[D3ve1inE]

Hi guys, Netanel Rubin here.

First of, I'm not a Pythonist. Python has nothing to do with the faults of Perl - Perl does.

Perl was a great language back at the 90's and early 2000 - it doesn't now. That is mainly because of the 'write-only' code style and many not-that-intuitive behaviors other languages practice better. It is true that my talk was based on bad programming practices, but that's the practices actually used in the wild - in Bugzilla, TWiki, MovableType, and I haven't even started talking about what cPanel developers did. So, if 99% of programmers doesn't use the language properly, who's fault is that? A company needs to provide its costumers with a working, intuitive product. So is a programming language. If so many people doesn't know how to use it properly, I'm sorry, but it's the language fault.

Another thing pointed out is prepare(). Yes, you can use it, no SQLIs there. BUT, this has nothing to do with the point. The point is that list expansion behavior in function calls is a problem most programmers weren't aware of. These are some code sections used at Bugzilla 4.4.6 (fully patched as of 30/12/2014) at different places: $attachment->_check_content_type($cgi->param('content_type')); $cgi->uploadInfo($cgi->param('data'))->{'Content-Type'}; IsValidQueryType($cgi->param('query_type'))

And it also has 2 different quote() occurrences: $dbh->quote($cgi->param('requester')); $dbh->quote($cgi->param('requestee'));

Now, I'm not saying all of those leads to a vulnerability, but as you can see there's a very visible trend here.

Did all of those programmers and maintainers never read the tutorial for the language? Or did the language documentation confused them to the point they simply weren't aware of this behavior?

From a personal perspective of one that did try to figure out what's going on with lists I can definitely say that this behavior is documents - At several places, very differently. As a simple example go back to my slides and look at the CGI documentation screen shot. VERY confusing, and honestly, just false.

As for the attitude, I do apologize for everyone offended by the young douchebag that attacked your language. But, as recent vulnerabilities showed us, without a proper show no one's gonna notice you and your point, important as it may be. So, yes, I added a couple of funny images and built a momentum for a punch line, but otherwise this talk wouldn't have got the buzz it's getting right now and programmers would've still be blind to this behaviors, as sad as it may be.

For an ending note, I do believe Perl has done it course, especially for large, maintained systems such as Bugzilla and cPanel. It may be the end of an era, but who said this is such a bad thing?

Thank you for your comments (positive or negative) and for reading this.

[leejo]

Excellent, you're here so i (we) can address a couple of the points in your talk.

1) DBI is not a core module, nor to my knowledge has it ever been.

2) I'm the current maintainer of CGI.pm - i am not the author. This is an important point because the module is 20 years old, and like any software of significant size/age/importance it has been through several different hands (over 30 according to the git log, which only goes back to 1998 so is missing 3 years).

It would be great if i could just release a version of CGI.pm that removes the list context behaviour of ->param but that would massively break back compatibility for hundreds, if not thousands, of users. Not all of these users have the knowledge or resources to fix their code, which is why for the time being CGI.pm will warn when ->param is called in list context. This has actually broken some software (anyone that has set warnings to be fatal), but this was the least harmful way i could get out to users who maybe blind to the issue that there is indeed an issue.

And yes, as many have already stated this was an unfortunate consequence of the list context behaviour of CGI.pm. Knowing the difference between scalar/list context in perl is a classic gotcha. This behaviour lurked in code going back years - the examples you cite would all fall into the "legacy code" category. You're making the classic mistake of someone who doesn't know perl: looking at code from over a decade ago and thinking this represents modern perl. It doesn't.

A couple of other examples of critical bugs that were revealed in 2014: shellshock and heartbleed. Should we dismiss bash, C, etc, as terrible languages because of these? No. People make mistakes, don't RTFM, misunderstand language features, and bugs can exist in legacy code for years and years. Usually critical bugs.

You could have made an excellent talk from the work you did in exposing the bug(s) you found. You failed. Learn from this.

[tikums]

> A couple of other examples of critical bugs that were revealed in 2014: shellshock and heartbleed. Should we dismiss bash, C, etc, as terrible languages because of these?

Yes.

[chromatic]

Perl was a great language back at the 90's and early 2000 - it doesn't now.

Professional Perl programmers understood this coding error as a coding error at least in 2000, in my personal experience. If you squint, you can see it as a poorly designed interface in the CGI module (though I'm not sure how you would fix it), but your examples are passing untrusted, unvetted user input to sensitive code.

Professional programmers have understood that as bad practice for multiple decades.

Did all of those programmers and maintainers never read the tutorial for the language?

I'm certain if you went back in time and asked "What happens if a query string contains multiple parameters of the same name?" many people would look very confused, as if they'd never considered such a thing were possible. In other words, the answer to your question is "No, most web programmers neither read nor understood the documentation, because the state of web programming in those days was terrible."

[kbenson]

From the changelog of the latest release of Perl: "CGI has been upgraded from version 3.63 to 3.65. NOTE: CGI is deprecated and may be removed from a future version of Perl."

You can still make arguments about list handling in Perl, but using a deprecated module, which has been understood by the community for years to be problematic and exists mostly for backwards compatibility, does not bolster your argument, it does the opposite.

Using large monolithic projects that were started 10+ years (Twiki: 1998, Movable Type: 2001, Bugzilla: open sourced by Mozilla in 1998) ago also doesn't lend itself well towards pointing out modern usage of Perl.

Feel free to make any argument you want, but you should use relevant examples if you hope to be taken seriously.

Edit: Typo fix: s/not be problematic/be problematic/

[xorcist]

I love it how you picture anyone disagreeing with your conclusions,that Perl is somehow a "bad" language and everyone should just stop using it, as being (a) old and (b) think of Perl as "their" language.

You did find a real vulnerability in a common misuse of the 20 year old CGI module. What you did was good. Those were real bugs and should be fixed, and CGI.pm shouldn't have been designed that way in the first place.

But those bugs lingered for a reason. Nobody uses CGI anymore, expect for a handful of packages (of which you found three). There is no reason to stop using Perl because CGI is badly designed. There are plenty of reasons to criticise it, but at least take five minutes to get a basic grasp of the language syntax before doing so. The existance of variable contexts (which is the language feature where you can ask to flatten a list or count the elements by the calling convention alone) is simply not it.

Perl is a stable systems integration language with rock solid bindings to big database systems. The only language that even comes close is Python. The declarative object model of Moose can give you many features of a strongly typed language, and with the heavy focus on testing being ingrained in the community, it can be quite useful. That you should stay away from CGI in 2014 goes without saying.

[laumars]

Your logic is completely broken though. You're looking at projects written back when the only real competitor to Perl was classic ASP (PHP was still in it's infancy) and then saying that Perl as a language is terrible because you're too lazy to look at all the modern frameworks that have been added since then (have you even heard of mod_perl, Mojolicious, Dancer or Catalyst? All of them do away with CGI)

Yes, there are some bad Perl programmers, but there are bad programmers in every language. If someone missuses pointers in C/C++, you blame the developer. Or if someone cocks up the whitespacing in Python, you'd blame the developer. Of course the buck stops at the developer - he is the guy writing the code to begin with. Who else are you going to blame if someone writes bad code?

Lists aside, ironically Perl has better type safety than many other loosely typed languages due to the lack of operator overloading - thus avoiding the often overlooked triple character operators (eg ===, !==, etc). So while Perl (like any language) does have it's hidden traps, it also has protection against hidden traps that other languages exhibit. However you conveniently overlook this when ranting about how poor Perl's type system is.

The problem here is that you clearly have some deep seated prejudice against Perl and it's caused you to create a presentation that's, at best, rude, but realistically it's just down right ignorant flamebait.

If you really cared half as much about good programming practices and secure web applications as you make out, then half your presentation would have been explaining how to avoid those pitfalls you demonstrated, instead of smugly shrugging whenever the question was raised. And since you continually explained how "shit" Perl is, you could have also demonstrated the equivalent features in other languages which are safe (the problem here is that examples you'd given would have been bad practice in any programming language - as has been discussed on here already).

This is why you're receiving so many negative comments, both from HN, Youtube commenters and even half your peers in the audience that day.

Hopefully the next time you decide to give a presentation, you will put your personal feelings aside and can give a more up-to-date, balanced and better researched talk.

[eCa]

My main problem with the talk is not that you make fun of Perl (every langauge is easy to make fun of), but that you don't seem to have more than a superficial grasp of Perl. No one that doesn't understand a language should make recommendations as to its use.

A couple of examples:

* "You need to backslash the variable" (near-quote) - no, you need to pass the array as a reference (which can be done in several ways).

* Anyone expecting my $var = scalar @array; to return anything but the number of items in @array hasn't spent much time writing/reading Perl.

* "Most, if not all, Perl web apps use CGI.pm" - Not in a world of Mojolicious [1], Dancer [2], Catalyst [3] and others. You should check them out.

[1] https://metacpan.org/pod/Mojolicious

[2] https://metacpan.org/pod/Dancer2

[3] https://metacpan.org/release/Catalyst-Runtime

[kbenson]

No to mention, CGI is deprecated in the latest Perl release.

[zzzcpan]

> list expansion behavior in function calls is a problem most programmers weren't aware of.

Actually, what lists do in list context is one thing every Perl programmer knows. You cannot go too far without it in Perl.

[pwr22]

Most Python programmers switching to Perl an assuming it works the same way is probably true though :P

[Ad_Nauseam]

Rather than switching to perl, most python programmers i know always badmouthing perl