29 May, 2003

You've got nice code!

You've got nice code.
I suppose that's one of the highest compliments I've ever been paid in the workplace. I'm quite accustomed to being the most senior perl guy in the building. Typically, I have to explain to people why I used a + to disambiguate a print statement, and even then it doesn't make sense to them.


So I was demonstrating to one of my new coworkers today how I thought Taint checking would bitch about a particular flavor of system call (don't ask). I sat down and started a small cgi program, and he told me "You've got nice code." That made me feel great. After the years of working with people who don't really understand the effort and craftsmanship I put into my code, somebody finally gets it. And now it really is worth all that effort. Yay.

On another note, he's really sharp [ed: hi jimmyG if you read this]. He has a very strong grasp of perl, and when you explain something to him that he doesn't get, he picks it up quickly. I hope that we'll be able to grow as professionals. Seems that way.

Little Shop of Horrors
I was asked to convert the script this piece of code lived in to something that was -T compliant:
# %in holds the raw CGI parameters; nothing is validated or untainted
$Dir = $in{"Dir"};
$VAR1 = $in{"VAR1"};
$VAR2 = $in{"VAR2"};
$VAR3 = $in{"VAR3"};
$VAR4 = $in{"VAR4"};

# user input interpolated straight into a command string
$cmd = "${XXXX}/bin/XXXX $Dir $VAR1 $VAR2 $VAR3 $VAR4 $XXXX ${XXXX}";

# the "$cmd |" form hands the whole string to /bin/sh
open(CMD, "$cmd |");
while ($line = <CMD>) {
    print $line;
}
close(CMD);
Shudder. I have thoroughly sanitized this code to remove references to the project it lives in, which is presently running on US Military classified networks and systems. Yeah.

What you're seeing here is the %in hash being populated by the CGI parameters passed to the script in question. Then they're being interpolated into a large string, and that string is being passed as the arguments to RELATIVE_PATH/bin/SomeProgram (which is written in Java, but calls a perl script in turn).
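Here is the same piped open rewritten the way -T wants it, as an added example that is not from the script in the post: the program path, the argument order and the allowed character class are assumptions, and the list form of open() replaces the shell entirely.

```perl
#!/usr/bin/perl -T
# Added example, not the original script: untaint each CGI value,
# then run the program with a list-form open so /bin/sh never sees it.
use strict;
use warnings;

# Taint mode refuses to run external programs until PATH is set explicitly.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical program path; the real one is redacted as ${XXXX} in the post.
my $PROG = '/opt/example/bin/someprogram';

# Untaint one CGI value: allow only a conservative character class and
# no leading '-', so a value cannot turn into an option. The regex capture
# is what clears the taint flag; anything else is rejected outright.
sub untaint_arg {
    my ($value) = @_;
    return undef unless defined $value;
    return $1 if $value =~ /\A([\w.\/][\w.\/-]{0,63})\z/;
    return undef;
}

# Run the program with its arguments as a list. The list form of open()
# bypasses the shell, so metacharacters stay literal argument text.
sub run_command {
    my ($in) = @_;   # hashref standing in for the post's %in CGI hash
    my @args;
    for my $key (qw(Dir VAR1 VAR2 VAR3 VAR4)) {   # assumed argument order
        my $clean = untaint_arg($in->{$key});
        die "Rejected value for $key\n" unless defined $clean;
        push @args, $clean;
    }
    open(my $cmd, '-|', $PROG, @args) or die "Cannot run $PROG: $!\n";
    while (my $line = <$cmd>) {
        print $line;
    }
    close($cmd) or warn "Command exited with status $?\n";
}

# Constructed input: VAR3 is the kind of value the shell-based open
# would have executed; here it never reaches the program.
my %in = (Dir => '/tmp/data', VAR1 => 'a', VAR2 => 'b',
          VAR3 => 'c; id', VAR4 => 'd');
run_command(\%in);   # dies with "Rejected value for VAR3"
```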

I joked to a coworker, "Oh look, how cool! He wrote a web shell for the customer" (in this case the Defense Logistics Agency). It really isn't funny, though, when you think about it.
I guess we see these everywhere, as programmers. I guess it is totally impractical to expect these not to show up at each new place we work. Maybe it is just that I've been working on my own code for six months and getting back into the swing of code-for-hire is a rough transition.


So, it looks like I have a lot of work ahead of me, but that is a good thing. I'm hourly, so more work truly does == more money. Since I'll only have the opportunity to work six months of this year, more money is better.

Just one closing thought. How in the hell do these people, who write code like that, ever get hired in the first place? Why don't they just get fired the *instant* they're caught doing that?