
OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 22:40 UTC (Fri) by chromatic (subscriber, #26207)
In reply to: OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet) by kjp
Parent article: OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Perhaps you meant s/Perl/C/g in your comment. C doesn't have taint mode, for one particular example.


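Taint mode, which chromatic contrasts with C above: an added Perl example (not code from this thread) showing how `-T` refuses to pass untrusted argv to an external command until it has been validated through a regex capture. The filename whitelist pattern is an assumption chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the LWN thread: Perl taint mode in practice.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: under -T, system()/exec() also refuse to run unless the
# environment is clean, so fix PATH and drop the variables a shell honours.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Anything that enters from outside the program (argv, env, files,
# sockets) is marked tainted; tainted() lets us observe the flag.
my $name = $ARGV[0] // die "usage: $0 <filename>\n";
print "argv is tainted: ", (tainted($name) ? "yes" : "no"), "\n";

# The only way to clear the flag is to extract the value via a regex
# capture. The pattern is the whitelist (assumed for this example):
# a bare filename, no '/', no shell metacharacters.
sub untaint_filename {
    my ($raw) = @_;
    return $1 if $raw =~ /\A(\w[\w.-]{0,254})\z/;
    die "rejected filename: $raw\n";
}

my $safe = untaint_filename($name);
print "after capture: ", (tainted($safe) ? "tainted" : "clean"), "\n";

# Had we skipped the capture and passed $name directly, perl would die
# with "Insecure dependency in system while running with -T switch"
# instead of running the command.
system('ls', '-l', '--', $safe) == 0
    or die "ls failed: $?\n";
```

Run it as `perl -T script.pl somefile` and compare with a name containing `;` or `/`, which the whitelist rejects before anything reaches the shell.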

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 23:27 UTC (Fri) by khim (subscriber, #9252)

While C is not a particularly "safe" language, it's infinitely better than Perl: while it does have some dangerous constructs, it's a simple and limited language. Perl is not. You can rarely be 100% sure about what your Perl program actually does. You can have some guesses, and in simple cases you'll be right most of the time, but in general it's not actually possible. If that's not the definition of an "unsafe" language then I don't know what is.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 0:27 UTC (Sat) by tetromino (subscriber, #33846)

With all due respect, I suspect that the fact that you don't know why your perl code does what it does is a result of your lack of experience in using perl and lack of time to read the documentation.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 10:12 UTC (Sat) by khim (subscriber, #9252)

If I don't know what my code is doing, then I'm ill. Maybe bad memory, maybe something else. The question is: can I understand what the code written by others is doing, if they wrote the program without the explicit goal of fooling me? Perl fails this test spectacularly: it's rarely easy to do unless the code is written by someone who's using a very small "safe" subset of Perl.

I can easily do this with C or Python, I can do it with C++ or Haskell (not easy, but doable), but I can not do it with Perl - and neither can Larry Wall (see my comment above). And if not he, then who?

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 18:05 UTC (Sat) by Richard_J_Neill (subscriber, #23093)

There are several issues here.

1) Can perl be obfuscated/hard to read? Yes. For example, this construct, which I saw on slashdot as a signature:

perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'

That's the origin of the "write-only code" or "programming in line-noise" jokes. But then, any language allows this.

2) Can perl be clearly written and understandable? Yes, of course - it depends on the style of the author. (It also helps to avoid some of the more obscure syntax.)

3) Can you write a trojan in perl which will fool casual inspection of the source? Yes. But you can do it in C, or bash too. E.g.:

if ((a=b))... /* = vs == */

:(){ :|:& };: #Do NOT try this in bash, it will hang your system.

This has nothing to do with OpenBSD.

Posted May 5, 2007 18:22 UTC (Sat) by smoogen (subscriber, #97)

My only issue with write-only code was that for a long time it was the preferred religion of many perl coders. Maybe it was job-security fears or the macho-ness that none of the other perl coders could figure out the hairy construct you came up with. This is not a language issue though; it is a culture/religion issue, and those are the ones that get people the most rankled... got to know who your buddies are and who you need to send the inquisition after...

Just fun

Posted May 5, 2007 18:45 UTC (Sat) by niner (subscriber, #26151)

I often try to solve something with as few lines of code, or even characters, as possible in Perl - and then throw this code away and replace it with a longer, maintainable version. It's just fun and nice practice, not unlike something mathematicians do.

To introduce such constructs into production code is irresponsible of course.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 6, 2007 7:55 UTC (Sun) by jengelh (subscriber, #33263)

>perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print';

And for those stuck with such, try this:

perl -MO=Deparse -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print';
$_ = ': 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\\2: 5/7\\_/\\7: 12m m::';
tr/:/\n/;
s/(\D)(\d+)/$1 x $2;/eg;
print $_;

It's so much easier to read, so why not use it, should you stumble across such code?

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:28 UTC (Tue) by nix (subscriber, #2304)

The shell won't like that: you open a ' quote and then close it in the middle of the block...

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:32 UTC (Tue) by jengelh (subscriber, #33263)

13:26 takeshi:~ > echo 'a''b''c'
abc

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:41 UTC (Tue) by nix (subscriber, #2304)

I don't see the relevance of that: there are no doubled quotes in the parent of your post. Everything from the third line onwards is *typed to the shell* because the ; on the previous line terminated the *shell's* command line, not perl's (you just closed the quote that would have protected the ; from the shell).

I don't think the shell likes

$_ = ...

as syntax very much.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:44 UTC (Tue) by jengelh (subscriber, #33263)

I thought you could figure out that the bold text is what you type, and the non-bold text is what you get. :-)

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 18:37 UTC (Tue) by nix (subscriber, #2304)

Oops, sorry, reading with links; no bold :) I see it with one of those newfangled graphical browser thingies.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 10, 2007 10:28 UTC (Thu) by ekj (subscriber, #1524)

Any language *CAN* be obfuscated. However, some obfuscate more easily than others, and there is no other language where such a large set of coders took such obvious pride in unreadable gobbledygook. "Perl one-liner", anyone?

It's more a question about culture than about the language as such, really, although it *does* help the confusion and illegibility when you have a dozen or more "special" characters with various magical properties -- for added bonus, let their magical properties be dependent on context.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 7, 2007 15:14 UTC (Mon) by tjc (subscriber, #137)

> ... and lack of time to read the documentation.

I didn't find the documentation to be all that good. There's a lot of it, but that's not quite the same thing.

For example, porting an existing multi-file PHP application to perl is difficult, because multi-file applications are awkward and non-intuitive in Perl (nightmarish problems with variable scoping), and there's not much written about it.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 7, 2007 17:19 UTC (Mon) by niner (subscriber, #26151)

Yes, multi-file applications are a real horror in PHP. Always having to guess where an include file might be, where variables and functions are coming from, and having fun getting your variables overwritten because there is nothing like a namespace concept...

But the horror really starts with the documentation. A bare minimum of explanation leaving out important details, wrong examples and promotion of bad coding style. And comments that gladly explain to you how their hello world app works.

perldoc perlmod
perldoc perlsub
perldoc perltoot

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 9, 2007 15:54 UTC (Wed) by tjc (subscriber, #137)

> ... there is nothing like a name space concept...

It seems as though 545 other people share your concern:

http://new.petitiononline.com/mod_perl/signed.cgi?phpns

I think that if I were a serious PHP developer I'd probably sign up too.

1;

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 2:31 UTC (Sat) by chromatic (subscriber, #26207)

> You can rarely be 100% sure about what your Perl program actually does.

Actually, I'm often 100% sure about what my Perl programs actually do. I have a fairly good grasp of the language.

It's C and Haskell that give me trouble, often for very different reasons--respectively, spooky memory-clobbering action at a distance and spooky math concepts.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 6, 2007 19:08 UTC (Sun) by bronson (subscriber, #4806)

khim, are you seriously trying to claim that C is safer than Perl? Because that is, of course, demonstrably false.

And, no, that's not the definition of an "unsafe" language. Unsafe languages tend to turn a tiny mistake by a programmer into a colossal security hole. While Perl suffers from many faults, this is certainly not one of them.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds