Vulnerability Development mailing list archives

Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)


From: Jonathan James <Jonathan () SECURITO SE>
Date: Sun, 24 Sep 2000 15:30:16 +0200

A well experienced C/C++ programmer knows how to avoid the black holes that
exist in regards to buffer overflows/unexpected input.
All you have to do is to structure and think through your software design
thoroughly before you turn your idea into code.

As for C v. Perl I would choose C.
Why? Because Perl is an interpreted language, we don't know if there exists
any flaw in the perl interpreter. When you create a CGI script using C you
know what you get. The CGI scripts run faster, offer more control and
possibilities, and you can distribute your CGI scripts without giving away
the source code.

Jonathan
http://www.securito.se

From: "Bluefish (P.Magnusson)" <11a () GMX NET>
I use /bin/bash for a number of small CGIs, and I do dare to claim them
secure. Why? They don't read any user input. They are more or less simple
programs which filter command outputs into something I want to use on my
homepages.

However, bash is really not a language well suited for common CGIs. Why?
  1. Generally hard to do a lot of things, limited language.
  2. Not commonly used, alas lack of debugged libraries & guidelines.
  3. Tricky to keep track of where shell-expansion is being done.

Personally, I've coded quite little in C/C++, I mostly try to keep my
knowledge up to date because I'm interested in the security topics it
introduces. However, I've come to realize that C introduces hazards even
highly skilled programmers cannot cope with, the average CGI programmer
much less.

As an example, I had a look at code from a C programmer I consider to be
very intelligent and efficient (one of the better ones out there) and
looking at the code I found a variety of "dangerous" code. OK, there was
nothing exploitable (I think) but a number of things that looked
dangerous. If skilled programmers produce such dangerous code, there's no
telling what the average programmer will do.

Many programmers excuse poor code with "but this software will never be
executed with elevated privileges, so it cannot be exploited" which
basically is a stupid assumption. The mpeg123 bug is merely an example of the
general principle; non-privileged applications can be exploited as well.
It's only a question of how obvious and how hard the attack is.

Back at your question, I'd say a CGI written in sh is a very, very bad
idea in general. C is also a bad idea, unless you understand the common C
problems and quite actively search your code for mistakes (it's not a
question of what you write when you think about it, but what you write
when you are tired, in a hurry, etc etc).

perl is actually a quite good language, with many existing CGI libraries
and security guidelines. IMHO, languages such as perl and php3 are close to
ideal for writing scripts. It will still be a pain, checking against
metachars, guard against null poison, perhaps filter out HTML tags and
check http-referer to guard against cross-site linking attacks. But you do
have a moderately good success chance :)
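
Added example (not part of either post): the input checks named in the thread (metachars, null poison, HTML tags), written for a CGI in C with explicit bounds on every write. The function names and the allowlist " ._-@" are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* URL-decode one CGI value into out (capacity outsz). Returns 0 on success,
 * -1 on a bad escape, a decoded NUL ("null poison"), a byte outside the
 * allowlist (an assumption for this example), or a value that does not fit. */
int decode_param(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    while (*in) {
        unsigned int c = (unsigned char)*in++;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
                return -1;                 /* truncated or non-hex escape */
            char hex[3] = { in[0], in[1], '\0' };
            c = (unsigned int)strtoul(hex, NULL, 16);
            in += 2;
        }
        if (c == 0) return -1;             /* %00 would cut the C string short */
        if (!isalnum((int)c) && !strchr(" ._-@", (int)c))
            return -1;                     /* shell/HTML metachars never pass */
        if (n + 1 >= outsz) return -1;     /* refuse rather than overflow */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Escape HTML-significant bytes in free text that is echoed into a page.
 * Returns 0 on success, -1 if the escaped text does not fit in outsz. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = *in == '<' ? "&lt;" : *in == '>' ? "&gt;" :
                          *in == '&' ? "&amp;" : *in == '"' ? "&quot;" : one;
        size_t len = strlen(rep);
        if (n + len >= outsz) return -1;   /* keep room for the terminator */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}
```

Both functions reject input that does not fit instead of truncating it, so a caller never acts on a silently shortened value.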

