PerlMonks
Re: Re: Untainting safely. (b0iler proofing?) by Anonymous Monk
on Jun 26, 2002 at 02:10 UTC [id://177262]
> I'm completely stunned that you'd suggest not using regexes for parsing

Did you read the article? If not, please take the time to scan it (search for "s/" to get to the relevant sections) and perhaps you'll see why this method (ord() and unpack()) seemed appealing. The way the interpolation that regexes do can be exploited to bypass even the most sophisticated set of multiple passes with regex to sanitise a user supplied path is simply scary.

> Peer review and a huge number of test cases, especially those culled from real-world experience

Exactly why I was suggesting development of such code here!

There are very few huge corporations and many millions of small companies in the world. The big ones have the budgets for such in-depth, in-house development, review and expertise. The rest have often one or two developers who are responsible for developing and maintaining the code. No possibility of enlisting more than their own expertise in reviewing their own work. And whilst when the big ones make mistakes, they have the funds to correct them. When the small ones make mistakes, the financial costs of correction are often too much for their small net worths to bear and they go under, taking the jobs they provided with them. Permanently.

Expertise takes either time or money. Those that have invested the time charge substantially to hire that expertise to others. The big guys have the money to grow that expertise internally or buy it externally. They are still making mistakes. The small guy has neither choice.

I don't understand why the idea of utilising the collective resources of PM to address and simplify the process of handling security--the one thing that (as I have seen all over PM) is at the top of almost every single IT expert's, of any flavour, list of major priorities--is so shocking?

BrowserUK (mistakenly posted anonymously)

Added attribution - dvergin 2002-06-28
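The byte-by-byte allow-list check the post has in mind (ord() and unpack() rather than a chain of s/// substitutions), written here as an added example that is not code from the post or from the article it refers to. The function name, the allowed character set and the sample inputs are assumptions for illustration; one regex capture remains at the end because, under perl -T, only a capture clears the taint flag, and it runs only after every character has already been accepted.

```perl
use strict;
use warnings;

# Validate a user-supplied file name one character at a time against an
# allow-list of code points. Returns the cleaned name, or nothing when any
# character falls outside the allow-list. (Hypothetical helper.)
sub untaint_filename {
    my ($input) = @_;
    return unless defined $input;
    return if length($input) == 0 || length($input) > 64;

    # Allowed code-point ranges: A-Z, a-z, 0-9, '_', '-', '.'
    my @allowed = (
        [ ord('A'), ord('Z') ],
        [ ord('a'), ord('z') ],
        [ ord('0'), ord('9') ],
        [ ord('_'), ord('_') ],
        [ ord('-'), ord('-') ],
        [ ord('.'), ord('.') ],
    );

    my $clean = '';
    # 'W*' unpacks each character to its code point (wide characters
    # included), so anything outside the ASCII ranges above is rejected.
    for my $cp (unpack 'W*', $input) {
        my $ok = 0;
        for my $range (@allowed) {
            if ($cp >= $range->[0] && $cp <= $range->[1]) { $ok = 1; last; }
        }
        return unless $ok;
        $clean .= chr($cp);
    }

    # '/' is never allowed, so no path components can survive; still refuse
    # names made only of dots, which name the current or parent directory.
    return if $clean =~ /\A\.+\z/;

    # Every character has been accepted; this capture exists only to clear
    # the taint flag, which Perl does solely through a regex capture.
    ($clean) = $clean =~ /\A(.*)\z/s;
    return $clean;
}

# Constructed sample inputs for demonstration.
for my $candidate ('report-2002.txt', '../passwd', "a\0b", 'index.cgi', '..') {
    (my $shown = $candidate) =~ s/\0/\\0/g;
    my $result = untaint_filename($candidate);
    printf "%-18s => %s\n", $shown, defined $result ? "ok ($result)" : 'rejected';
}
```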
In Section
Seekers of Perl Wisdom