[aklug] Re: Linux/Drupal/PHP/Latest LJ

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Oct 11 2012 - 11:10:58 AKDT

On Thu, 11 Oct 2012, Tim Johnson wrote:

> perlmonk alert! perlmonk alert! ... And this pythonist agrees.
> Arthur has provided my cover from incoming PHPist flak. So, I'm
> just going to fire away here...

I feel used... and slightly dirty.

> 1) Many agree that PHP is not designed well. extract() writes
> willy-nilly to the global symbol table? Holy crap! Bad idea, *but*
> I don't have to use it in my own PHP code do I? Of course, I'm
> sure the drupal resources are using extract(). I know that
> CodeIgniter does.
>
> 2) Could it be that some of the bad rep that PHP has for security
> flaws arose because there are so many PHP coders and many of those
> didn't start out as I did or I presume Arthur did by writing CGI
> interfaces from the ground up, with security in mind?

I grant you, there's probably some heinous code abortion like what Matt's
Script Archive did for Perl in every language. That said, the security in
the core language itself is probably the worst I have ever seen, period.
Cribbing from

   http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/

       * In 2007 the interpreter had an integer overflow vulnerability. The
         fix started with if (size > INT_MAX) return NULL; and went downhill
         from there. (For those not down with the C: INT_MAX is the biggest
         integer that will fit in a variable, ever. I hope you can figure out
         the rest from there.)
       * More recently, PHP 5.3.7 managed to include a crypt() function
         that would, in effect, let anyone log in with any password.
       * PHP 5.4's dev server is vulnerable to a denial of service,
         because it takes the Content-Length header (which anyone can
         set to anything) and tries to allocate that much memory.
         This is a bad idea.

> 3) IOWS could not a programmer who learned good habits from other
> languages manage the "attack vector".

Not to be too glib, but no. Sure, you could code in some protection for the
flaws you don't know about, but what about the ones you don't? Yeah, that's
an issue for all languages, but not all languages have such idiocies
injected like what I quoted above. I mean, really, "if (size > INT_MAX)
return NULL", WTF? How did they expect that to work?!

> 4) Are there add-ons to drupal to improve PHP security?
>
> 5) Are there add-ons to PHP to import security?
>
> Any PHP coders here? Be gentle with Arthur.

Bring it on, I haven't had a good flame war in a while. And I'm wearing my
asbestos underwear. :-) On a more serious note, read the article above,
that guy does a great job of breaking down the more absurd PHPisms from a
language perspective, going into specific details. The security section is
probably the smallest part of that doc. If you can defend the language from
the rest of *that*, forget hacking, go into law or politics.

         --Arthur Corliss
           Live Free or Die
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
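The two C-level points Arthur quotes from the veekun article (a size guard of the form `if (size > INT_MAX) return NULL;`, and allocating whatever a client-supplied Content-Length asks for) are easy to illustrate in a few lines. The block below is an added example written for this archive page; it is not PHP's code, not the fix the article refers to, and not part of the original thread. It assumes nothing about PHP internals: it shows why a comparison of an `int` against `INT_MAX` can never be true, what an overflow check on the arithmetic that produces an allocation size looks like instead, and how a declared body length should be validated against an explicit limit (the 1 MiB limit used below is a constructed policy value) before any memory is reserved for it.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* The guard shape the post mocks: `size` is an int, and no int can hold a
 * value larger than INT_MAX, so this comparison is always false. Compilers
 * are free to delete it. Returns 1 if the guard rejected the size. */
int useless_guard_rejects(int size) {
    if (size > INT_MAX) return 1;   /* unreachable for any int */
    return 0;
}

/* What a real guard has to check: the multiplication that produces the
 * allocation size, before it wraps. Returns count * elem, or 0 when the
 * product would not fit in size_t. (A genuine 0-byte request is rejected
 * too, which is the safe direction for an allocator.) */
size_t safe_alloc_size(size_t count, size_t elem) {
    if (count == 0 || elem == 0) return 0;
    if (count > SIZE_MAX / elem) return 0;  /* would overflow */
    return count * elem;
}

/* Validate a Content-Length header value against an explicit ceiling.
 * Only plain decimal digits are accepted; sign characters, whitespace,
 * trailing junk, and out-of-range values are rejected. Returns 1 and
 * stores the length on success, 0 otherwise. */
int parse_content_length(const char *value, size_t max_allowed, size_t *out) {
    if (value == NULL || *value == '\0') return 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return 0;
    }
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0') return 0;
    if (n > max_allowed) return 0;
    *out = (size_t)n;
    return 1;
}

/* Reserve a body buffer only after the declared length passed validation.
 * Returns 1 if a buffer could be allocated (and frees it again), 0 if the
 * declared length was rejected or allocation failed. */
int declared_body_is_acceptable(const char *content_length, size_t max_allowed) {
    size_t len = 0;
    if (!parse_content_length(content_length, max_allowed, &len)) return 0;
    size_t bytes = safe_alloc_size(len, 1);
    if (bytes == 0) return 0;
    void *buf = calloc(bytes, 1);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}
```

Compare `useless_guard_rejects(INT_MAX)`, which still returns 0, with `safe_alloc_size(SIZE_MAX / 2 + 1, 2)`, which returns 0 because the product would wrap; the difference is that the second function checks the arithmetic rather than a value that is already within range by construction.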
Received on Thu Oct 11 11:11:07 2012

This archive was generated by hypermail 2.1.8 : Thu Oct 11 2012 - 11:11:07 AKDT