Secure Coding mailing list archives

Re: Python, Ruby, Perl & PHP


From: James Walden <jwalden () eecs utoledo edu>
Date: Mon, 03 May 2004 16:39:42 +0100


Fabien wrote:
I've been on the list for more or less one month and I have seen a lot of 
discussion about the "safety" of a language. And since I use languages 
like Python or PHP, I would like to have your opinion about such languages.


Your question is quite broad, so I'll give some quick answers along with 
references that go into greater depth.  On the positive side, it's much 
more difficult to construct a buffer overflow in the languages that you 
ask about than in C/C++.  A perhaps larger advantage of the languages 
you mention is that the number of lines of code needed to perform a 
function in one of those languages is often a factor of 5 smaller than 
in C/C++.  On the negative side, most of these languages have features 
which let you easily generate and insert code into your program at 
runtime, but novice programmers are less likely to misuse such features 
than they are to write buffer overflow bugs in C/C++.


PHP has features that make input validation more difficult, such as 
register_globals, which permits attackers to insert variable values 
directly into your program using the GET or POST HTTP request 
parameters.  There are also issues with sessions and file uploads.  Use 
PHP version 4.3 and follow the recommendations in

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html

Perl has certain functions like open() and glob() which invoke shells 
when you might not expect them to, but it does offer "taint" mode as a 
method of requiring programmers to validate their input.  I like the 
idea, but it's not foolproof, as you can use an insecure validation 
algorithm, which satisfies perl's taint requirements but fails to protect 
your program from dangerous input.  There have been problems with 
suidperl several times in the past, so I would suggest not using it. 
Read the perlsec(1) man page for more details, and check out the 
3-argument open introduced in perl 5.6 that makes it easier to avoid 
invoking a shell when using pipes.


Python has a stronger type checking system than perl and PHP, but its 
checking is dynamic, unlike the static checks in C/C++.  However, I'm 
not sure that dynamic type checking makes Python any less secure than 
C++, considering that language's ability to cast types arbitrarily or 
the complexity of using templates when you do need dynamic typing in 
that language.  There's a short discussion of Python security at

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/python.html

I haven't written more than toy programs in Ruby, so I can't comment 
directly on that language.


--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/
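The two Perl points in the message above, in one small script: an untaint pattern that satisfies taint mode but validates nothing, beside a whitelist pattern that actually constrains the input, and a 3-argument open() that treats the name as a literal path rather than a pipe specification. This is an added example, not code from the original post; the data directory path and the script's command-line interface are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): a laundering regex that accepts
# anything versus a whitelist untaint, plus 3-argument open(), which never
# treats the filename as a pipe spec.  Run as: perl -T this_script.pl NAME
use strict;
use warnings;

# Under -T every value from outside the program (here @ARGV) is tainted; Perl
# refuses to hand it to open(), system() and friends until a regex capture
# "launders" it.  That regex is therefore the real input check.

# Insecure untaint: satisfies taint mode but accepts any string at all.
sub untaint_anything {
    my ($input) = @_;
    my ($clean) = $input =~ /^(.*)$/s;   # matches everything, validates nothing
    return $clean;
}

# Whitelist untaint: a plain basename of word characters, dots and dashes,
# not starting with a dot, at most 64 characters.  Anything else is rejected.
sub untaint_basename {
    my ($input) = @_;
    return undef unless defined $input && length($input) <= 64;
    return undef unless $input =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]*)$/;
    return $1;   # untainted; cannot contain '/', '|', whitespace or NUL
}

# Read a file from a fixed directory (hypothetical path).  With an explicit
# '<' mode, open() opens the literal path: a leading or trailing '|' in the
# name would just be part of a (non-existent) filename, not a shell pipe.
sub read_from_data_dir {
    my ($name) = @_;
    my $base = untaint_basename($name);
    die "rejected filename\n" unless defined $base;
    my $path = "/var/app/data/$base";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    local $/;                 # slurp mode for this sub only
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Self-check of the validator against constructed inputs (no filesystem needed).
my @cases = (
    ['report.txt',    1],
    ['ls -la |',      0],   # would read as a pipe spec under 2-argument open
    ['../etc/passwd', 0],   # path traversal
    ['.hidden',       0],   # dotfile
    ['a' x 65,        0],   # over length limit
);
for my $c (@cases) {
    my ($in, $want) = @$c;
    my $got = defined untaint_basename($in) ? 1 : 0;
    printf "%-20s %s\n", "'$in'", ($got == $want ? 'ok' : 'MISMATCH');
}

print read_from_data_dir($ARGV[0]) if @ARGV;
```

untaint_anything is kept only to show what the message warns about: Perl's taint checks pass as soon as the value has come through a capture group, so a pattern like /^(.*)$/ turns taint mode into a no-op. The whitelist version is what makes the later open() safe, and the 3-argument form removes the second hazard independently of how good the validation is.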





