D3ve1inE's comments

D3ve1inE | 11 years ago | on: The Perl Jam: Exploiting a 20 Year-old Vulnerability [pdf]

Hi guys, Netanel Rubin here.

First off, I'm not a Pythonist. Python has nothing to do with the faults of Perl - Perl does.

Perl was a great language back in the '90s and early 2000s - it isn't now. That is mainly because of the 'write-only' code style and many not-that-intuitive behaviors other languages practice better. It is true that my talk was based on bad programming practices, but those are the practices actually used in the wild - in Bugzilla, TWiki, MovableType, and I haven't even started talking about what cPanel developers did. So, if 99% of programmers don't use the language properly, whose fault is that? A company needs to provide its customers with a working, intuitive product. So does a programming language. If so many people don't know how to use it properly, I'm sorry, but it's the language's fault.

Another thing pointed out is prepare(). Yes, you can use it, no SQLIs there. BUT, this has nothing to do with the point. The point is that list expansion behavior in function calls is a problem most programmers weren't aware of. These are some code sections used in Bugzilla 4.4.6 (fully patched as of 30/12/2014) at different places:

    $attachment->_check_content_type($cgi->param('content_type'));
    $cgi->uploadInfo($cgi->param('data'))->{'Content-Type'};
    IsValidQueryType($cgi->param('query_type'))

And it also has 2 different quote() occurrences:

    $dbh->quote($cgi->param('requester'));
    $dbh->quote($cgi->param('requestee'));

Now, I'm not saying all of those lead to a vulnerability, but as you can see there's a very visible trend here.

Did all of those programmers and maintainers never read the tutorial for the language? Or did the language documentation confuse them to the point they simply weren't aware of this behavior?

From a personal perspective of one that did try to figure out what's going on with lists, I can definitely say that this behavior is documented - at several places, very differently. As a simple example, go back to my slides and look at the CGI documentation screenshot. VERY confusing, and honestly, just false.

As for the attitude, I do apologize to everyone offended by the young douchebag that attacked your language. But, as recent vulnerabilities showed us, without a proper show no one's gonna notice you and your point, important as it may be. So, yes, I added a couple of funny images and built momentum for a punch line, but otherwise this talk wouldn't have got the buzz it's getting right now and programmers would still be blind to these behaviors, as sad as it may be.

For an ending note, I do believe Perl has run its course, especially for large, maintained systems such as Bugzilla and cPanel. It may be the end of an era, but who said this is such a bad thing?

Thank you for your comments (positive or negative) and for reading this.
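The list-expansion pitfall the comment describes, as an added Perl example that is not code from the talk, from Bugzilla or from CGI.pm: param(), check_content_type() and the constructed query values below stand in for CGI::param and a typical options-hash helper, and the scalar() call shows the fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for CGI::param: like the real method, it returns
# every value in list context and only the first one in scalar context.
# The request is assumed to carry three values for 'content_type'.
my %query = ( content_type => [ 'text/plain', 'allow_html', '1' ] );

sub param {
    my ($name) = @_;
    my @vals = @{ $query{$name} || [] };
    return wantarray ? @vals : $vals[0];
}

# Hypothetical helper in the common Perl style: one positional argument
# followed by a hash of options.
sub check_content_type {
    my ( $type, %opts ) = @_;
    return { type => $type, allow_html => $opts{allow_html} // 0 };
}

# Vulnerable: param() is evaluated in list context, so all three values are
# flattened into @_ and the caller-supplied pair becomes an option.
sub vulnerable {
    return check_content_type( param('content_type') );
}

# Fixed: scalar() forces scalar context, so only the first value is passed
# and the extra request values cannot reach %opts.
sub fixed {
    return check_content_type( scalar param('content_type') );
}

my $v = vulnerable();
my $f = fixed();
printf "vulnerable: type=%s allow_html=%s\n", $v->{type}, $v->{allow_html};
printf "fixed:      type=%s allow_html=%s\n", $f->{type}, $f->{allow_html};
```

The vulnerable call reports allow_html=1 because the option came from the request; the fixed call reports the default 0.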
