Rocco Caputo writes:
> Rating all of CPAN according to the quality of the average module does
> a disservice to its better half. Depreciating its good distributions
> also feeds into the myth that all Perl software is shoddy.
That isn't what I said. I program Perl daily. I use a bunch of CPAN
on a daily basis. It's important to look at the average of all
software. It's just like I would rather fly in an airplane 100 miles
than drive 100 miles.
> It seems naive to assume that an older project is more reliable than a
> younger one. Inception dates have no bearing on the age and quality
> of source code, otherwise djbdns would be considered less reliable
> than bind.
Is "old code is good code" a myth then? It's certainly bandied about
often enough.
> > Use of a user string incorrectly in a "system" or "open" might do it.
> > Also, an incorrect chown, chmod, umask, etc.
>
> A casual grep through POE's source would reveal that it doesn't do any
> of this.
I looked briefly at UserBase.pm, because it seems to have something to
do with security. I came up with a few questions which weren't easily
resolved. There are probably good answers to all my questions, but
I'm a fairly experienced programmer and my casual observations didn't
find them. I wouldn't find easy answers for Apache either, but I
*trust* Apache from its reputation alone. That's the best I can do,
and that's what I've been arguing about.
Anyway, here's a quick list:
-d $heap->{Dir} || mkdir $heap->{Dir},0755;
Is $heap->{Dir} supposed to be readable by everybody? What is
$head->{Dir}? Will it contain data from the heap on disk? What if
there's a clear text password in the heap?
open FILE,">>$heap->{File}" or
croak qq($heap->{_type} could not open '>>$heap->{File}'.);
This contains a small error: there should always be a space after ">".
unlink "$heap->{Dir}/$href->{user_name}" if $href->{new_user_name};
What if $heap->{Dir} is misconfigured and set to /var/mail? Is POE
running as root?
sub poco_userbase_update {
my $heap = $_[HEAP];
my $protocol = $heap->{Protocol};
my %params = splice @_,ARG0;
for($heap->{Cipher}) {
$_ is set, and it isn't local($_). This is a problem, because other
code gets values. Always use lexically scoped variables. Dynamically
scoped variables are a major source of unexpected behavior. Nit:
Barewords are bad imiho. ARG0 and HEAP should be subroutines or
methods.
my $stm = <<_EOSTM_;
delete from $heap->{Table}
where $heap->{UserColumn} = '$href->{user_name}'
_EOSTM_
$stm .= qq[ and $heap->{DomainColumn} = '$href->{domain}'] if
$href->{domain};
This is naive SQL. What if the user_name or domain has a ' in it?
What if it contains arbitrary code such as:
dontcare' OR user_name like '%
Bad news. Use '?' for all arguments except constants. The result
isn't checked to see how many records were deleted either.
> You seem to be making claims against POE based on broad generalization
> rather than research. Regardless of your intent, representing these
> opinions as facts does damage the project's reputation, since they are
> available out of context and "forever" through the list's archives.
I have no doubt POE is written well and certainly with the best
intentions. Let that stand in the archives forever.
However, the debate was not about POE vs Apache, but essentially about
old code vs new code--with a side discussion about security through
obscurity. Given two packages, which I'm not familiar with, I'll take
the older one over the new one any day.
Rob
