Re: [tlug] Do you whitelist or blacklist utf-8?
- Date: Thu, 24 Feb 2011 19:48:02 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] Do you whitelist or blacklist utf-8?
- References: <4D639689.1010302@example.com> <4D63EFBC.1020900@example.com> <4D64C5DD.1040607@example.com> <4D64CB49.10906@example.com> <4D652AF5.10304@example.com> <4D655712.1090608@example.com> <37687.61.213.3.170.1298510044.squirrel@example.com> <4D661A15.8010009@example.com>
Darren Cook writes:

 > > And, yeah, for better security, don't use PHP :)
 >
 > Do you have any evidence to support that statement?
 >
 > Security always seems, to me, to be dominated by the programmer's
 > understanding of security issues; language features are quite minor.
 > I.e. the same programmer will write safe or dangerous code whichever
 > language he uses.

That's true of the *language*. The problem with PHP has always been the *implementation*, as a review of the applicable CERTS will show.

And it's not true that the same programmer will write safe or dangerous code in whichever language. Some languages are inherently safe in some respects. For example, all of the usual scripting languages (not to mention Lisp) are *safe* from crashes caused by (user) bugs in pointer handling because they simply don't have such creatures. Of course the implementations can crash, but in most cases it's not the implementation of the language that crashes, but the language binding of some external library that does. The languages themselves tend to be extremely safe.

Web frameworks in Python, at least, are heading in the same direction. It's harder to add raw text to your dynamic web page than it is to add sanitized text in some of the recent ones. That's a good thing. (I can't speak for or against Perl, PHP, or Ruby in this respect. This is not an argument for choosing Python, unless the only thing you have to go on is some random comment I made. ;-)

Some of the languages have restricted execution modes (Python's has been deprecated but Perl has "taint mode", although I've heard that it is very hard to use in a real app).

 > (As far as I know, PHP has all the required functions for writing safe
 > code, such as htmlspecialchars(), urlencode(), strip_tags(),
 > filter_var(), regexes, etc.)

But these low-level functions are not very helpful, because they require effort; without a fair amount of sophistication you can end up with "double-url-encoding" bugs and the like. Trying to avoid those you may end up with insufficient url encoding, etc.
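The "double-url-encoding" and "insufficient url encoding" bugs mentioned at the end of the post, as an added Python example that is not part of the original thread or of any project discussed in it. It builds the same search link three ways with the standard library's one-shot helpers (html.escape, urllib.parse.quote/urlencode), then simulates what a browser does with the href attribute so the round trip to the server can be checked. The /search path, the parameter name q and the sample query string are constructed for the example.

```python
"""Added example (not from the tlug thread): why one-shot escaping helpers are
easy to misuse.  The same link is built correctly, with double URL encoding,
and with HTML escaping only; a small browser simulation shows what the server
would actually receive in each case.  The endpoint, parameter name and sample
query are constructed for this example."""
import html
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "/search"  # constructed example endpoint


def link_correct(query: str) -> str:
    """Percent-encode exactly once for the query-string context, then HTML-escape
    the whole URL for the attribute context and the label for the text context."""
    url = BASE + "?" + urlencode({"q": query})
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(query))


def link_double_encoded(query: str) -> str:
    """Bug: the value is percent-encoded by hand and then urlencode() encodes it
    again, so '%20' becomes '%2520' and the server receives encoded text."""
    already_encoded = quote(query, safe="")
    url = BASE + "?" + urlencode({"q": already_encoded})
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(query))


def link_html_escape_only(query: str) -> str:
    """Bug: only the HTML context is handled.  '&' in the value becomes '&amp;'
    (fine for HTML) but is never percent-encoded, so the browser turns it back
    into '&' and the server splits the query string in the wrong place."""
    url = BASE + "?q=" + query
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(query))


def query_seen_by_server(anchor_html: str) -> str:
    """Simulate the browser: read the href attribute, undo HTML entity escaping,
    then parse the query string the way a server framework would."""
    m = re.search(r'href="([^"]*)"', anchor_html)
    if m is None:
        raise ValueError("no href attribute found")
    url = html.unescape(m.group(1))
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def round_trips(build, query: str) -> bool:
    """True if the value the server parses equals the value we started with."""
    return query_seen_by_server(build(query)) == query


if __name__ == "__main__":
    q = "a b&c"  # constructed sample containing a space and an ampersand
    for build in (link_correct, link_double_encoded, link_html_escape_only):
        print(f"{build.__name__:24} -> server sees {query_seen_by_server(build(q))!r}")
```

Only the first builder survives the round trip: the double-encoded link delivers `a%20b%26c` to the server, and the HTML-escape-only link delivers `a b` because the unencoded ampersand starts a new parameter. Framework template engines that escape by context remove exactly this class of mistake, which is the point the post makes about recent Python web frameworks.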