[11075] in Perl-Users-Digest
Perl-Users Digest, Issue: 4675 Volume: 8
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Sun Jan 17 20:04:39 1999
Date: Sun, 17 Jan 99 17:00:22 -0800
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Sun, 17 Jan 1999 Volume: 8 Number: 4675
Today's topics:
Re: == and = , again (Bart Lateur)
Re: == and = , again (Fluffy)
[Q] cgi ? <factory@factory.co.kr>
Re: A plea for less goofy signature files! (Bart Lateur)
Re: Can I pass # char thru script? <damian@infoxchange.net.au>
Re: Comments on my new site, please! <info@kn1.com>
custom counter question (sorry if duplicated) <ijp@thornlea.force9.co.uk>
Re: custom counter question (sorry if duplicated) <staffan@ngb.se>
Formatting Numbers in Perl? kwlii 1 <kwlii@worldnet.att.net>
Help please!!! Automatic running of scripts <support@mekagames.com>
Re: HELP: Netscape 4.5 doesn't like text/html header fr <bigos@cs.sbu.edu>
Re: HELP: Netscape 4.5 doesn't like text/html header fr (I R A Aggie)
I have got a Perl problem <NO_SPAM_PLEASE_ilya@napavlly.rose.hp.com>
Re: I have got a Perl problem (Ronald J Kimball)
Re: Newbie problem, HTTP_REFERER, setting cookies <eugene@snailgem.org>
Number found where operator expected (Newbie) lisawagner72@my-dejanews.com
Re: Number found where operator expected (Newbie) <staffan@ngb.se>
Re: Perl and the Windows April Fools 2001 bug <Russell_Schulz@locutus.ofB.ORG>
Re: Perl Criticism tiptopmind@my-dejanews.com
Re: Perl Programer Wanted (Rich)
Re: Perl, Netscape and Internet Explorer...:( <mickeyt@hcranches.com>
Re: reading from IO::Socket (Fluffy)
Re: Secuity hole with perl (suidperl) and nosuid mounts <rasmusin@paramount.ind>
Re: Secuity hole with perl (suidperl) and nosuid mounts (Ilya Zakharevich)
URI:: and converting text to url-encoded <spam@dikkelul.com>
Warnings vs Errors [Was: A plea for less goofy signatur <new_email@see.web.page>
Special: Digest Administrivia (Last modified: 12 Dec 98 (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Sun, 17 Jan 1999 21:19:39 GMT
From: bart.lateur@skynet.be (Bart Lateur)
Subject: Re: == and = , again
Message-Id: <36a85295.3160384@news.skynet.be>
Jim and Paula wrote:
>I know they hate to expand reserved words, but it would be nice to
>have "equals" for = , and "becomes" for ==
It would be nicer still, if those were reversed.
Bart.
------------------------------
Date: 17 Jan 1999 21:53:39 GMT
From: meowing@banet.net (Fluffy)
Subject: Re: == and = , again
Message-Id: <slrn7a4mul.8dd.meowing@meowhost.meow.invalid>
Jim and Paula <gemhound@gemhound.com> wrote:
> Or something else. Anything but = and == which just seem to get
> mistyped all the time.
If you really, really want that, you could use the -P switch to drop in
some macros.
    #define assign(a,b) b = a
    #define define(a,b) a = b
    #define becomes =
    #define equals ==
--
"Meow." --me
------------------------------
Date: Sat, 16 Jan 1999 12:22:27 +0900
From: "Yeong Mo/Director Hana co." <factory@factory.co.kr>
Subject: [Q] cgi ?
Message-Id: <77tpj6$e0f$20@news.kornet.nm.kr>
[Q]multiple selection option on cgi script.
* Under unix server.
* This cgi is for free homepage building script for my site visitors who
want to build their homepage in my site.
* I am modifying ezhomepg.pl found at manny juan's script page.
"inet-images.com/manny/"
Question A>
1. I put following selectoption in 000.pl
print "Want to save my html file under directory name <select multiple
name=\"category\"><option> D_1 <option> D_2 <option> D_3</select>\n";
2. When 000.pl file run by pre.html, I see this select option on 000.pl at
the browser,(done by myself)
3. [Question point]= The selected option value should be printed at
output.html.
ex) Want to save my html file under directory name "D_2".........
However it does not. How can I modify the 000.pl ?
#!/usr/local/bin/perl
print "Content-type:text/html\n\n";
??????????
print "</html>";
exit;
Question B> One more, If you know, please answer me this question also.
5. This output.html file made and saved on my server as different file name
according to each visitor.
ex) If the visitor's name is "abc", the output.html file name is "abc.html".
(done)
However, output.html file <(ex)abc.html> is saved in only one directory.
6. [Question point]= Is there a solution that the output.html <(ex)abc.html>
will be saved at the directory <(ex), D_2> which visitor selected ?
Thank you for your help.
------------------------------
Date: Sun, 17 Jan 1999 21:19:37 GMT
From: bart.lateur@skynet.be (Bart Lateur)
Subject: Re: A plea for less goofy signature files!
Message-Id: <36a75170.2867085@news.skynet.be>
Snowhare wrote:
>Have you ever tried *running* one of those signatures (hint1)?
>my $name=join('',reverse(split(//,'Benjamin "Snowhare" Franz')));
>$_='024e046b794c446f25423a6375477d6c14450a39447a07637e';
>s/(..)/push(@ARGV,hex($1))/eg;while($_=chop $name){
>$_=ord^shift;$_+=$a;$_%=108;print chr(($a=$_)+10)}
Use of uninitialized value at test.pl line 4.
Bart.
------------------------------
Date: Mon, 18 Jan 1999 11:30:00 +1100
From: "Damian" <damian@infoxchange.net.au>
Subject: Re: Can I pass # char thru script?
Message-Id: <916619369.388260@atlas.onthe.net.au>
>I have setup a script for password protection of a page at my site.
>all works well except links with # character. ie /file.htm#toc
>The script parses a .db file to access protected pages listed there.
>I have tried to use the ASCII hex equivalent as in:
>/file.htm%23toc
>No luck
>What would yall recommend?
>
From what I understand, you have a .db file to store the file names
of the html files needing protection?
If so, just s/#.*//; ... turning /file.htm#toc into /file.htm ... which
would be listed in the .db file.
I hope I'm not too far off the mark. :)
You could look into .htaccess for password protecting documents,
it's part of the Apache web server.
------------------------------
Date: Sun, 17 Jan 1999 21:51:59 +0100
From: "newO" <info@kn1.com>
Subject: Re: Comments on my new site, please!
Message-Id: <36a25044.0@news.ecore.net>
Very nice try.
Owen
<fw13@my-dejanews.com> wrote in message
news:77tg0j$1sh$1@nnrp1.dejanews.com...
>I am a novice in website construction. And we appreciate comment on our
>site at http://disc.server.com/Indices/41259.html
>
>Thank you very much.
>
>
>
>
>-----------== Posted via Deja News, The Discussion Network ==----------
>http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
Date: Sun, 17 Jan 1999 23:33:38 -0000
From: "Ian" <ijp@thornlea.force9.co.uk>
Subject: custom counter question (sorry if duplicated)
Message-Id: <Asuo2.7004$dh1.1531@wards>
(sorry if this was duplicated, i was having a LOT of trouble with my news
reader)
I was involved with the development of a site that is hosted on a
btwebworld server. The access logs they provide do not really include the
information they want. The site has to remain on bt webworld for the
customer's political reasons, I was wondering if the following would be
possible:
we would like to have a cgi script (that will have to be hosted on a
different server as the bt server does not permit cgi access) that can be
accessed from the remote server and would print the date/time, browser
type and referring page to a text file. It was suggested to me that this
could be done by creating a script that returns a small image, and
setting it up in the html document as <IMG
SRC="http://remote.server/my.script">.
Can someone please tell me if this is feasible or not, and if not, do
you have any other ideas?
------------------------------
Date: Mon, 18 Jan 1999 01:00:42 +0100
From: Staffan Liljas <staffan@ngb.se>
Subject: Re: custom counter question (sorry if duplicated)
Message-Id: <36A279AA.A3417037@ngb.se>
Hi!
> we would like to have a cgi script (that will have to be hosted on a
> different server as the bt server does not permit cgi access) that can
> be accessed from the remote server and would print the date/time,
> browser type and referring page to a text file. It was suggested to me
> that this could be done by creating a script that returns a small
> image, and setting it up in the html document as <IMG
> SRC="http://remote.server/my.script">.
Yes, this is pretty straightforward, if you have write permissions on
the remote server. The following 10 lines should do it.
    #!/usr/local/perl
    open( IMG, "myimage.gif" );
    $/ = undef;
    my $img = <IMG>;
    close IMG;
    open ( LOG, ">>mylog" );
    # your logging routine
    close LOG;
    print "Content-Type: image/gif\n\n";
    print $img;
------------------------------
Date: 17 Jan 1999 22:23:41 GMT
From: "Kenneth LaRue" <kwlii@worldnet.att.net>
Subject: Formatting Numbers in Perl? kwlii 1
Message-Id: <77tntd$b1f@bgtnsc03.worldnet.att.net>
Thanks for everyone's help. For some reason I could not get the file to
work, it was corrupted. Besides, after what I read there, I need to know
more about loading perl extensions. So, to get around my problem
I worked with another developer to create a little routine ourselves.
It is as simple as interjecting a ',' between numbers.
kwlii@bigfoot.com
------------------------------
Date: 18 Jan 1999 00:54:27 GMT
From: "MekaGames Staff" <support@mekagames.com>
Subject: Help please!!! Automatic running of scripts
Message-Id: <01be427c$eb0e1860$6d8aaccf@default>
Hello,
I am a perl programmer and I would like to know how to set up a server to
run a script periodically. For example, I want the server to run a script
which deletes the contents of a temp. file every 24 hours. How can I do
this? Any help would be VERY appreciated.
- Kaveh Pahlevan
------------------------------
Date: Sun, 17 Jan 1999 16:12:52 -0500
From: "Michael J. Bigos" <bigos@cs.sbu.edu>
Subject: Re: HELP: Netscape 4.5 doesn't like text/html header from Perl script
Message-Id: <36A25254.FDE04BC8@cs.sbu.edu>
Can you email me the full text of the perl script so I can check it out?
And did you properly upload the script under the cgi-bin folder so that
the web server could run it?
Michael Bigos
bigos@geocities.com
------------------------------
Date: Sun, 17 Jan 1999 19:49:28 -0500
From: fl_aggie@thepentagon.com (I R A Aggie)
Subject: Re: HELP: Netscape 4.5 doesn't like text/html header from Perl script
Message-Id: <fl_aggie-1701991949290001@aggie.coaps.fsu.edu>
In article <77t6r8$qgo$1@nnrp1.dejanews.com>, cndawes@my-dejanews.com wrote:
+ I have written a perl script, which outputs some HTML. It does this very
+ nicely with IE4, however, when I use Netscape 4.5 it is as though it is
+ completely ignoring the "Content-type: text/html\n\n" which I am sending it,
+ as it prints the source to the screen, HTML tags and all.
And your perl question is? You may want to try asking your question in
comp.infosystems.www.authoring.cgi or comp.infosystems.www.authoring.misc.
You'll probably get more, better answers.
James
------------------------------
Date: 17 Jan 1999 22:57:11 GMT
From: Ilya <NO_SPAM_PLEASE_ilya@napavlly.rose.hp.com>
Subject: I have got a Perl problem
Message-Id: <77tps7$oc8$1@ocean.cup.hp.com>
I am getting the following errors in my Perl scripts. I would like to know
what I can do to fix these errors. I don't have that many lines in the
files.
Thanks.
I get this error message with Perl 5.004, but not 5.003. The platform is
HP-UX 10.20 and 9.*.
Value of <HANDLE> construct can be "0"; test with defined() at probe_components.pl line 65535.
Value of <HANDLE> construct can be "0"; test with defined() at swlist_process.pl line 65535.
Value of <HANDLE> construct can be "0"; test with defined() at swlist_process.pl line 65535.
Value of <HANDLE> construct can be "0"; test with defined() at swlist_process_bundle.pl line 65535.
Value of <HANDLE> construct can be "0"; test with defined() at swlist_process_bundle.pl line 65535.
------------------------------
Date: Sun, 17 Jan 1999 19:37:50 -0500
From: rjk@linguist.dartmouth.edu (Ronald J Kimball)
Subject: Re: I have got a Perl problem
Message-Id: <1dlsjax.ki4vk41x8onb4N@bay2-322.quincy.ziplink.net>
[newsgroups edited to just comp.lang.perl.misc - no Unix content]
Ilya <NO_SPAM_PLEASE_ilya@napavlly.rose.hp.com> wrote:
> I am getting the following errors in my Perl scripts.
> I would like to know what I can do to fix these errors.
It tells you what you can do.
> Value of <HANDLE> construct can be "0"; test with defined() at
                                          ^^^^^^^^^^^^^^^^^^^
> probe_components.pl line 65535.
Specifically, instead of:
    while ($line = <FH>) {
for example, you would want to write:
    while (defined($line = <FH>)) {
--
_ / ' _ / - aka - rjk@linguist.dartmouth.edu
( /)//)//)(//)/( Ronald J Kimball chipmunk@m-net.arbornet.org
/ http://www.ziplink.net/~rjk/
"It's funny 'cause it's true ... and vice versa."
------------------------------
Date: Sun, 17 Jan 1999 19:09:28 -0500
From: Eugene Sotirescu <eugene@snailgem.org>
Subject: Re: Newbie problem, HTTP_REFERER, setting cookies
Message-Id: <36A27BB8.B24B6D13@snailgem.org>
KC Hunt wrote:
>
> Your problem might be in the way you are saving the variable $trailer.
> Specifically, you're putting a semi-colon IN the string you're saving. I don't
> think you can do that. Instead of making one big string, make several
> variables which make up the parts of the cookie and save that. Example:
>
> $x = "path=/";
> $y = "domain=.{our domain}";
>
> But this line <$trailer = "; path=/; domain=.{our domain}";> is just wrong.
> How is Perl supposed to know where the line ends?? You've got three
> semi-colons in there!!!
>
While the line probably doesn't do what its author thinks it does, it
is perfectly legal Perl code. It sets $trailer to:
; path=/; domain=.{our domain}
--
Eugene
"I have an Apache Web Server that uses CGI forms written in COBOL."
Post in clpm
------------------------------
Date: Sun, 17 Jan 1999 22:50:25 GMT
From: lisawagner72@my-dejanews.com
Subject: Number found where operator expected (Newbie)
Message-Id: <77tpff$9gu$1@nnrp1.dejanews.com>
I realize I am a complete idiot for not knowing what this error message means
but can someone please tell me anyway?
Number found where operator expected at [script name & path] line 122, near
"$check_referer = "0"
(Might be a runaway multi-line "" string starting on line 68)
(Missing operator before 0?)
syntax error at [script name & path] line 122, near "$check_referer = "0"
String found where operator expected at [script name & path] line 151, near
"&error(""
(Might be a runaway multi-line "" string starting on line 122)
(Missing semicolon on previous line?)
Execution of [script name & path] aborted due to compilation errors.
I am *attempting* to install Formhandler.cgi from the CGI Cookbook onto an NT
webserver.
Thank you very much!
Lisa Wagner
Oregon
------------------------------
Date: Mon, 18 Jan 1999 00:49:45 +0100
From: Staffan Liljas <staffan@ngb.se>
Subject: Re: Number found where operator expected (Newbie)
Message-Id: <36A27719.112FE150@ngb.se>
Hi!
> I realize I am a complete idiot for not knowing what this error
> message means but can someone please tell me anyway?
No, you're not, but I'd better reply before someone writes something
mean...
> Number found where operator expected at [script name & path] line 122,
> near "$check_referer = "0"
You should have posted a little bit of your code, but from where I'm
sitting, it looks like we will have to take perl's advice that the error
is on line 68. This means that you've put a double quote somewhere on
this line without an ending double quote. Something like this:
    $somevar = "somevalue;
which makes perl interpret everything until the next " as a double
quoted string. This means
    $somevar = "somevalue;       #line 68
    .
    .    # a LOT of code interpreted as a double quoted string.
    .
    $check_referer = "0";        #line 122
                     ^
                     perl considers this as the end of the double quote
                     beginning much above, and doesn't know what to do
                     with the zero after the quote. It is as if you'd
                     written
                         $somevar = "something"0;
                     which doesn't make sense. Check line 68!
Staffan
------------------------------
Date: Sat, 16 Jan 1999 16:50:51 -0500
From: Russell Schulz <Russell_Schulz@locutus.ofB.ORG>
Subject: Re: Perl and the Windows April Fools 2001 bug
Message-Id: <19990116.165051.3r4.rnr.w164w@locutus.ofB.ORG>
"Richard M. Smith" <smiths@tiac.net> writes:
> My question, will Win32 Perl programs also fail on April 1, 2001
> because the Windows Perl interpreter uses the broken Visual C++
> localtime() function? I was hoping that someone could write
> a quick test in Perl for this bug and post the results.
even better: add it into the test suite, along with one to make sure
the year returned in 11 months is 3 digits (not 2).
--
Russell_Schulz@locutus.ofB.ORG Shad 86c
------------------------------
Date: Sun, 17 Jan 1999 22:22:13 GMT
From: tiptopmind@my-dejanews.com
Subject: Re: Perl Criticism
Message-Id: <77tnqe$85f$1@nnrp1.dejanews.com>
In article <77terh$um$1@nnrp1.dejanews.com>,
topmind@technologist.com wrote:
> Reply to: tiptopmind@my-dejanews.com
>
> Tippy,
>
> I can't believe you went through the trouble of
> obtaining a copycat alias just to slander me.
>
Wow, you really are paranoid aren't you Bryce. Let's review. I posted that
your real name is Bryce Jacobs. Ok, that is true. I posted that you have a
web site devoted to Howard Stern. Ok, that is true too. I said that your
wife nags you about the size of your stomach. Ok, I took that off your web
site. I posted that you had a UFO site. Ok, that is true. In fact
everything I posted I took off your web sites so if anyone is slandering you,
it must be you.
On the other hand you accused me of stealing people's credit card numbers.
Being social defective, anti-social. Hmm, interesting behavior.
> It must be that I am reaching celebrity
> status in this group
Now let's think about this for a minute. You use the newsgroup equivalent of
screaming to call people names while hiding behind an alias. You post a long
series of messages in which you advocate an obscure, generally deprecated
position, and then respond to the thoughtful posts of others in as
provocative a manner as possible; apparently never really interested in the
content. This behavior is generally consistent with that of an insecure
individual that doesn't feel important or valued in their real world,
necessitating the creation of an alter ego that is a wise important person.
Such a person often views continued interaction as validation of their
importance regardless of the content. Of course this may not be true of you.
I have no way of knowing. The invocation of celebrity status in your post
does not bode well however.
Well, that concludes my part of this interaction. Good luck with the rest of
your life Bryce. I hope all your fondest wishes come true.
Tippy
------------------------------
Date: Sun, 17 Jan 1999 21:07:53 GMT
From: richm@ucesucks.rochester.rr.com (Rich)
Subject: Re: Perl Programer Wanted
Message-Id: <slrn7a4kfo.r3e.richm@ll.aa2ys.ampr.org>
On Sun, 17 Jan 1999 18:21:01 GMT, airplanes@altavista.net <airplanes@altavista.net> wrote:
>Hello,
> I need somebody to edit perl scripts to allow multiple users. The purpose
>is to allow me offer remotely hosted scripts. The process should be automated
>and have an admin control panel. For more details, please send questions to
>David. Experience is required and the contract will be given to the person
        ===================================================================
>offering the most value.
=========================
Does this mean that the developer who produces extremely high quality
code at a high cost will lose out to the mediocre developer who
produces code that "works", at a ( theoretically ) low cost?
One thing that I've learned after developing software over the
past 15 years is that you really *do* get what you pay for, in most
cases.
- Rich
--
Rich Mulvey
http://mulvey.dyndns.com
Amateur Radio: aa2ys@wb2wxq.#wny.ny.usa
------------------------------
Date: Sun, 17 Jan 1999 15:10:05 -0700
From: Mickey Todd <mickeyt@hcranches.com>
Subject: Re: Perl, Netscape and Internet Explorer...:(
Message-Id: <36a25fea.0@news3.ibm.net>
I have a similar problem. I'm not running a server from my windows 95
workstation, but just trying to 'test' my perl scripts (dynamic HTML creation)
from my workstation before uploading them to my web site.
Have Perl.exe installed at E:\Perl\bin\perl.exe and the first line of my script
is #!E:\Perl\bin\perl.exe. From a DOS window the script executes fine, if I
upload the script to my web site both Netscape and Explorer execute the script
fine. But if I try to 'Open' the file into either browser they BOTH want to
'download' the file. Netscape identifies it as an 'application/perl-x' but
Explorer indicates an 'Unkown file type.'
I was thinking it was a 'file type' or a Registry issue, but then why will it
execute properly from my web site? Anyone able to help me out here??
Thanks in advance,
Mickey :-)
Tojo wrote:
> Hi,
>
> I have a HTML Form page where, I have put some text fields , radio buttons
> and all. And there is a Submit button, which will execute a Perl script and
> will send a mail to me. This page is working fine Internet Explorer3.0 to
> IE5.0.
>
> But when I use Netscape, instead of executing the Perl script, it tries to
> download
> (
>
> I am using Microsoft Peer Web Server on my machine.
>
> Someone Please help me......
>
> Tojo.
>
> mailto:tojo.punnoose@blr.sni.de
------------------------------
Date: 17 Jan 1999 22:21:00 GMT
From: meowing@banet.net (Fluffy)
Subject: Re: reading from IO::Socket
Message-Id: <slrn7a4oi1.8dd.meowing@meowhost.meow.invalid>
Michael J. Bigos <bigos@cs.sbu.edu> wrote:
> There may have been similar postings to this, but the group is rather
> unwieldy. I am able to open and read a line from a socket using
>
> $line = <$sockethandle>;
>
> when only one line is returned. But if I try to account for a possible
> multiline return, as when retrieving mail from a POP server, any read of
> a second-line on commands that only return one line fails.
This is normal. If you're going to use blocking I/O, you have to plan
your reads ahead of time. That means you have to decide if there is
more data to read *before* trying to read more lines.
If you're not sure when to expect single-line or multiline responses,
you'd do well to pick up a copy of the appropriate standard for the
protocol you're trying to implement. It's all well defined to prevent
exactly this kind of problem.
> Is this
> because the value of $sockethandle changes as data is read from the
> socket, or because the "end of data returned from socket" character is
> not being read correctly?
No, it's because there isn't really such a thing as end-of-file on a
stream. Sockets aren't files. That sounds obvious, but the
distinction can be easy to miss since both can be read and written to
with the same commands.
Have you considered using the Net::POP3 module?
--
"Meow." --me
------------------------------
Date: 17 Jan 1999 16:34:39 -0500
From: Frank Sweetser <rasmusin@paramount.ind>
Subject: Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux
Message-Id: <873e59k2hc.fsf@paramount.ind>
ilya@math.ohio-state.edu (Ilya Zakharevich) writes:
> Somehow I'm lost on this description (I have seen Linux several times,
> but have no idea how perms in a removable media can work).
>
> Did I understand it correct: you chown/set-suid script.pl while it is
> in your laptop, insert it in a server floppy, and run user-level perl
> on it and it bombs? How so?
right. you see, on machine machines, there's an entry in /etc/fstab
allowing any user to mount the local cdrom or floppy drive. by default, the
user option also implies nosuid, which means that the setuid bit on any
exe's on that mount will be ignored.
the problem here is with the way that perl handles setuid perl scripts.
linux, like some other unices, simply ignores the setuid bit on scripts
outright, due to a race condition in the way they're handled. so, when
perl is invoked on a script, among other things, it checks for the setuid
bit. if the bit is present, then the regular perl interpreter re-invokes
the script under a separate setuid perl interpreter (typically named
suidperl). the script then runs as a regular setuid program.
so, user A mounts a floppy in his own machine, and writes a malicious
setuid perl script on it. he then goes and mounts it as an unprivileged
user on the target machine, and runs the malicious program. the kernel
sees it's mounted nosuid, and so ignores it. however, then perl comes
along, sees the setuid bit, and, not knowing that it should be ignored,
happily invokes suidperl. since suidperl is on a partition not mounted
nosuid, it gets root privs, hence the script runs with root privs - boom,
malicious script has a field day.
--
Frank Sweetser rasmusin at wpi.edu fsweetser at blee.net | PGP key available
paramount.ind.wpi.edu RedHat 5.2 kernel 2.2.0pre5ac1 i586 | at public servers
checking for mass_quantities_of_bass_ale in -lFridge... no
checking for mass_quantities_of_any_ale in -lFridge... no
Warning: No ales were found in your refridgerator.
We highly suggest that you rectify this situation immediately.
-- from configure script of enlightenment 0.14
------------------------------
Date: 18 Jan 1999 00:03:33 GMT
From: ilya@math.ohio-state.edu (Ilya Zakharevich)
Subject: Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux
Message-Id: <77ttol$plj$1@mathserv.mps.ohio-state.edu>
[A complimentary Cc of this posting was sent to Frank Sweetser
<rasmusin@paramount.ind>],
who wrote in article <873e59k2hc.fsf@paramount.ind>:
> > Somehow I'm lost on this description (I have seen Linux several times,
> > but have no idea how perms in a removable media can work).
> >
> > Did I understand it correct: you chown/set-suid script.pl while it is
> > in your laptop, insert it in a server floppy, and run user-level perl
> > on it and it bombs? How so?
>
> right. you see, on machine machines, there's an entry in /etc/fstab
> allowing any user to mount the local cdrom or floppy drive. by default, the
> user option also implies nosuid, which means that the setuid bit on any
> exe's on that mount will be ignored.
>
> the problem here is with the way that perl handles setuid perl scripts.
> linux, like some other unices, simply ignores the setuid bit on scripts
> outright, due to a race condition in the way they're handled. so, when
> perl is invoked on a script, among other things, it checks for the setuid
> bit. if the bit is present, then the regular perl interpreter re-invokes
> the script under a separate setuid perl interpreter (typically named
> suidperl). the script then runs as a regular setuid program.
But my understanding is that this will happen only on very old
systems which do not have secure suid scripts. How did suidperl
appear on a contemporary clone of Unix?
Ilya
------------------------------
Date: Sun, 17 Jan 1999 23:42:10 +0100
From: "Willem" <spam@dikkelul.com>
Subject: URI:: and converting text to url-encoded
Message-Id: <77tp6h$dje$1@dinkel.civ.utwente.nl>
How do I use the URI module to convert text to url-encoded? (eg %20 for
spaces)
(Or) How do I use the CGI module to accomplish this?
Thanks in advance
------------------------------
Date: 17 Jan 1999 13:52:25 PST
From: "Phlip" <new_email@see.web.page>
Subject: Warnings vs Errors [Was: A plea for less goofy signature files!]
Message-Id: <77tm2p$m5n@journal.concentric.net>
Bart Lateur wrote:
>Snowhare wrote:
>
>>Have you ever tried *running* one of those signatures (hint1)?
>
>>my $name=join('',reverse(split(//,'Benjamin "Snowhare" Franz')));
>>$_='024e046b794c446f25423a6375477d6c14450a39447a07637e';
>>s/(..)/push(@ARGV,hex($1))/eg;while($_=chop $name){
>>$_=ord^shift;$_+=$a;$_%=108;print chr(($a=$_)+10)}
>
>Use of uninitialized value at test.pl line 4.
That's "just" a warning! Run it without -w and you get a common Perl
sig file slogan.
-- Phlip at politizen dot com (address munged)
======= http://users.deltanet.com/~tegan/home.html =======
-- The first few lines of code must "hook" the computer,
and make it "care" about the program. --
------------------------------
Date: 12 Dec 98 21:33:47 GMT (Last modified)
From: Perl-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Special: Digest Administrivia (Last modified: 12 Dec 98)
Message-Id: <null>
Administrivia:
Well, after 6 months, here's the answer to the quiz: what do we do about
comp.lang.perl.moderated. Answer: nothing.
]From: Russ Allbery <rra@stanford.edu>
]Date: 21 Sep 1998 19:53:43 -0700
]Subject: comp.lang.perl.moderated available via e-mail
]
]It is possible to subscribe to comp.lang.perl.moderated as a mailing list.
]To do so, send mail to majordomo@eyrie.org with "subscribe clpm" in the
]body. Majordomo will then send you instructions on how to confirm your
]subscription. This is provided as a general service for those people who
]cannot receive the newsgroup for whatever reason or who just prefer to
]receive messages via e-mail.
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.misc (and this Digest), send your
article to perl-users@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
The Meta-FAQ, an article containing information about the FAQ, is
available by requesting "send perl-users meta-faq". The real FAQ, as it
appeared last in the newsgroup, can be retrieved with the request "send
perl-users FAQ". Due to their sizes, neither the Meta-FAQ nor the FAQ
are included in the digest.
The "mini-FAQ", which is an updated version of the Meta-FAQ, is
available by requesting "send perl-users mini-faq". It appears twice
weekly in the group, but is not distributed in the digest.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V8 Issue 4675
**************************************