Re: Re: Untainting safely. (b0iler proofing?)

by Anonymous Monk
on Jun 26, 2002 at 02:10 UTC


in reply to Re: Untainting safely. (b0iler proofing?)
in thread Untainting safely. (b0iler proofing?)

I'm completely stunned that you'd suggest not using regexes for parsing

Did you read the article? If not, please take the time to scan it (search for "s/" to get to the relevant sections) and perhaps you'll see why this method (ord() and unpack()) seemed appealing. The way the interpolation that regexes do can be exploited to bypass even the most sophisticated set of multiple passes with regex to sanitise a user-supplied path is simply scary.

Peer review and a huge number of test cases, especially those culled from real-world experience

Exactly why I was suggesting development of such code here! There are very few huge corporations and many millions of small companies in the world. The big ones have the budgets for such in-depth, in-house development, review and expertise. The rest often have one or two developers who are responsible for developing and maintaining the code. No possibility of enlisting more than their own expertise in reviewing their own work. And whilst when the big ones make mistakes, they have the funds to correct them. When the small ones make mistakes, the financial costs of correction are often too much for their small net worths to bear and they go under, taking the jobs they provided with them. Permanently.

Expertise takes either time or money. Those that have invested the time, charge substantially to hire that expertise to others. The big guys have the money to grow that expertise internally or buy it externally. They are still making mistakes. The small guy has neither choice.

I don't understand why the idea of utilising the collective resources of PM to address and simplify the process of handling security--the one thing that (as I have seen all over PM) is at the top of almost every single IT expert's, of any flavour, list of major priorities--is so shocking?

BrowserUK (mistakenly posted anonymously)

Added attribution - dvergin 2002-06-28
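An added example, not code from BrowserUK's post or from the article he cites: one way to check a user-supplied relative path byte by byte with unpack() and ord() instead of a chain of substitutions, and to untaint only after every byte and every path segment has passed. The function name, the allowed-character set, the 255-byte cap and the "no dot-files" rule are this example's own choices, not anything the thread prescribes.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): whitelist a relative path by inspecting
# each character value, then untaint only after the whole value has passed.
# Run as:  perl -T untaint_path.pl   (taint mode must be enabled explicitly)
use strict;
use warnings;

# Lookup table of permitted character values (an assumed policy for this example):
# a-z A-Z 0-9 . _ - /   Everything else, including NUL, spaces and shell
# metacharacters, is rejected before any pattern is ever applied to the input.
my %ALLOWED = map { ( ord($_), 1 ) } ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '_', '-', '/' );

# Returns the untainted path on success, or nothing (undef in scalar context) on rejection.
sub is_safe_relative_path {
    my ($input) = @_;
    return unless defined $input && length $input;
    return if length($input) > 255;    # size cap chosen for this example

    # Look at every character value individually: no regex, no interpolation.
    # 'W*' yields each character's ordinal without wrapping wide characters.
    for my $code ( unpack 'W*', $input ) {
        return unless $ALLOWED{$code};
    }

    # Structural rules on the already-whitelisted characters.
    return if substr( $input, 0, 1 ) eq '/';    # absolute path
    for my $seg ( split m{/}, $input, -1 ) {
        return if $seg eq '';                       # '//' or trailing '/'
        return if $seg eq '.' || $seg eq '..';      # current or parent directory
        return if substr( $seg, 0, 1 ) eq '.';      # dot-files (policy choice here)
    }

    # Only now untaint. The capture is safe because every character was checked
    # above; the regex is a fixed literal and interpolates nothing from the user.
    my ($clean) = $input =~ /^(.*)\z/s;
    return $clean;
}

# Constructed sample inputs with the expected verdict (1 = accepted, 0 = rejected).
my @cases = (
    [ 'docs/readme.txt',     1 ],
    [ 'report-2002_06.html', 1 ],
    [ '../etc/passwd',       0 ],
    [ '/etc/passwd',         0 ],
    [ 'a/b/../c',            0 ],
    [ 'a//b',                0 ],
    [ '.htaccess',           0 ],
    [ "notes\0.txt",         0 ],
    [ 'a|b',                 0 ],
);

for my $case (@cases) {
    my ( $path, $want ) = @$case;
    my $got = defined( is_safe_relative_path($path) ) ? 1 : 0;
    ( my $shown = $path ) =~ s/\0/\\0/g;    # make the NUL visible when printed
    printf "%-22s expected %d got %d %s\n", $shown, $want, $got,
        ( $want == $got ? 'ok' : 'MISMATCH' );
}
```

The design point is that the regex appears exactly once, as a fixed literal that captures a value already proven to contain only whitelisted characters, so untainting cannot be influenced by anything the user supplies. Extending the policy means editing the %ALLOWED table or the segment rules, not adding another substitution pass.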

•Re: Re: Re: Untainting safely. (b0iler proofing?)
by merlyn (Sage) on Jun 26, 2002 at 21:41 UTC
    The small guy has neither choice.
    And there's where you're wrong again.

    It's the cost of doing business plain and simple. If you can't include security as part of your budget and still make a profit, you've got a bad business plan.

    It's just as wrong to cheat on security costs as it is to cheat on paying Uncle Sam his share. If you wouldn't even dream of the latter, why are you even debating the former?

    -- Randal L. Schwartz, Perl hacker

Re: Re: Re: Untainting safely. (b0iler proofing?)
by Anonymous Monk on Jun 26, 2002 at 02:29 UTC

    Please accept my apologies. I have just realised that when I made the post to which this is a reply, and this earlier post, I was not logged in. So they have come up as Anonymous Monk not as me. I don't know how (or if) this can be corrected?

    If not, I offer this post for any that feel the need for --.
