March 29, 2012

the bash way is faster, but only with bash

Some bashisms look like mere syntactic sugar at first sight, such as the += concatenation syntax. Usually they turn out to be faster than their more portable counterparts, but only when run under bash itself.

Take the following script as an example:
#!/bin/sh
# script1-portable.sh
part="$(seq 1 100000)"

for i in $(seq 1 10); do
    seq="${part}"
    seq="${seq}${part}"
done

$ time bash script1-portable.sh
user    0m20.837s

Now, compare to the following script that uses += :
#!/bin/sh
# script1-bash.sh
part="$(seq 1 100000)"

for i in $(seq 1 10); do
    seq="${part}"
    seq+="${part}"
done

$ time bash script1-bash.sh
user    0m14.227s

Yes, it's faster. However, when the first script is run with dash:
$ time dash script1-portable.sh
user    0m0.609s

[[ is another example:
#!/bin/sh
# script2-portable.sh
a="$(seq 1 100000)"; b="$(seq 1 100)"

for i in $(seq 1 10); do
    [ "$a" = "$b" ]
done

$ time bash script2-portable.sh
user    0m9.148s

And the version using the bashism:
#!/bin/sh
# script2-bash.sh
a="$(seq 1 100000)"; b="$(seq 1 100)"

for i in $(seq 1 10); do
    [[ $a = $b ]]
done

$ time bash script2-bash.sh
user    0m4.223s

Again, the bash way is faster, yet it doesn't compare to dash:
$ time dash script2-portable.sh
user    0m0.588s
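Speed is not the only thing that changes when `[ "$a" = "$b" ]` is swapped for `[[ $a = $b ]]`: inside `[[ ]]`, an unquoted right-hand side of = is a glob pattern rather than a literal string, so the two tests can disagree on inputs that contain pattern characters. The script below is an added example, not code from the original post. It runs the portable test and the bashism side by side on such an input; the bashism is executed in a bash child process so the file itself stays POSIX sh, which assumes bash is available in $PATH. The function names portable_eq, bash_eq, bash_eq_quoted and matching_tests are mine.

```sh
#!/bin/sh
# Added example (not part of the original post): the portable test from
# script2-portable.sh next to the [[ ]] bashism from script2-bash.sh, on
# inputs chosen to expose the pattern-matching semantics of [[ ]].
# Assumes bash is installed and found in $PATH.

# Portable comparison: both operands quoted, so "1*" is just two characters.
portable_eq() {
    [ "$1" = "$2" ]
}

# The bashism exactly as written in script2-bash.sh: unquoted operands.
# bash treats the right-hand side as a glob pattern, so "1*" matches any
# string that starts with "1".
bash_eq() {
    bash -c '[[ $1 = $2 ]]' _ "$1" "$2"
}

# Same test with the right-hand side quoted: bash then compares literally.
bash_eq_quoted() {
    bash -c '[[ $1 = "$2" ]]' _ "$1" "$2"
}

# Runs all three tests on the pair of arguments and prints, space separated,
# the names of the tests that reported a match.
matching_tests() {
    matched=""
    for f in portable_eq bash_eq bash_eq_quoted; do
        if "$f" "$1" "$2"; then
            matched="${matched}${matched:+ }${f}"
        fi
    done
    printf '%s\n' "$matched"
}

# Demo on the same kind of input the post uses (a numeric sequence),
# compared against itself and against a glob pattern.
value="$(seq 1 100)"
echo "literal:  $(matching_tests "$value" "$value")"
echo "pattern:  $(matching_tests "$value" "1*")"
```

On the literal comparison all three tests agree; on the pattern only bash_eq matches, which is the unquoted `[[ $a = $b ]]` form used in script2-bash.sh. When the faster test is adopted in a bash-only script, quoting the right-hand side keeps the comparison a string comparison.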

tainted foolishness

You enable tainting checks, you hack some code to untaint the input, you run the code and no error message appears: you succeeded.

Did you?

No, of course you didn't: not triggering any tainted-data warning (or error) doesn't guarantee that your code is "safe". It doesn't mean you can take untrusted input and handle it correctly. It doesn't mean there are no arbitrary code execution vulnerabilities, no XSS vulns, no SQL injections, you name it.

What does it mean, then? That is left as an exercise for the reader.

I have a blog, again

I'm back with a blog.

After being inactive for a while on my previous blog, hosted at my.opera.com, they apparently nuked my account. Blog, pictures, and other files, all gone; no prior notification. I'm rather sad at such a lack of courtesy.
Even when some months ago a friend asked me about my blog (by saying something along the lines of it being unavailable), it never occurred to me that it had been cancelled. It wasn't until I tried to post about something the other day that I noticed it was gone, for real.

There doesn't even appear to be a way to recover the account.

Anyway, time for a fresh start (sort of). This time at blogger. Hello blogosphere, hello world.