Re: [Savannah-hackers-public] Anyone have any updates on Savannah?

[Paul Smith]

On Mon, 2010-11-29 at 19:52 +0100, Sylvain Beucler wrote:
> On Mon, Nov 29, 2010 at 01:44:33PM -0500, Paul Smith wrote:
> > On Mon, 2010-11-29 at 19:34 +0100, Sylvain Beucler wrote:
> > > What I know is there's been a SQL injection leading to illegitimate
> > > membership access
> > 
> > Oh blerg.  The prevalence of these types of very simple (to avoid and to
> > fix) mistakes even on technical sites makes me despair.
> 
> I spend several weeks patching hundreds of DB queries to attempt to
> get rid of them.  That's not so easy because apparently I managed to
> miss a couple.  Sure, it's easy to avoid when you rewrite from
> scratch, but we're talking about legacy code whose rewrite is not
> finished yet.

I didn't mean to disparage anyone's efforts; mine was more a general
comment that even conceptually straightforward problems (unlike, say,
cross-site scripting or something) seem so hard to avoid in the real
world.  I really don't know anything at all about Savannah or how it's
coded.

I haven't messed with a web site in so long that the last time I did,
the backend was all Perl CGI.  However, it was easy to avoid injection
issues because (a) Perl has "taint mode", and (b) Perl has great support
for databases through DBI, which make it simple to automatically quote
strings appropriately, etc.  Between those two it's not hard to be
robust in the face of injection... assuming whomever is writing the code
in the first place is paying the least amount of attention.  Not a safe
assumption I grant you.


Looking forward to the next news update, thanks Sylvain!

-- 
-------------------------------------------------------------------------------
 Paul D. Smith <address@hidden>          Find some GNU make tips at:
 http://www.gnu.org                      http://make.mad-scientist.net
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist