On Thursday, Nov 21, 2002, at 16:41 Europe/London, Perrin Harkins wrote:

> Rob Nagler wrote:
>
>> Matt Sergeant writes:
>>
>>>> of these in POE than Apache. The more eyes, the fewer the defects.
>>>
>>> As someone who has worked on POE, and has a *great* deal of respect for
>>> Rocco, I would really like to see that backed up. I haven't seen any
>>> exploits in POE during my 2 years of using it, neither private nor
>>> public. Got any example exploits, or any CVS changes that fixed an
>>> exploit? (that's all public data)
>>
>> I'm sorry. I didn't mean to impugn anybody's credibility.
>>
>> The data are available that show the more people reviewing code, the
>> more reliable it is.
>
> I would have to agree. I don't know Rocco at all, but the people coding
> Apache aren't exactly trying to add bugs either. A lack of reported
> exploits usually means no one is trying, not no one can do it.
There's a huge difference in what they are trying to achieve though. POE doesn't open any files and it doesn't write any files to disk. None of it is written in C (yet), so unless there's a buffer overrun or type mismatch bug in perl you can exploit, you're not going to get in that way.

I'm not honestly suggesting it's bug free, but I fail to see how a bug in POE would give you access to the system.

Now user code written on top of POE (or Apache) is another matter altogether.

Matt.
