On Wed, Jun 20, 2001 at 01:32:53PM +0100, Glynn Clements wrote:
>
> Richard Mirch wrote:
>
> > Is there any specific reason why you are writing a simple CGI in c++? If
> > it is for learning, then I can see the point but this can easily be done
> > securely and efficiently in PERL or perhaps PHP (never had a chance to do
> > this).
>
> Whilst it's theoretically possible to write a secure CGI in Perl, it's
> a lot easier to get it right in a language such as C++ which:
>
> a) doesn't make extensive use of "in-band signalling" (i.e.
> substitutions triggered by metacharacters),
>
> b) has (reasonably) strong typing, and
>
> c) tends to be legible.
>
> Scripting languages such as Perl are useful for quick hacks, but
> security-wise, they truly suck. Scan the BugTraq archives for
> references to CGI programs; I would guess that around 90% of
> vulnerabilities are due to the above.

Is the reason for the large number of vulnerabilities in perl-based CGIs
due to the language? This is what you appear to be saying.

My thought is that because perl is easier for entry-level programmers to
program in, those programmers will use it for developing web and other
applications. Less-experienced programmers generally make more mistakes
(or poor design choices) than more-experienced programmers. Therefore
we're likely to see more dodgy scripts written in perl, by bad
programmers, simply because bad programmers find perl more accessible
than, say, C++.

Technical features of a language (that have security implications) mean
little, unless they either happen invisibly in the background (memory
management in perl), or are actively and correctly used by the programmer
(i.e. snprintf(3)).

>
> Also note that, with the use of a decent C++ "string" class, there's
> no reason why a program should be susceptible to buffer overruns.
>
> --
> Glynn Clements <glynn.clementsat_private>
>

Cheers,
Nick

--
"I'm just very selective about the reality I choose to accept"
--Calvin
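The three points the exchange above turns on, shown as an added example that is not part of the thread and not code from either poster: a CGI query-string parser built on std::string so that an arbitrarily long QUERY_STRING cannot overrun a buffer (Glynn's "decent string class" point), an allow-list check for values that would later be interpolated into a shell command (the "in-band signalling" problem), and a wrapper showing that snprintf(3) only helps when its return value is actually checked (Nick's point that a safe primitive must be used correctly). The function names, the 4096-byte limit, the allow-list character set and the sample query string are this example's own choices.

```cpp
// Added example, not from the original thread. Names, limits and the sample
// query string below are assumptions made for illustration.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

// Percent-decode one query component ('+' becomes a space). A malformed
// escape such as "%zz" is kept literally instead of being silently dropped,
// so a later validation step still sees it.
std::string url_decode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '+') {
            out += ' ';
        } else if (in[i] == '%' && i + 2 < in.size()
                   && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out += static_cast<char>(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split "a=1&b=2" into a map. Every piece is a std::string, so there is no
// fixed buffer to overrun; the only resource at stake is memory, which the
// max_len guard bounds by rejecting (not truncating) oversized input.
std::map<std::string, std::string> parse_query(const std::string& qs,
                                               std::size_t max_len = 4096) {
    std::map<std::string, std::string> params;
    if (qs.size() > max_len) return params;  // reject rather than truncate
    std::size_t start = 0;
    while (start <= qs.size()) {
        std::size_t amp = qs.find('&', start);
        if (amp == std::string::npos) amp = qs.size();
        std::string pair = qs.substr(start, amp - start);
        if (!pair.empty()) {
            std::size_t eq = pair.find('=');
            std::string key = url_decode(pair.substr(0, eq));
            std::string val = (eq == std::string::npos)
                                  ? std::string()
                                  : url_decode(pair.substr(eq + 1));
            params[key] = val;
        }
        start = amp + 1;
    }
    return params;
}

// The "in-band signalling" hazard: once a value is interpolated into a shell
// command, characters like ';', '|', '`' and '$' stop being data and become
// control. Rather than trying to escape every metacharacter, accept only an
// explicit allow-list (assumed here: alphanumerics, '.', '-', '_').
bool safe_for_shell_arg(const std::string& v) {
    if (v.empty() || v.size() > 64) return false;
    for (unsigned char c : v) {
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == '_')) return false;
    }
    return v[0] != '-';  // a leading '-' would be parsed as an option
}

// snprintf(3) never writes past dst_len, but it also does not fail loudly:
// the caller has to check the return value, or a silently truncated string
// is used as if it were complete. Returns false when truncation happened.
bool copy_bounded(const std::string& src, char* dst, std::size_t dst_len) {
    int n = std::snprintf(dst, dst_len, "%s", src.c_str());
    return n >= 0 && static_cast<std::size_t>(n) < dst_len;
}

int main() {
    const char* env = std::getenv("QUERY_STRING");
    // Constructed sample input, used when not running under a web server.
    std::string qs = env ? env : "file=report.txt&user=bob%3B+rm+-rf+%2F";
    for (const auto& kv : parse_query(qs)) {
        std::cout << kv.first << " = " << kv.second
                  << (safe_for_shell_arg(kv.second) ? "  [ok]" : "  [rejected]")
                  << '\n';
    }
    return 0;
}
```

Run it with QUERY_STRING unset and the constructed sample decodes "user" to "bob; rm -rf /", which the allow-list rejects; the same value passed through a string-interpolating system() call would be exactly the class of CGI bug the thread is arguing about, and nothing about the host language prevents it unless the programmer adds the check.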
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 08:39:55 PDT