by bnegreve
4165 days ago
> As in eval()'ing code based on user input? That's pretty crazy, and I don't think (hope) a lot of real world security problems are caused by that!

His claim is that the mere fact that the language contains an "eval()" function (which is a feature of dynamic languages) inevitably increases the risk. Quoting:

> Most of the computer languages used to write web applications such as DCMS systems contain a feature called eval, where programming instructions can be deliberately promoted from data to code at runtime. [...] but when it is left accessible to unskilled or malicious users, eval is a recipe for disaster.

> A TLDR of the original article: "Handling user input can be dangerous, it's safer if you don't." But we already knew that...

I would say:

1. DCMS are bad for public-facing webservers because they process user input with a language that supports functions as powerful as "eval".
2. DCMS are bad for public-facing webservers because they run slow interpreted code which is "1000 times" slower and enables DDoS.