Re3: What Does Microsoft Think of Perl?

(I am not a JScript or VBSCript guru, so I may be wrong in a few assertions below.)

Perl isn't less secure. Perl is more powerful. You cannot access the operating system with JScript or VBScript. You cannot (easily) initiate a download from some other server and execute that code.

Even more importantly, Acme::Bleach doesn't exist in anything but Perl. That alone makes security checking through regex impossible.

My concern is that the increased power of Perl will not come with increased safeguards on the part of the browser manufacturers or the plugin manufacturers or the OS manufacturers. THAT is what I am scared $h!tless about.

------
We are the carpenters and bricklayers of the Information Age.

Don't go borrowing trouble. For programmers, this means Worry only about what you need to implement.

Comment on Re3: What Does Microsoft Think of Perl?

Replies are listed 'Best First'.
Re4: What Does Microsoft Think of Perl? by Ionitor (Scribe) on Jul 20, 2002 at 14:57 UTC
As is pointed out below, this is a fairly old article. In its current state, there is little (read no) likelyhood that PerlScript will be installed by default on Windows/IE. Of course, there are those that will install PerlScript (such as myself). At one point, this was fairly dangerous, as is mentioned here. PerlScript is too powerful (it lacks the "sandbox" of JavaScript) to be used for general web scripting at the moment. Testing on my own machine, I was able to use PerlScript in a web page to delete a file on my computer, without any sort of prompt whatsoever. However, the page linked to is out of date. It says that the only way to avoid this problem is to not browse the web or turn off scripting in the browser for any machine that has PerlScript installed. Looking at the current documentation for PerlScript, there is a registry setting that limits PerlScript to certain IE Internet zones. By default PerlScript only runs in the "local intranet", which means that a random site on the web cannot use it to attack your computer. It also means that a company can choose to use client-side PerlScript on their intranet web sites without severely comprimising the security of their users' computers. In short, the current default in every version of Windows is that PerlScript is not installed. If it is installed, a client's PerlScript will not be available to regular web sites. Even if a user decided to be stupid and enable PerlScript for the Internet zone in IE, it is unlikely that many malicious sites would bother targeting their attacks on that tiny group of people (which is presumably much smaller than the group of people that will just click "yes" and install any ActiveX control that the web site asks them to).	[reply]

Replies are listed 'Best First'.

Re4: What Does Microsoft Think of Perl?
by Ionitor (Scribe) on Jul 20, 2002 at 14:57 UTC

Of course, there are those that will install PerlScript (such as myself). At one point, this was fairly dangerous, as is mentioned here. PerlScript is too powerful (it lacks the "sandbox" of JavaScript) to be used for general web scripting at the moment. Testing on my own machine, I was able to use PerlScript in a web page to delete a file on my computer, without any sort of prompt whatsoever.

However, the page linked to is out of date. It says that the only way to avoid this problem is to not browse the web or turn off scripting in the browser for any machine that has PerlScript installed. Looking at the current documentation for PerlScript, there is a registry setting that limits PerlScript to certain IE Internet zones. By default PerlScript only runs in the "local intranet", which means that a random site on the web cannot use it to attack your computer. It also means that a company can choose to use client-side PerlScript on their intranet web sites without severely comprimising the security of their users' computers.

In short, the current default in every version of Windows is that PerlScript is not installed. If it is installed, a client's PerlScript will not be available to regular web sites. Even if a user decided to be stupid and enable PerlScript for the Internet zone in IE, it is unlikely that many malicious sites would bother targeting their attacks on that tiny group of people (which is presumably much smaller than the group of people that will just click "yes" and install any ActiveX control that the web site asks them to).

[reply]