Danger Will Robinson

Rick DeNatale — Thu, 05 Oct 2006 11:23:00 -0400

Ruby has a nifty method in kernel called open. It’s quite powerful in the way it interprets its first argument, a string telling it what to open. It can open a file, or it can open a pipe to a sub-process it creates to run a command in that string. It takes quite a bit of open function has a similar interpretation of it’s first argument. Again it takes quite a bit of documentation to describe.

Which is a cause for concern. Most things that powerful can be misused.

I use an application called Awstats to get statistics on my websites. Awstats is a very popular application which is written in perl.

But I long ago disallowed access to Awstats from the outsite world after I found that my system had been compromised by a bad guy exploiting perl’s open function.

Kernel#open, like perl’s open interprets a path starting with ”|” as a pipe, and effectively calls IO#popen under the covers, while File#open doesn’t.

This is dangerous if the path argument is coming from a user, say in a web application, because it opens the same security exposure which plagued Awstats, which has had several nasty security bugs because it wasn’t verifying urls and the nasties were doing things which exploited that like getting it to ‘pipe’ to wget to download worms.

When I first came across Ruby’s File#open I was happy to see that IT just treats the name argument as a file path, and chokes if it starts with a ”|”, and that there was IO#popen which explicitly opens pipes to a command running in a subprocess.

I think that it’s generally better practice in ruby to eschew Kernel#open and use either File#open to open files, and IO#popen to open pipes so that it’s clear what’s happening.

While the Kernel#open method might be convenient and safe in controlled cases, it seems like it might be the basis of a bad habit when it matters.

A Perl of Great Price

Rick DeNatale — Wed, 16 Aug 2006 11:03:18 -0400

An old programming adage goes: “You can write Fortran in any language.”

Computer languages, like natural languages, tend to spawn their own cultures and religions. And it’s not unexpected that the groups associated with these have different slants on things.

One of Ruby’s strengths is that it stole from the best. When I look at the language, it feels like Matz took the best features from a variety of languages including Smalltalk, Lisp, and not the least, Perl.

Two great features which Ruby inherited from Perl are integral support for regular expressions, and Perl’s excellent statement modifiers which allow things like:

if test
   statement
end

to be replaced with the more succinct and usually clearer:

statement if test

However, IMHO, overuse of the Perl features in Ruby can make code too Perl-like.

I’ve seen my share of Ruby code which is hard-to read and understand, and a lot of that looks suspiciously like Perl code re-written in Ruby.

A ruby, being a gemstone which is normally cut before being put to use, has facets, unlike a pearl.

The facets of Ruby, the language, let indiduals approach it from different directions. To me, as an old Smalltaker, it tends to look like Smalltalk. I tend to view it with Smalltalk-colored glasses.

I’m sure that, to a programmer deeply steeped in Perl, Ruby looks like Perl with a cleaned-up view of object-oriented features.

Literate Programming

I’ve long been a fan of the goals of literate programming. Source code should be viewed as literature, something which communcates to human readers, and not just fodder for a tool chain which produces something which is executable by a machine.

I read and write Perl on a level similar to how I converse in French. I’m told that I can speak French fairly well, and I can make myself understood. On the other hand I have a hard time understanding spoken French.

Too often, Perl looks to me like a write-only language, an impression which is not uniquely mine.

Some Perl programmers share a common predilection for something which users of another language often called read-only, APL, prided theselves on writing, one-liners. And this has inspired catalogs of Ruby one-liners

I’ve found that a lot of the literature of Perl isn’t very understandable. I’ve found that even Perl code which I’ve written myself is impenetrable when I come back to it weeks, or even days after writing it.

I’m sure that there are Perl programmers who don’t find this to be true, just like my French friends seem to be able to converse without problems, but I continue to only muddle along in both languages.

The key indicator of Perl programs written in Ruby is the use of all those global variables with funny names like $*, $&, $0, etc. Perl programmers love them since they are in Ruby for compatibility with Perl. When I see them, my eyes glaze over, and my mind says ”$&^+_”

I’m not trying to antagonize the Perl programmers among the Ruby community, anymore than I try to antagonize my francophone friends, in fact I’ve got great love for some particular francophones and perlographs.

But I’ll probably never understand them as well as I’d like to.

P.S. Not (Directly) Borrowed From Perl

One feature of Perl is the use of sigils as markers on variable names.

Ruby uses sigils to mark some variables as being globals (there’s that $ again, but the names don’t have to be funny), instance variables, or class variables.

The difference is that Perl uses sigils to distinguish the types of variables, something which is unnecessary in Ruby since everything is an object. Ruby instead uses them to find the variable binding in the case of a reference, or where to put it in the case of an initial definition. A Ruby variable comes into existance the first time it is mentioned in the execution of a Ruby program, and it goes into the global variable “pool”, the current instance, or the current instances class depending on the sigil. No declaration is necessary as compared to Smalltalk, for instance, where instance and class variables are ‘declared’ by telling the class about them, and globals are defined by putting them in the system dictionary. While Perl variables aren’t explicitly declared either, the real motivation for sigils in Perl is to associate a type with a variable.

Perl also makes use of the fact that all variables start with a sigil to automatically interpolate variables into strings. Since ruby variables don’t all start with a sigil, Ruby uses #{} as a marker to interpolate an expression int to a string. Note that if that expression is just a global, class or instance variable (all of which start with a sigil) a simple # will do the job.

So Perl uses sigils more as a way to express type, a static concept, in a dynamically executed language, and Ruby uses them to avoid static declarations, and make variable definition and use dynamic.

Talk Like A Duck: Tag perl

Danger Will Robinson

A Perl of Great Price

Literate Programming

P.S. Not (Directly) Borrowed From Perl