
A brief overview of the quality of a commercial CMS written in Perl

While freelancing, I occasionally end up working on sites written in Perl. Looking at the code, I understand where Perl's reputation in web development came from. But let's not start a holy war.

Yesterday I got my hands on the X1-forge engine. It should be noted that it is actively sold and very immodestly praised on the site. So what's wrong with it?



The client complained about being unable to log into the admin area. According to the client, the failure occurred after a virus was removed from the site (as it turned out later, that was just a coincidence). After studying the code, I find that the cookie issued after the login and password are entered in the admin panel is set with this parameter:

Cookie_Exp_Date = "Sat, 31-Dec-2011 12:00:00 GMT";

That is, from January 1, 2012, you can enter the admin area, but only for one request; nothing can be changed or saved. Bravo!

I go to the cgi-bin/admin/cookie.pl file to fix this mess and see:

#####################

## Site Makers X-forge (10.01) | -

## (c) " ". 2008. .

## 1998 .

## : " " | +7 (495) 544-88-61 | office@sitemakers.ru | www.sitemakers.ru

## : www.xforge.ru

#####################

## , , , , .

## " ".

## , -.

## .

#####################




It would seem that everything is as it should be, were it not for one "but": the code itself was taken from a free source (I have used it myself, which is how I recognized it) and can hardly be sold under such a copyright notice.

Well, okay, I correct the date and watch in Firebug how the cookies are set, and then I catch it: a Bug with a capital B.

After login to the admin panel, the system sets two cookies:

1. codeadm - contains the user's login (the universal admin is quite suitable)

2. loginadm - contains the text "loginadm", confirming the fact of login to the admin panel

And that's it! No more checks! And why would there be, since cookies cannot be faked and can be trusted absolutely!

Somehow it does not fit

- -. , - , .
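One way to close the gap described above, as an added example (not X-forge code and not from the original post): the admin cookie carries the login and an expiry computed from the login time, bound together by an HMAC that only the server can produce. The names issue_token, verify_token, constant_time_eq, $SECRET and $TTL are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: secret comes from config outside the web root; names are illustrative.
my $SECRET = 'constructed-demo-secret';
my $TTL    = 3600;    # lifetime in seconds, counted from login time

# Cookie value for an authenticated user: "login|expires|mac".
sub issue_token {
    my ($login, $now) = @_;
    die "bad login\n" unless $login =~ /\A[A-Za-z0-9_.-]+\z/;
    my $expires = $now + $TTL;    # relative to now, never a fixed date
    return join '|', $login, $expires, hmac_sha256_hex("$login|$expires", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the login for an authentic, unexpired token; otherwise nothing.
sub verify_token {
    my ($token, $now) = @_;
    my ($login, $expires, $mac) = split /\|/, $token // '', 3;
    return unless defined($mac)
        && $login =~ /\A[A-Za-z0-9_.-]+\z/ && $expires =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex("$login|$expires", $SECRET);
    return unless constant_time_eq($mac, $expected);
    return if $now >= $expires;
    return $login;
}

# Constructed sample cookies: one genuine, three that must be rejected.
my $now   = time;
my $token = issue_token('admin', $now);
my $mac   = (split /\|/, $token)[2];
for my $c (
    [ 'genuine token',      $token,                    $now ],
    [ 'bare login, no MAC', 'admin',                   $now ],
    [ 'edited expiry',      "admin|9999999999|$mac",   $now ],
    [ 'genuine, expired',   $token,                    $now + $TTL + 1 ],
) {
    printf "%-20s %s\n", $c->[0], defined(verify_token($c->[1], $c->[2])) ? 'accepted' : 'rejected';
}
```

Only the first sample is accepted. A server-side session store keyed by a random identifier achieves the same goal and also allows logout to revoke a session.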

But that's not all. It's the 21st century outside (and has been for more than ten years, yes), and these professionals do not use strict mode! Crap code, on the other hand, is used actively:

my $fii=0, @FIL=(), $FIS=0, $pat, $file_text="";

In general, the quality of the code suggests a team of schoolchildren. And this is a commercial product. Well, okay, they have only themselves to blame.

I caught one more thing: flat files are used as the database. That would be fine, but to call the directory holding those files a "cluster" and write that:

,

is a bit much. I would like to see how all this innovation scales to a couple of dozen machines.



The moral is this: trust, but verify.



P.S. Version 10 came into my hands. Version 11 is current.



Source: https://habr.com/ru/post/136807/


