OT: Re: Secure popen

From: ___cliff rayman___ (cliffat_private)
Date: Wed Jun 20 2001 - 19:57:00 PDT


    you should have quoted your message as flame bait.
    or at least subclassed it as such.  :-)
    
    Glynn Clements wrote:
    
    > Richard Mirch wrote:
    >
    > > Is there any specific reason why you are writing a simple CGI in c++? If
    > > it is for learning, then I can see the point but this can easily be done
    > > securely and efficiently in PERL or perhaps PHP(never had a chance to do
    > > this).
    >
    > Whilst it's theoretically possible to write a secure CGI in Perl, it's
    > a lot easier to get it right in a language such as C++ which:
    >
    > a) doesn't make extensive use of "in-band signalling" (i.e.
    > substitutions triggered by metacharacters),
    >
    > b) has (reasonably) strong typing, and
    
    i can see why this makes a program more efficient, but
    not more secure.
    
    >
    > c) tends to be legible.
    
    beauty is in the eye of the beholder.  perl is much more legible to
    me than c++, and i prefer c++ legibility to many other languages.
    
    >
    >
    > Scripting languages such as Perl are useful for quick hacks, but
    > security-wise, they truly suck. Scan the BugTraq archives for
    > references to CGI programs; I would guess that around 90% of
    > vulnerabilities are due to the above.
    
    i don't think so.  the majority of the program crashes in this world
    are related to C/C++ and its use of pointers.  it is very easy to
    write secure perl programs.  lots of people, especially beginners
    just happen to write CGI programs in perl and since they are not
    yet capable programmers, they write insecure code.  beginners
    don't write CGI programs in C++ because it is outside the capability
    of beginners to do so.  a skilled programmer will write quality code
    with either language.
    
    >
    >
    > Also note that, with the use of a decent C++ "string" class, there's
    > no reason why a program should be susceptible to buffer overruns.
    >
    > --
    > Glynn Clements <glynn.clementsat_private>
    
    --
    ___cliff rayman___cliffat_private___http://www.genwax.com/
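
    The "in-band signalling" argued over above (metacharacters being re-parsed as
    commands) and the "Secure popen" subject of this thread come down to one thing:
    whether a shell sits between the program and the command it runs. The C program
    below is an added example, not code from anyone in this thread. It contrasts the
    popen() pattern, where untrusted text is spliced into a command line that
    /bin/sh -c re-parses, with a pipe/fork/execvp() replacement in which the same
    text is one literal argv entry. The use of echo as the child program, the
    function names and the "foo; echo INJECTED" input are all constructed for the
    illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Shell-free replacement for popen(..., "r"): run argv[] with execvp() so no
 * shell ever parses the arguments, and capture the child's stdout into out
 * (NUL-terminated, truncated to outlen-1 bytes, but the pipe is drained to EOF
 * so the child never blocks on a full pipe). Returns the child's exit status,
 * 127 if exec failed, or -1 on a local error.
 */
int run_capture(char *const argv[], char *out, size_t outlen) {
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                         /* child */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);              /* argv[1..] are literal, never re-parsed */
        _exit(127);
    }

    close(fds[1]);                          /* parent: read until EOF */
    size_t used = 0;
    char scratch[256];
    for (;;) {
        ssize_t n = (used + 1 < outlen)
            ? read(fds[0], out + used, outlen - 1 - used)
            : read(fds[0], scratch, sizeof scratch);   /* excess output is discarded */
        if (n <= 0) break;
        if (used + 1 < outlen) used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pattern under discussion: splice untrusted text into a command line and
   hand it to popen(), i.e. to /bin/sh -c. Output goes to out; returns the
   shell's exit status or -1. */
int popen_capture(const char *untrusted, char *out, size_t outlen) {
    char cmd[512];
    if (outlen == 0) return -1;
    if (snprintf(cmd, sizeof cmd, "echo %s", untrusted) >= (int)sizeof cmd) return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    size_t used = fread(out, 1, outlen - 1, fp);
    out[used] = '\0';
    char scratch[256];
    while (fread(scratch, 1, sizeof scratch, fp) > 0) { }   /* drain to EOF */
    int status = pclose(fp);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same intent, shell-free: the untrusted text is exactly one argument to echo. */
int exec_capture(const char *untrusted, char *out, size_t outlen) {
    char *argv[] = { "echo", (char *)untrusted, NULL };
    return run_capture(argv, out, outlen);
}

int main(void) {
    /* Constructed attacker-controlled input, e.g. a CGI query parameter. */
    const char *input = "foo; echo INJECTED";
    char out[256];

    popen_capture(input, out, sizeof out);
    printf("popen  gave: %s", out);   /* two lines: the ';' ended the command */

    exec_capture(input, out, sizeof out);
    printf("execvp gave: %s", out);   /* one line: the ';' is just a byte */
    return 0;
}
```

    Two caveats a practitioner would want. First, dropping the shell stops
    metacharacter injection but not argument injection: input that begins with "-"
    may still be read as an option by the child program, so validate the value (or
    pass "--" where the child honours it) regardless of language. Second, the
    property is not one of C++ versus Perl: Perl's list forms of system() and exec()
    also bypass the shell, while a C++ program that builds a string for popen() has
    exactly the in-band problem described above.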
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 08:45:49 PDT