Re: Attack on Perl or Perl's need better PR (again)

This issue was raised on the Perl Foundation steering committee list and here are couple of comments from that discussion which might prove of interest.

The article's original title was "Danger level rises for Perl flaws". Their addition of the word "app" was a small concession to make it clear the problem is not entirely Perl's. I think petdance may have helped with that, but I'm not sure.
Rafael has stated that the intent is to fix Perl's implementation of printf to prevent this sort of stuff.
There's a possibility that format strings may be tainted in future versions of Perl (this was mentioned in an offhand manner and I have no other details).

Cheers,
Ovid

New address of my CGI Course.

Comment on Re: Attack on Perl or Perl's need better PR (again)

Replies are listed 'Best First'.
Re^2: Attack on Perl or Perl's need better PR (again) by converter (Priest) on Dec 01, 2005 at 03:47 UTC
I have to confess, I'm the one responsible for the first comment in the talkback section. I wrote a longer comment, but after proofreading it, I realized that only fellow monks would appreciate it and reduced it to PHB reading level. I stand by my original claims about webmin. Not only is it poorly-written by today's standards, it leads to even scarier code when in-house development begins. I haven't tested this thoroughly, but if I recall correctly, taint mode is ineffectual because of the way miniserv.pl runs the module code. Another gripe: there is a lot of code that touches critical system data that I would only reluctantly trust to well-respected CPAN modules and does so in ways that lead to easily avoidable errors like duplicate records in system user databases. converter	[reply]

Replies are listed 'Best First'.

Re^2: Attack on Perl or Perl's need better PR (again)
by converter (Priest) on Dec 01, 2005 at 03:47 UTC

I have to confess, I'm the one responsible for the first comment in the talkback section. I wrote a longer comment, but after proofreading it, I realized that only fellow monks would appreciate it and reduced it to PHB reading level.

I stand by my original claims about webmin. Not only is it poorly-written by today's standards, it leads to even scarier code when in-house development begins. I haven't tested this thoroughly, but if I recall correctly, taint mode is ineffectual because of the way miniserv.pl runs the module code. Another gripe: there is a lot of code that touches critical system data that I would only reluctantly trust to well-respected CPAN modules and does so in ways that lead to easily avoidable errors like duplicate records in system user databases.

converter

[reply]