
Re: Creative and *routine* use of so-called "magic" ARGV (was [perl#2783] Security of ARGV using 2-argument open)

From: Glenn Linderman
Date: July 28, 2008 22:22
Subject: Re: Creative and *routine* use of so-called "magic" ARGV (was [perl#2783] Security of ARGV using 2-argument open)
Message ID: 488EA8E6.8040904@NevCal.com
On approximately 7/28/2008 10:08 PM, came the following characters from 
the keyboard of Mark Mielke:
> Tom Christiansen wrote:
>> [ how to support magical @ARGV better than today ]
>> If you feed an @ARGV or <STDIN> like this:
>>
>>     /etc
>>     -
>>     /etc/passwd     /tmp/.X11-unix/X0     foo.gz     
>> http://somewhere.com/path/to/foofile.gz     /etc/motd     /dev/tty     
>> /tmp/fifo     ~/.exrc
>>   
> 
> Very cool. Obviously, I wouldn't use it in a place where @ARGV can be 
> passed in via a web page form. But for simple practicality for everyday 
> usage with the flexibility for a program to be used in scenarios never 
> imagined by the original author? Very cool. This is really how I see the 
> origin of Perl. Solving practical problems in ways other languages were 
> a decade or so late in solving.


Yes, it is very cool.  Obviously it has restrictions on file names.

The scenarios in which it can be used, in this case, are those that 
_are_ predicted by the original author -- handling of .gz & .Z files 
requires code predicted by the original author; handling of URLs 
requires code predicted by the original author.


> If I want to write a secure application, I'm not sure I would choose 
> Perl. If I did use Perl, or any other language, I would expect to have 
> to put in effort and have a clue.


So if a language cannot be used simply and easily to write correct, 
concise, secure applications, why should anyone use it for anything 
else?  It is easier to become familiar with a language that does permit 
simple and easy creation of correct, concise, secure applications, and 
use that for everything.  The burden of being multi-lingual is too great 
for most casual programmers.  If they strain to learn one language, they 
would rather use it for everything.

I've learned and used about 3 dozen languages, I'm no longer proficient 
in most of them, and a few I never did become proficient in, but it only 
took me about 3 days effort to get a small, but non-trivial, program 
running in a language I've never used before, running a GUI package I've 
never used before.  I don't yet claim to be proficient in that language 
or GUI, but I probably will become reasonably so, because Perl, at which 
I am reasonably proficient (but not as expert as Tom), couldn't handle 
the requirements of the project.  So I _can_ learn languages... but I 
don't really want to learn more languages, I'd rather code useful 
applications in the ones I already know.

I _can_ learn the security problems in the languages I use, and 
_usually_ remember to code around them... but I don't really want to... 
that is not productive.  I'd rather that the insecurities be resolved by 
updates to the language, even if it means recoding a few lines in a few 
scripts (no, Tom, not all 100 of your scripts need to be updated, 
because your environment is protected and secure, and you can keep 
running the old perl) to achieve that.


-- 
Glenn -- http://nevcal.com/
===========================
A protocol is complete when there is nothing left to remove.
-- Stuart Cheshire, Apple Computer, regarding Zero Configuration Networking
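The thread's security concern is that the magic `<>` loop hands each element of @ARGV to two-argument open, so a name such as `>out`, `|cmd` or `cmd|` is parsed as a mode or pipe rather than opened as a file. The following is an added example, not code from this thread or from perl itself; it shows one way to keep the "files from @ARGV, STDIN if none, '-' means STDIN" convention while opening every name literally with three-argument open. The function name `process_args` and the callback interface are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Iterate over the files named in @ARGV the way the magic <> loop does,
# but open each one with the three-argument form so that names such as
# ">x", "|cmd", "cmd|" or "  x" are taken literally instead of being
# interpreted as a write mode, a pipe, or a trimmed name by 2-arg open.
#
# Note: perl 5.22 and later provide the "<<>>" (double-diamond) operator,
# which applies this same rule inside the magic loop itself; this helper
# is a portable equivalent for older perls and a place to hang policy,
# e.g. refusing '-' when untrusted input supplies the argument list.

sub process_args {
    my ($callback, @names) = @_;     # hypothetical helper, see lead-in
    @names = ('-') unless @names;    # mimic <>: no arguments means STDIN

    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;           # '-' explicitly means standard input
        }
        elsif (!open $fh, '<', $name) {   # 3-arg open: no magic characters
            warn "cannot open '$name': $!\n";   # same message shape as <>
            next;
        }
        my $lineno = 0;              # own counter, so '-' does not disturb $.
        while (defined(my $line = <$fh>)) {
            $lineno++;
            $callback->($name, $lineno, $line);
        }
        close $fh unless $name eq '-';   # never close STDIN behind the caller
    }
    return;
}

# Example use: echo each line prefixed by its source, like a cautious cat -n.
process_args(sub {
    my ($file, $lineno, $line) = @_;
    print "$file:$lineno: $line";
}, @ARGV);
```

Running it with an argument like `'|true'` produces a "cannot open" warning for a file literally named `|true`, which is the behaviour you want when @ARGV comes from anything other than a trusted shell.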
