cgiwrap

cgiwrap, the code that much of the internet relies on for security, is a total mess and a strong indicator that unqualified programmers should not be allowed near production code.

Here are just a few of many problems:

* The total number of unit tests included in cgiwrap is ... zero (how confident does that make you feel?). This has the depressing side-effect of making it extremely difficult to see the exact purpose of cgiwrap's functions, since unit tests make excellent use cases.
* The code is written in C and does not use the type system to differentiate between kinds of string, for example a directory path and a file path, so it is incredibly easy for the code to confuse the two concepts. For example, void ChangeToCGIDir(char *scriptPath) fails to insist that scriptPath points at a file and not a directory.
* The quality of commenting in the code is extremely low and function arguments are generally uncommented.
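
The type-system point in the second bullet, sketched as an added example (not cgiwrap's code): wrapping file and directory paths in distinct C struct types makes the compiler reject a directory, or an unchecked char *, where a script file is required. The names FilePath, DirPath, file_path_from, dir_path_from and change_to_script_dir are hypothetical, and the sample script is a constructed temp file.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical types, not cgiwrap's: distinct structs, so passing a DirPath
 * (or a raw char *) where a FilePath is expected is a compile-time error. */
typedef struct { char s[PATH_MAX]; } FilePath;
typedef struct { char s[PATH_MAX]; } DirPath;

/* Copy raw into dst only if it fits and stat() reports the wanted kind. */
static int checked_copy(char *dst, const char *raw, int want_dir) {
    struct stat st;
    if (raw == NULL || strlen(raw) >= PATH_MAX || stat(raw, &st) != 0)
        return -1;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode))
        return -1;
    strcpy(dst, raw);
    return 0;
}

int file_path_from(const char *raw, FilePath *out) { return checked_copy(out->s, raw, 0); }
int dir_path_from(const char *raw, DirPath *out) { return checked_copy(out->s, raw, 1); }

/* Typed counterpart of ChangeToCGIDir(char *scriptPath): the argument can only
 * be a validated file, and the chdir target is validated as a directory. */
int change_to_script_dir(const FilePath *script, DirPath *dir) {
    char parent[PATH_MAX];
    const char *slash = strrchr(script->s, '/');
    size_t n = slash ? (size_t)(slash - script->s) : 0;
    if (slash == NULL) strcpy(parent, ".");
    else if (n == 0) strcpy(parent, "/");
    else { memcpy(parent, script->s, n); parent[n] = '\0'; }
    if (dir_path_from(parent, dir) != 0) return -1;
    return chdir(dir->s);
}

int main(void) {
    char tmpl[] = "/tmp/demo-cgi-XXXXXX"; /* constructed sample script */
    FilePath script; DirPath dir;
    int fd = mkstemp(tmpl);
    if (fd < 0) return 1;
    close(fd);
    printf("file accepted: %d\n", file_path_from(tmpl, &script) == 0);
    printf("directory rejected: %d\n", file_path_from("/tmp", &script) != 0);
    printf("chdir ok: %d (%s)\n", change_to_script_dir(&script, &dir) == 0, dir.s);
    return unlink(tmpl);
}
```

The kind check reflects the filesystem at the moment the value is constructed; code that must hold the guarantee across a later open should fstat() the opened descriptor instead.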

This code needs a complete overhaul. For a product that is so ubiquitous and so important, the quality is depressingly low.