Ian Bicking: the old part of his blog

Re: The PHP Ghetto

As Python programmers, we should be a little bit careful about pointing the finger. After all, it wasn't too long ago that we also had a security hole in the Python XML-RPC server code included with the actual Python distribution. Granted, the Python problem was in part of the code which wouldn't have been commonly used, and was a bit more involved than inappropriate use of eval, but .... ;-)

In some respects, one could say the problem really lies with RPC protocols where a server implementer tries to be smart and provide some measure of automagic unmarshalling, traversal and dispatching. Unless they have a thorough knowledge of the ins and outs of the implementation language and supporting infrastructure, it can be all too easy to screw up at some point, with it not being detected that there is a problem until quite some time later. Because the point of the XML-RPC protocol is to allow remote access, any security problem is made worse because of the fact that the service is public to start with.

The same also holds to a degree with web frameworks which provide automagic object traversal to map a URL against a resource. Many Python web frameworks have this sort of feature and not all use an explicit mechanism to say what is visible. As a consequence you can get security problems in Python web frameworks along the same lines as the XML-RPC server problem that occurred in Python. In fact, it was the problem initially found in mod_python that led onto the similar problem being found in the Python XML-RPC server code.

Thus, PHP may be a worse base from which to start, but Python also has a few dark and obscure corners. There are probably just a lot fewer of them in Python and they are harder to find. I do note though that Python programmers also seem to be less willing to accept that Python code could have security problems. The initial reactions when trying to find an appropriate forum to send details of the Python XML-RPC server problems gave testament to that. :-(

Comment on The PHP Ghetto
by Graham Dumpleton
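The contrast Graham draws between "automagic" traversal and an explicit statement of what is visible, as an added example (not code from the blog, its commenters, or Python's own XML-RPC server); the service class and dispatcher names are hypothetical:

```python
# Added example, not code from the blog or its commenters; all names are
# hypothetical. It contrasts the "automagic" dotted-name traversal Graham
# describes with dispatch through an explicit allowlist of exported methods.

class Calculator:
    """Hypothetical service object exposed over an RPC endpoint."""

    def add(self, a, b):
        return a + b

    def _reset(self):
        return "reset"  # private helper, never meant to be remotely callable

def resolve_dotted_unsafe(obj, dotted_name):
    """Automagic traversal: anything reachable via '.' is exposed.

    Nothing stops a caller naming '__class__', '__dict__' or an
    underscore-prefixed helper, so the reachable surface is the whole
    object graph rather than the intended API.
    """
    for part in dotted_name.split("."):
        obj = getattr(obj, part)
    return obj

def resolve_dotted_guarded(obj, dotted_name):
    """Same traversal, but refuses path components starting with '_'.

    The usual after-the-fact patch: it narrows the surface but still
    exposes every public attribute of every reachable object.
    """
    for part in dotted_name.split("."):
        if part.startswith("_"):
            raise AttributeError("private attribute %r refused" % part)
        obj = getattr(obj, part)
    return obj

class ExplicitDispatcher:
    """Allowlist dispatch: only names registered up front are callable."""

    def __init__(self):
        self._methods = {}

    def register(self, name, func):
        self._methods[name] = func

    def dispatch(self, name, *params):
        if name not in self._methods:
            raise LookupError("method %r is not exported" % name)
        return self._methods[name](*params)
```

The allowlist is the only variant whose exposed surface is the same set of names the author wrote down, which is the property a reviewer can actually check.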

Comments:

There is someplace now to contact about security problems: http://www.python.org/security/

Certainly this all can, and sometimes does, happen in Python. All the mechanisms that cause problems in PHP exist in Python, and I've seen people abuse them in very similar ways. But I see a much stronger emphasis on correcting problems and avoiding the same problem in the future. My initial impression of this bug was that it had something to do with the same problem as SQL injections ("blah '$string'"), but once I saw the actual code it was more complicated than that. It should have raised flags -- being complicated and using a dangerous construct -- but it wasn't blindingly obvious.

Though perhaps what surprised me more was that the code was just really really buggy, and no one noticed. It wouldn't accept any XMLRPC request that contained a string with ' in it. Geez. Anyone with the name O'Something must curse PHP, because PHP really hates that character.

# Ian Bicking

Such incidents should be finger-pointed. Not long ago there was a similar case in libpng (I think, some lib for graphics anyway). The problem was braindead code which had a buffer overflow. As a consequence, if your web browser used that library, downloading and displaying an image from the internet could execute code on your computer!

At the time I thought this was intentional and that the person who wrote that library was a script kiddie who wanted a backdoor. Such cases should be punished imo. Finger-pointing and blacklisting is fair for such stupendous code. The people who write it should not be trusted for some years.

# jfj