Evan Martin (evan) wrote in evan_tech,
Evan Martin

black magic

snej commented:
Yes, macro languages are generally bad. It’s so easy to make use-vs-mention mistakes and accidentally evaluate bad or malicious user input.

There’s a [unintentionally] hilarious paper I once read on “Security Issues in MUSHes” that describes all of these kinds of security holes. What made it hilarious is that they are exactly the same kinds of security holes you get in Unix systems — where a shellscript running setuid to root has a quoting bug so a hacker can pass it input that gives them control over the script — only in this case it’s a more concrete metaphor where for instance you say some magic string to a poorly-coded dragon and suddenly you have total control over the dragon, which has its ‘wizard’ bit set so it can grant you anything you want. It is, literally, black magic.

Raph Levien wrote something about macro languages a while back... here, which I think I’ve linked to before, talking about the monstrosity that is autoconf. (Since then, I’ve used svn quite a bit, and it felt like I got that database recovery message almost twice a day...)

  • blog moved

    As described elsewhere, I've quit LiveJournal. If you're interested in my continuing posts, you should look at one of these (each contains feed…

  • dremel

    They published a paper on Dremel, my favorite previously-unpublished tool from the Google toolchest. Greg Linden discusses it: "[...] it is capable…

  • treemaps

    I finally wrote up my recent adventures in treemapping, complete with nifty clickable visualizations.

  • Post a new comment


    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.