[lug] Perl question: how to print embedded metacharacters

Rob Nagler nagler at bivio.biz
Sun Nov 29 08:27:30 MST 2009


On 11/28/09, Tkil wrote:
>  This thread went a little off the rails.

Ya think? ;-)

>  (Perl 'eval' is also substantially slower than the simple hash lookup
>  I describe below, but the security implications alone are enough to
>  keep me from recommending it.)

bOP has been using eval ("do", actually) for about 10 years now.  I
don't think there are any security implications to using eval unless
your system allows end-users to write files to arbitrary locations.
In that case, it probably doesn't matter that you can modify a Perl config
file of the server, because someone will just overwrite, say, /etc/passwd
or /bin/ls or /etc/httpd/conf/httpd.conf.  Crackers don't generally tear
apart custom apps to figure out if there are exploits.  There are enough
cracks in the workaday apps on Linux to give them access.  Yes, this
is security through obscurity, but the "million doors" problem is a real
phenomenon.

I don't think speed is an issue.  The Freikometer evals a "large" config file
every time it sees a new RFID tag to determine what "ring" it should play.
It does this in real time on a <1 GHz processor from a flash card.  It's also
doing other things (poor little guy).  It could have cached the config file,
but it turns out that it works just fine as it is.

While we're on the subject of performance, yesterday, I redid our search
management software to cache excerpts and titles.  I was tired of viarob.com
being so slow.  Every time you hit any page on viarob.com, it parses all
the articles to produce the list of documents on the right side.  Every time
you did a search on any of our sites, it does the same thing with the results.
I'm quite sure that the 4 hours I spent restructuring the search layer to allow
for caching and reuse of the cache by other apps will never make up for
the few seconds savings per hit.  In this case it's an interactivity issue.
The "feeling" of the site is better if the page comes back in less than a second
than in less than five seconds.

Relating back to config files, I find it hard to believe that performance
would ever be an issue with config files, esp. if you are using Perl's eval.
Perl's interpreter has to be one of the fastest out there.  It can string
process faster than most C programs, because that's what it is
optimized for.  bivio's apps contain 10KLOCs of code, and they start
in seconds, most of which is program initialization, not the Perl parser
itself.

When in doubt, measure it.  The same is true for security. :)

Rob
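The point above about eval/do being safe only as long as nobody untrusted can write the config file, as an added example that is not bOP's or the Freikometer's code: a file loaded with do() is a Perl program, so a single statement prepended to it runs inside the server process, whereas the same config kept as data (JSON::PP, in core since Perl 5.14) is merely rejected when it is tampered with. The RFID tag IDs, file names and the config layout are constructed for the example, and the Benchmark call at the end is there for the "measure it" advice, not because either loader is known to be slow.

```perl
#!/usr/bin/env perl
# Added example: do()-loaded Perl config vs. a data-only JSON config.
# Tag IDs, ring file names and config layout are constructed, not bOP's.
use strict;
use warnings;
use File::Temp qw(tempfile);
use JSON::PP;
use Benchmark qw(timethese);

our $side_effect = 'nothing ran';

# Constructed Perl-syntax config: the hashref is the last, returned, expression.
my $perl_config = <<'END_CONFIG';
+{
    ring_for_tag => { 'E200001A' => 'bell.wav', 'E200001B' => 'chime.wav' },
    volume       => 7,
}
END_CONFIG

# The same settings as data only.
my $json_config = <<'END_JSON';
{ "ring_for_tag": { "E200001A": "bell.wav", "E200001B": "chime.wav" },
  "volume": 7 }
END_JSON

sub write_temp {
    my ($suffix, $content) = @_;
    my ($fh, $path) = tempfile(SUFFIX => $suffix, UNLINK => 1);
    print {$fh} $content;
    close $fh or die "close: $!";
    return $path;
}

sub load_with_do {
    my ($path) = @_;
    my $cfg = do $path;            # compiles and runs the whole file
    die "config $path: " . ($@ || $!) unless defined $cfg;
    return $cfg;
}

sub load_with_json {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my $text = do { local $/; <$fh> };
    close $fh;
    return JSON::PP->new->decode($text);   # parses data, never executes it
}

# 1. Both loaders answer the same lookup on a clean config.
my $do_path   = write_temp('.pl',   $perl_config);
my $json_path = write_temp('.json', $json_config);
print "do():  E200001A -> ", load_with_do($do_path)->{ring_for_tag}{E200001A}, "\n";
print "JSON:  E200001A -> ", load_with_json($json_path)->{ring_for_tag}{E200001A}, "\n";

# 2. Prepend one statement, as anyone with write access to the file could.
#    do() runs it; the hashref is still returned, so nothing looks wrong.
my $tainted_pl = "\$main::side_effect = 'code from the config file ran';\n"
               . $perl_config;
load_with_do(write_temp('.pl', $tainted_pl));
print "after do() of tainted config: $main::side_effect\n";

# 3. The same kind of line in the JSON file is a parse error, not a program.
my $tainted_json = "side_effect = 1;\n" . $json_config;
my $ok = eval { load_with_json(write_temp('.json', $tainted_json)); 1 };
print "JSON loader rejected tainted config: ", ($ok ? "no" : "yes"), "\n";

# 4. "When in doubt, measure it": per-load cost of each on this machine.
timethese(-1, {
    'do()' => sub { load_with_do($do_path) },
    'JSON' => sub { load_with_json($json_path) },
});
```

Run it as `perl config_do_vs_json.pl`; the script needs only core modules. The Benchmark output is the honest answer to the speed question for your own hardware, while steps 2 and 3 show the difference that matters for security: with do(), the config file's write permission is equivalent to code execution as the server user, so it has to be protected like the program itself, not like data.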
