Saturday, December 31, 2011

The Buzz

You may have heard that using Bash for web applications is an open invitation for security issues.  There is some real truth to that, but there is also much that is not understood.

In the modern era of web 2.0 the everyday programmer has it easy.  If they want to implement an email function, they import a module for it.  If they want to compress data, they import a module for that too.  Indeed, modules add a luxury to programming, making it fun and making the programmer grin from cheek to cheek, while the workload is reduced so other important tasks can be accomplished.  No more breaking the back, or neck, or whatever it is that breaks!

Modules are created for the masses.  This means modules are written so they will work in almost all situations.  At least that was the intention.  In Bash there aren't any modules.  Instead there are pipes.  Unlike modules, pipes aren't written to work for the masses.  They are not even intended to work with Bash!  They are independent applications.

Because there are no modules to exploit, any security holes that may crop up from Bash would have to be exploited through the user's own unique code.  In reality, this is never an issue.

Bash is quite unique in and of itself. It is flexible enough to be the default shell on most Linux distributions.  It is this flexibility that has actually hurt it.