[PLUG] Preventing Probes Like This

Tim tim-pdxlug at sentinelchicken.org
Mon Aug 25 23:50:53 UTC 2008


> [...]

Most of your responses up to this point in your last message seem to be
of the form "Well, it is still *possible*, regardless of
language/platform to write bad code".  Yes, I don't dispute this.  I've
seen Java developers fail to cast integer arguments and have them
inject.  The point is, if you actually sit down and test applications
like this on various platforms for a living, you'll find that some
platforms just have many fewer of these stupid mistakes.  I'm not
talking about theory, I'm talking about practice.


> Where that "feature" really went south was people writing dynamic 
> loaders without any forethought of what their input arguments needed to 
> be restricted to. Those "dynamic loaders" got stuck in a lot of 
> high-profile projects, and the rest is history.

Including remote files as code is a dumb idea, regardless of language.
If you really had to do this in a distributed application environment,
you're better off using a network filesystem.

Of course Python can pull down a remote file and eval it in one of
several ways.  Making that kind of functionality a part of "import ..."
would be sheer idiocy.  Period.  Consider the principle of least
surprise (http://www.faqs.org/docs/artu/ch11s01.html).


> > When it comes to real-world applications, the platform does matter
> > because most programmers suck.
> > 
> I've seen less-than-ideal PHP/Java coders write the exact same problems 
> into both languages. I've also seen a heck of a lot more bad public PHP 
> code than Java code (putting aside the major DoS/memory issues that many 
> Java apps seem to love). What I think makes a *huge* difference is the 
> number of long term, professional, coders in various arenas, as compared 
> to hobbyists and enthusiasts. PHP is where a lot of people seem to cut 
> their web-app security teeth the hard way, where folks into Python, 
> Ruby, Perl (etc.) tend to have a few more years of "making mistakes" 
> under their belt.

True, maybe there are just more bad programmers working on PHP apps.
Is that because it's so easy to learn, or because experienced
programmers realize it's an unsafe platform?


tim
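As an added illustration of the "restrict the input arguments" point made about dynamic loaders and integer casting above (not code from this thread or its participants), here is a Python loader that resolves a page name through a fixed allowlist rather than a path, URL or eval; the handler names and bounds are constructed for the example.

```python
"""Added example: a dynamic loader whose input argument is restricted to a
fixed allowlist, plus a bounded integer cast for request parameters.
Handler names and limits are constructed for illustration."""
import re
from typing import Callable, Dict

# Constructed allowlist: the only "pages" the application knows how to load.
PAGE_HANDLERS: Dict[str, Callable[[], str]] = {
    "home": lambda: "home page",
    "about": lambda: "about page",
    "contact": lambda: "contact page",
}

# A page name must be a short lowercase identifier: no slashes, dots, colons
# or schemes, so "../x", "http://host/x.php" and "home.php" are rejected
# before any lookup happens.
_PAGE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

class BadArgument(ValueError):
    """Raised when a request argument fails validation."""

def load_page(name: str) -> str:
    """Return the output of the handler registered for `name`.

    The lookup is a dictionary membership test, not a filesystem or URL
    operation, so no user-controlled string ever reaches include/import/eval.
    """
    if not _PAGE_NAME.match(name):
        raise BadArgument(f"malformed page name: {name!r}")
    handler = PAGE_HANDLERS.get(name)
    if handler is None:
        raise BadArgument(f"unknown page: {name!r}")
    return handler()

def require_int(value: str, lo: int, hi: int) -> int:
    """Cast a request parameter to a bounded int, refusing anything else.

    Only a decimal literal within [lo, hi] survives, so the resulting value
    can be used in a query with nothing left for injection; "1 OR 1=1" is
    not a decimal literal and is rejected here.
    """
    if not re.fullmatch(r"-?[0-9]{1,18}", value.strip()):
        raise BadArgument(f"not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise BadArgument(f"out of range: {n}")
    return n
```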