Secure Coding mailing list archives
Re: Python, Ruby, Perl & PHP
From: James Walden <jwalden () eecs utoledo edu>
Date: Mon, 03 May 2004 16:39:42 +0100
Fabien wrote:
> I've been on the list for more or less one month and I have seen a lot of discussion about the "safety" of a language. And since I use languages like Python or PHP, I would like to have your opinion about such languages.

Your question is quite broad, so I'll give some quick answers along with references that go into greater depth.

On the positive side, it's much more difficult to construct a buffer overflow in the languages that you ask about than in C/C++. A perhaps larger advantage of the languages you mention is that the number of lines of code needed to perform a function in one of those languages is often a factor of 5 smaller than in C/C++. On the negative side, most of these languages have features which let you easily generate and insert code into your program at runtime, but novice programmers are less likely to misuse such features than they are to write buffer overflow bugs in C/C++.

PHP has features that make input validation more difficult, such as register_globals, which permits attackers to insert variable values directly into your program using the GET or POST HTTP request parameters. There are also issues with sessions and file uploads. Use PHP version 4.3 and follow the recommendations in http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html

Perl has certain functions like open() and glob() which invoke shells when you might not expect them to, but it does offer "taint" mode as a method of requiring programmers to validate their input. I like the idea, but it's not foolproof, as you can use an insecure validation algorithm, which satisfies perl's taint requirements but fails to protect your program from dangerous input. There have been problems with suidperl several times in the past, so I would suggest not using it. Read the perlsec(1) man page for more details, and check out the 3-argument open introduced in perl 5.6 that makes it easier to avoid invoking a shell when using pipes.
Python has a stronger type checking system than perl and PHP, but its checking is dynamic, unlike the static checks in C/C++. However, I'm not sure that dynamic type checking makes Python any less secure than C++, considering that language's ability to cast types arbitrarily or the complexity of using templates when you do need dynamic typing in that language. There's a short discussion of Python security at http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/python.html

I haven't written more than toy programs in Ruby, so I can't comment directly on that language.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/
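The two Perl points above (an untainting regex that satisfies taint mode without actually validating anything, and the 3-argument / list-form open that keeps a shell out of the picture) side by side, as an added illustration that is not part of the original message. The function names, the directory argument and the sample inputs are constructed for the example.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl   (taint mode must be on from the start)
use strict;
use warnings;

# perlsec(1) asks for a clean environment before spawning anything under -T.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Both functions satisfy the taint checker, because a capture group from a
# regex match is treated as "clean".  Only the second one enforces a safe shape.
sub untaint_lax {
    my ($input) = @_;
    my ($clean) = $input =~ /^(.*)$/s;   # matches anything, "../" included
    return $clean;
}

sub untaint_strict {
    my ($input) = @_;
    # Plain file names only: letters, digits, dot, underscore, hyphen; no "/".
    my ($clean) = $input =~ /^([\w.-]+)$/;
    return $clean;                       # undef when the input is rejected
}

# 3-argument open fixes the mode to '<'.  With 2-argument open(FH, $name) a
# name beginning with '|' or '>' would be read as an instruction to run a
# pipe or truncate a file instead of as a file name.
sub read_user_file {
    my ($dir, $input) = @_;              # $dir is a constructed base directory
    my $name = untaint_strict($input);
    die "rejected file name\n" unless defined $name;
    open(my $fh, '<', "$dir/$name") or die "cannot open $dir/$name: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# List-form pipe open hands the arguments straight to execvp(); no shell
# ever parses them, so metacharacters in $path cannot turn into commands.
sub count_lines {
    my ($path) = @_;
    open(my $ph, '-|', 'wc', '-l', $path) or die "cannot run wc: $!\n";
    my $out = <$ph>;
    close $ph;
    return $out;
}

# Constructed inputs: one legitimate name, one traversal, one pipe trick.
for my $candidate ('notes.txt', '../../etc/passwd', '|id') {
    my $strict = untaint_strict($candidate);
    printf "%-18s lax: %-18s strict: %s\n", $candidate,
        untaint_lax($candidate), defined $strict ? $strict : '(rejected)';
}
```

The loop prints that the lax regex returns all three names unchanged while the strict one keeps only `notes.txt`; perl -T would have accepted either result as untainted.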
Current thread:
- Python, Ruby, Perl & PHP Fabien (Apr 23)
- Re: Python, Ruby, Perl & PHP James Walden (May 03)