Given the embarrassing talk that Netanel Rubin gave last year, in which he chose not to learn a language and then laughed at it for the mistakes he made, I’m surprised I have to respond to yet another of his talks. Somehow CCC gave him another slot to present strawman arguments for cheap laughs again this year, and no doubt that’s what he did.

This year Netanel found two things and ran with them past the point of absurdity. Starting with the second one, he found that an example in the CGI.pm documentation contained an exploit. Sure, that’s kinda bad, except it was clearly a demo, and in the documentation for a library that has been lambasted for being old and broken for ages. CGI.pm’s problems are so well known that Perl has removed it from the core just so that it doesn’t seem like we are promoting its use. Now for the one that really irks me.

His first “exploit” was that he found some crappy code in Bugzilla which assumes (wrongly) that a user cannot create a data structure in an HTTP request, which of course many Perl modules can create under any number of circumstances. His accusation is that people reuse methods in application logic for trusted and untrusted inputs. The code is basically this:

    sub doit {
        my ($input) = @_;
        if (ref $input) {
            # treat $input as trusted data
        } else {
            # treat $input as untrusted
        }
    }

Well, this is of course very silly, and if you do that it’s your fault. The idea that because it’s a reference we all assume it’s trusted input is patently absurd, and no one knows how he even got that idea. Fine; Bugzilla did that, but it doesn’t make it true generally. There are all kinds of better ways to do this, most appropriately (and very MVC): separate your business logic (which operates on validated data) from your controllers (which accept and validate data).

This has nothing to do with Perl, it has everything to do with writing good code.
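To make that concrete, here is an added example, not code from the post, from Bugzilla, or from any framework. It includes a small query-string parser (constructed for this example; it imitates the common Perl request-parser behaviour of turning a repeated key into an array reference), the reference-as-trust check criticised above, and the controller/business-logic split recommended instead. All names (parse_query, doit_bad, validate_id, business_logic, controller) are chosen for this example only.

```perl
#!/usr/bin/env perl
# Added example (not from the post or from Bugzilla): why "ref $input" is not
# a trust boundary, and how to separate validation from business logic instead.
use strict;
use warnings;

# Constructed stand-in for a framework's parameter hash. Many Perl request
# parsers turn a repeated key (?id=1&id=2) into an array reference, so the
# shape of the data is under the client's control, not the application's.
sub parse_query {
    my ($query) = @_;
    my %params;
    for my $pair (split /&/, $query) {
        my ($k, $v) = map { s/%([0-9A-Fa-f]{2})/chr hex $1/ger } split /=/, $pair, 2;
        $v = '' unless defined $v;
        if (exists $params{$k}) {
            $params{$k} = [ $params{$k} ] unless ref $params{$k};
            push @{ $params{$k} }, $v;
        } else {
            $params{$k} = $v;
        }
    }
    return \%params;
}

# The pattern the post criticises: the reference-ness of the argument is used
# as the trust signal, so a client-built arrayref lands in the "trusted" branch.
sub doit_bad {
    my ($input) = @_;
    if (ref $input) {
        return "trusted path: " . join(',', @$input);
    }
    return "untrusted path: $input";
}

# The MVC layout: the controller validates raw parameters and converts them
# into plain, typed scalars; the business logic only ever sees validated data.
sub validate_id {
    my ($raw) = @_;
    die "id must be a single value\n" if ref $raw;   # reject any data structure outright
    die "id must be a positive integer\n"
        unless defined $raw && $raw =~ /\A[1-9][0-9]*\z/;
    return 0 + $raw;
}

sub business_logic {
    my ($id) = @_;   # receives an already-validated integer, nothing else
    return "looking up record $id";
}

sub controller {
    my ($query) = @_;
    my $params = parse_query($query);
    my $id = eval { validate_id($params->{id}) };
    return "400 Bad Request: $@" if $@;
    return business_logic($id);
}

print doit_bad(parse_query('id=1&id=2')->{id}), "\n";   # arrayref: wrongly "trusted"
print controller('id=42'), "\n";                          # validated, reaches business logic
print controller('id=1&id=2'), "\n";                      # rejected: not a single value
print controller('id=abc'), "\n";                         # rejected: not an integer
```

The point of the split is that business_logic has a type contract (one positive integer) that the controller enforces before calling it, so the question of whether a reference is "trusted" never arises; the parser is deliberately simplified (no handling of "+" or of missing keys beyond undef) and only exists so the example runs offline.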

Now, if that weren’t enough, Netanel goes on to assume that, since we all share this insane belief that data structures contain safe data (again, wat?), any web framework that creates data structures is broken and contains exploits. He accuses Mojolicious and Catalyst of this while providing no examples, for the sole reason that they can create data structures. I should note that, at least in Mojolicious’ case, there are never ambiguities about which data structures are returned (as was his complaint last year).

It all got great laughs. Of course it did. Anyone can build a strawman and beat it to death for the amusement of a neophyte crowd. Where this is supposed to stop is with the organizers. CCC, you should be embarrassed for giving this guy a stage again. Please don’t make the same mistake for a third year in a row.