On Mon, 28 Feb 2005 21:13:06 -0500, Bogart Salzberg <[EMAIL PROTECTED]> wrote:

> An (improved) argument for a bottom-up approach to boosting Perl...

[ various stuff I mostly agree with snipped ]

> 3. Make Perl CGI easier to use. The aid of "CGI::Carp qw(fatalsToBrowser)"
> should be built-in and ON by default. (How hard is it for perl to figure out
> that it was called in a CGI context and prepend a header upon expiring? For
> that matter, how hard is it for Apache to do?) "500 Server Error" is NOT
> helpful. Sure, you could check the error log. But some ISPs don't even allow
> access to the error log. When you're smart enough to turn it OFF, you'll be
> smart enough to turn it OFF.

[...]

This I'm strongly opposed to since it is a security hole. The same tool that you use to debug your code can be used by attackers to debug an attack against your code. Search for a guide to how to conduct an SQL injection attack to see a practical example of how this happens in practice.

Make it easy to find the feature and toggle it. But don't encourage insecure by default when facing the Internet. Please.

Ben

_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm
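The toggle Ben asks for, as an added Perl example that is not part of the thread: CGI::Carp's browser output stays generic unless a developer explicitly opts in, and the full die() text goes to a server-side log. The MYAPP_DEBUG variable and the log path are assumptions, not anything the list discussed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): keep CGI::Carp's browser output
# generic by default and make the verbose debugging view an explicit opt-in.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser set_message carpout);

# Opt-in switch. MYAPP_DEBUG is a hypothetical name; set it on a developer
# vhost only, e.g. with Apache's "SetEnv MYAPP_DEBUG 1".
my $DEBUG = $ENV{MYAPP_DEBUG} ? 1 : 0;

# Send warn/die output to an application log the developer can read even
# when the hosting provider hides Apache's error_log. Path is an assumption.
BEGIN {
    open( my $log, '>>', '/var/log/myapp/cgi-errors.log' )
        or die "cannot open application log: $!";
    carpout($log);
}

# fatalsToBrowser calls this with the die() text instead of printing it raw.
set_message( sub {
    my ($msg) = @_;
    # Correlation id so the generic page can be matched to its log line.
    my $id = sprintf( '%x-%x', time, $$ );
    warn "[$id] $msg";    # details stay server-side (CGI::Carp also logs the raw die)
    if ($DEBUG) {
        # Developer view: escape the text, since it may echo request data.
        print '<pre>[', $id, '] ', CGI::escapeHTML($msg), '</pre>';
    }
    else {
        # Production view: no file paths, SQL text or module internals.
        print "<p>The request could not be completed. Reference: $id</p>";
    }
} );

my $q    = CGI->new;
my $user = $q->param('user') // '';

# Constructed failure to exercise the handler; the message deliberately
# resembles the kind of database error that would help someone probing
# the script, and is exactly what the default view must not show.
die "lookup failed for user '$user': column 'usrname' does not exist"
    if $user eq '';

print $q->header('text/html');
print '<p>Hello, ', CGI::escapeHTML($user), "</p>\n";
```

Requesting the script without a user parameter yields only the reference id in the browser, while the application log carries the id together with the full error text.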

