idjit_perl_renegade

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Date: Tue, 04 Jul 2000 16:14:45 -0700

Malcolm Dew-Jones wrote:
 
> Magic wrote:
> : Tony Curtis wrote:

> : > If you look at the code you posted, you'll notice that it
> : > handles POST by blithely reading data of length
> : > $ENV{CONTENT_LENGTH} without checking to see how much it
> : > will read.  That's only one problem with it.
 
> : Great! :o)
 
> : In that case as I don't think I'll be using POST at all (only GET)
> : I'll just "die" if it uses POST.
 
> Better yet, just check the CONTENT_LENGTH for some reasonable maximum.


Brenner's cgi.lib does an adequate job of protecting 
against content length problems. Those who claim cgi.lib
does not control content length are displaying a lack 
of knowledge of Perl and of her history:

# maximum bytes to accept via POST - 2^17
$cgi_lib'maxdata  = 131072;


 
> : I don't know what "-w -T" will do, but I will endeavour to find out
> : (thanks to the kind person who sent me most of the PerlMan in Email)
> : :o)
 
> -w = perl warns you about various things that are commonly mistakes.
> Highly recommended.


Pragma warnings display an unacceptable error rate. It is
quite common for wording of pragma hints to be incomprehensible
gibberish or simply wrong. Not uncommon at all for pragma hints
to create a wild goose chase by returning an error message
which is several hundred lines off target. Even more common
are pragma errors based in variations of more recent Perl 
versions rendering portability near zero. Pragma warnings
should carry a warning as well:

"This error message might be in error itself. Who knows?"


 
> -T = perl warns you if user input is used in any potentially unsafe
> statement, BUT be careful, lack of taint errors DOES NOT MEAN
> YOUR PROGRAM IS SAFE.  Correctly untainting data can be difficult, and
> you can untaint data without meaning to if you use the data in regular
> expressions for other purposes.  E.g.  If you check the input for some
> flag, then the data may be untainted, even though that wasn't the reason
> for the check, and -T will not warn you about the use of the still-unsafe
> data.
 
> Recommended, but don't trust tainting to keep your script safe.


Taint checking causes a lot of scripts to crash without good
reason. Taint checking also severely restricts what you can
do with a Perl script; Taint limits effectiveness and imagination.
Taint checking creates a false sense of security. For best
security, address your security problems personally. Your
advice to not trust Taint checking is of excellent quality.
Trusting Taint is like trusting O.J. Simpson.

 
> Also use strict, which requires variables to be predeclared which helps
> you to avoid typos, especially important for subtle typos such
> as using $array when only @array has been declared.


Use of strict promotes lazy programmers and promotes ignorance
of Perl itself. Strict leads so called programmers to be lax
and careless in knowing Strict will catch most but not all of
his or her errors. True programmers scoff at use of Strict.
We know how to write programs correctly sans babysitter.

All-in-all, cgi.pm, pragma warnings, taint checking and use
of strict, are annoying Perl 5 Cargo Cult mule manure all of
which lead to inexcusable problems and make for lax ineffective
programmers or, what I have come to term with ironic biting
endearment, "Copy and Paste Technicians" rather than what
I personally consider to be programmers.

Avoid Perl 5 Cargo Cult and you will become a better programmer
through hard work, planning, thinking and by learning unforgettable
hard lessons by actually writing your programs rather than being
just another Copy and Paste Technician worshipping Perl 5 Cargo Cult.


Godzilla!
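Two of the points raised in this thread are easy to show in a few lines of Perl: Malcolm's advice to check CONTENT_LENGTH against a reasonable maximum (the same bound cgi.lib sets in maxdata) and verify how much was actually read, and his warning that a regex used only to check for a flag also untaints whatever it captures. The script below is an added illustration written for this page; it is not code from any poster nor from cgi.lib. The function names, the in-memory request body and the fake %ENV hash are all constructed for the demo, and the `//` operator assumes Perl 5.10 or later.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Upper bound on POST bodies; the same value cgi.lib uses for maxdata (2^17).
my $MAXDATA = 131072;

# Read a POST body from $fh, trusting neither the declared CONTENT_LENGTH
# nor the number of bytes the handle actually delivers. Dies on any mismatch.
sub read_post_body {
    my ($fh, $env, $max) = @_;
    $max = $MAXDATA unless defined $max;

    # ASCII digits only; the capture also untaints the copy we keep. A bogus
    # or absent header is refused outright rather than handed to read().
    my ($len) = ($env->{CONTENT_LENGTH} // '') =~ /\A([0-9]{1,9})\z/
        or die "missing or non-numeric CONTENT_LENGTH\n";
    die "CONTENT_LENGTH $len exceeds the $max byte limit\n" if $len > $max;

    # Ask for exactly $len bytes. read() returns the count actually read,
    # 0 at end of file and undef on error, so a truncated body is caught
    # instead of being processed as if it were complete.
    my $body = '';
    my $got  = read($fh, $body, $len);
    die "short read: wanted $len bytes, got " . ($got // 'error') . "\n"
        unless defined $got && $got == $len;
    return $body;
}

# The pitfall described above: this regex is meant only to test whether
# the request mentions "file=", but its capture group untaints $1, so -T
# stays silent even though the value is still unvalidated (it may contain
# "../" or shell metacharacters).
sub extract_filename_unsafe {
    my ($input) = @_;
    if ($input =~ /file=(.*)/) {
        return $1;    # untainted by the match, yet never validated
    }
    return;
}

# Safer: the pattern that untaints is also the pattern that enforces the
# allowed shape, so nothing outside that shape can come out of it.
sub extract_filename_safe {
    my ($input) = @_;
    if ($input =~ /(?:\A|[&;])file=([A-Za-z0-9_.-]{1,64})(?:[&;]|\z)/) {
        my $name = $1;
        return $name if $name !~ /\A\.+\z/;    # reject "." and ".."
    }
    return;
}

# Constructed demo input (not a real request). Run as: perl -T this_script.pl
my $sample   = "file=../../private.txt&x=1";
my %fake_env = (CONTENT_LENGTH => length $sample);
open my $fh, '<', \$sample or die "cannot open in-memory handle: $!";

my $body = read_post_body($fh, \%fake_env);
printf "read %d bytes\n", length $body;
printf "unsafe extractor: %s\n", extract_filename_unsafe($body) // '(none)';
printf "safe extractor:   %s\n", extract_filename_safe($body)   // '(none)';

# An oversized declared length is rejected before a single byte is read.
my %big_env = (CONTENT_LENGTH => $MAXDATA + 1);
eval { read_post_body($fh, \%big_env) };
print "oversized request rejected: $@";
```

Run with `perl -T` on the command line (a `-T` on the shebang alone fails with "Too late for -T" when the script is invoked as `perl script.pl`). The unsafe extractor hands back the whole `../../private.txt&x=1` string as clean data; the safe one returns nothing for that input because the slash is outside the permitted character set. Note that the in-memory string is not tainted in the first place, so the demo shows the validation logic rather than a taint error; with real `%ENV` and STDIN the same functions would be the untainting step.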

