Re: Secure popen

From: Glynn Clements (glynn.clementsat_private)
Date: Wed Jun 20 2001 - 05:32:53 PDT

  • Next message: Kai Schulte: "Re: Secure popen"

    Richard Mirch wrote:
    
    > Is there any specific reason why you are writing a simple CGI in c++? If
    > it is for learning, then I can see the point but this can easily be done
    > securely and efficiently in PERL or perhaps PHP(never had a chance to do
    > this).
    
    Whilst it's theoretically possible to write a secure CGI in Perl, it's
    a lot easier to get it right in a language such as C++ which:
    
    a) doesn't make extensive use of "in-band signalling" (i.e.
    subsitutions triggered by metacharacters),
    
    b) has (reasonably) strong typing, and
    
    c) tends to be legible.
    
    Scripting languages such as Perl are useful for quick hacks, but
    security-wise, they truly suck. Scan the BugTraq archives for
    references to CGI programs; I would guess that around 90% of
    vulnerabilities are due to the above.
    
    Also note that, with the use of a decent C++ "string" class, there's
    no reason why a program should be susceptible to buffer overruns.
    
    -- 
    Glynn Clements <glynn.clementsat_private>
    



    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 17:42:49 PDT