[15786] in Perl-Users-Digest
Perl-Users Digest, Issue: 3199 Volume: 9
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Mon May 29 18:10:31 2000
Date: Mon, 29 May 2000 15:10:19 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <959638219-v9-i3199@ruby.oce.orst.edu>
Content-Type: text
Perl-Users Digest Mon, 29 May 2000 Volume: 9 Number: 3199
Today's topics:
Re: security problems in Perl code <gellyfish@gellyfish.com>
Re: seeking method to encode email addresses in web pag <godzilla@stomp.stomp.tokyo>
Re: seeking method to encode email addresses in web pag (brian d foy)
Re: seeking method to encode email addresses in web pag <Tbone@pimpdaddy.com>
Re: Summary: Simple Perl syntax question <owen.sullivan@worldzap.com>
Re: thank yon Philip,but.... <gellyfish@gellyfish.com>
Re: Waxing Philosophical - constructive ideas (Neil Kandalgaonkar)
Re: Waxing Philosophical - constructive ideas <godzilla@stomp.stomp.tokyo>
Digest Administrivia (Last modified: 16 Sep 99) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: 29 May 2000 19:03:40 +0100
From: Jonathan Stowe <gellyfish@gellyfish.com>
Subject: Re: security problems in Perl code
Message-Id: <8gubds$2e3$1@orpheus.gellyfish.com>
On Thu, 25 May 2000 18:38:26 GMT jdimov@cis.clarion.edu wrote:
> Folx,
>
> I am trying to put together an extensive list of common security
> problems in Perl scripts. More precisely, I'm looking for commonly
> used functions and other constructs that can result in compromised
> security if used improperly. I'd like to know which of those
> problems can be automatically detected by statically scanning Perl
> source code. I have compiled a short, pretty vague list of things
> that I'm aware of. I'd appreciate help in extending and refining
> this list, as well as any other comments.
>
> Common security vulnerabilities in Perl code
>
> - opening files with user specified filenames
> - failure to escape backslash when filtering CGI metacharacters:
> @insecure_data =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;
> - forking a shell, as in the following:
> - using backticks with user input:
> $output = `program $userinput`;
> - opening pipes with user input:
> open (OUTPUT,"|program $userinput");
> - system() calls with user input:
> system ("program $userinput");
> - exec() calls with user input:
> exec ("program $userinput");
> - execing insecure external programs;
> - poison NULL byte /r.f.p/ - passing \0 in user input to shell or
> other programs. Solution: $userinput=~s/\0//g;
> - not using Perl taint mode for CGI scripts
The above will prevent any of the prior constructs from being used
in an unsafe way. Please read the perlsec manpage.
/J\
--
Stealing! How could you?! Haven't you learned anything from that guy
who gives those sermons at church? Captain Whats-his-name?
--
fortune oscar homer
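As an added example (not code from either poster), the script below shows what the taint-mode advice means in practice for the constructs on the list: run under -T, data from @ARGV is tainted and would make system() die; only a regex capture untaints it, so that capture must be an allowlist; a NUL byte is rejected rather than stripped; and the external program is run with list-form system() so no shell ever parses the filename. The program path (/usr/bin/wc) and the sample filenames are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original posts. Run it as:
#   perl -T example.pl "report.txt; rm -rf /"
# (-T must be on the command line, or perl stops with "Too late for -T").
use strict;
use warnings;

# perlsec: clean %ENV before anything reaches system(), exec(), backticks
# or a piped open(); a tainted PATH or IFS is itself an "Insecure dependency".
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Command-line values are tainted under -T. If none are given, fall back
# to constructed samples; note that string literals in the program are
# NOT tainted, so only the @ARGV path exercises the taint check itself.
my @samples = @ARGV ? @ARGV : (
    "report.txt",
    "report.txt; rm -rf /",      # shell metacharacters
    "../../etc/passwd",          # directory traversal
    "report.txt\0.html",         # poison NULL byte
    "report\\.txt",              # backslash the posted s/// would pass
);

# Untainting: the only thing that lifts taint is a successful regex
# capture, so the pattern must describe what is acceptable (allowlist),
# not enumerate metacharacters to escape (blocklist). The s/// posted
# above is a blocklist that omits '\\' and is the kind of filter -T
# does not save you from, because it never untaints anything.
sub untaint_filename {
    my ($input) = @_;
    # Reject an embedded NUL outright rather than deleting it: stripping
    # turns "a\0;b" into "a;b", which may now be a different, valid name.
    return undef if index($input, "\0") >= 0;
    # One path component of word characters, '-' and '.', not starting
    # with '.', at most 64 characters. Nothing else gets through.
    return undef unless $input =~ /\A([\w-][\w.-]{0,63})\z/;
    return $1;    # $1 is untainted
}

# List-form system() passes argv straight to execve(2): no shell is
# forked, so ';', '|', '`' and friends are just bytes in a filename.
sub run_program {
    my ($clean) = @_;
    my @cmd = ('/usr/bin/wc', '-l', $clean);    # assumed program
    my $rc = system(@cmd);
    return $rc == 0;
}

for my $raw (@samples) {
    my $clean = untaint_filename($raw);
    if (!defined $clean) {
        (my $shown = $raw) =~ s/\0/\\0/g;
        print "rejected: $shown\n";
        next;
    }
    print "accepted: $clean\n";
    # The form the original post warns about. With $raw from @ARGV under
    # -T this would die with "Insecure dependency in system"; without -T
    # it would hand "report.txt; rm -rf /" to /bin/sh.
    # system("wc -l $raw");
    run_program($clean);
}
```

Two points worth keeping in mind when adapting this: the allowlist regex is the whole security boundary, so keep it as narrow as the application allows (a single filename component here, no '/'), and untainting a value does not make it safe for every use; it only says the value matches the pattern you chose. Open files from a fixed directory with an explicit mode (open my $fh, '<', "$dir/$clean") rather than the two-argument open, which would still interpret a leading '|' or '>' in the name.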
------------------------------
Date: Mon, 29 May 2000 12:52:00 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: seeking method to encode email addresses in web page forms
Message-Id: <3932CA60.687C1212@stomp.stomp.tokyo>
Elaine Ashton wrote:
(Godzilla! wrote:)
> >> year for an exceptionally busy site at
> >> 274 hits per day. In 30 years, a 15 minute
> That was such an obvious troll that even I laughed....
A review of internet statistics and Bell curved
statistical averages for stereotypical average
internet sites, show my stats to be quite right.
The topic of this thread pertains to protecting
email addresses for a small chat / board type of
circumstances. A chat / board of this type under
discussion, could not handle millions of hits per
day as you and others indicate. Your comments are
most unrealistic and most illogical.
I will ask you to stop falsely accusing me of
being a troll; that is, I am asking you to
stop trolling and harassing me.
Godzilla!
------------------------------
Date: Mon, 29 May 2000 17:08:08 -0400
From: brian@smithrenaud.com (brian d foy)
Subject: Re: seeking method to encode email addresses in web page forms
Message-Id: <brian-ya02408000R2905001708080001@news.panix.com>
In article <3932CA60.687C1212@stomp.stomp.tokyo>, "Godzilla!" <godzilla@stomp.stomp.tokyo> posted:
> Elaine Ashton wrote:
>
> (Godzilla! wrote:)
>
> > >> year for an exceptionally busy site at
> > >> 274 hits per day. In 30 years, a 15 minute
>
> > That was such an obvious troll that even I laughed....
>
> A review of internet statistics and Bell curved
> statistical averages for stereotypical average
> internet sites, show my stats to be quite right.
statistics mean nothing. it's the behaviour of the individual
site at peak capacity that counts, not the average. just ask
Toys-R-Us if their average traffic meant anything to the Federal
Trade Commission last Christmas.
however, feel free to cite the relevant resources. i contend that
you are lying, especially since you can't make proper sentences
with the buzzwords.
--
brian d foy
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>
------------------------------
Date: 29 May 2000 21:56:18 GMT
From: Intergalactic Denizen of Mystery <Tbone@pimpdaddy.com>
Subject: Re: seeking method to encode email addresses in web page forms
Message-Id: <8gup22$2d98$1@news.enteract.com>
brian@smithrenaud.com writes:
>> A review of internet statistics and Bell curved
>> statistical averages for stereotypical average
>> internet sites, show my stats to be quite right.
>
>statistics mean nothing. it's the behaviour of the individual
>site at peak capacity that counts, not the average. just ask
>Toys-R-Us if their average traffic meant anything to the Federal
>Trade Commission last Christmas.
>
>however, feel free to cite the relevant resources. i contend that
>you are lying, especially since you can't make proper sentences
>with the buzzwords.
You have posted an unnecessary follow-up to a known troll.
Longstanding Usenet trad^W^W^W the hell with it, you know how it
continues :-)
Yours for a better usenet,
------------------------------
Date: Mon, 29 May 2000 18:31:44 GMT
From: "Owen Sullivan" <owen.sullivan@worldzap.com>
Subject: Re: Summary: Simple Perl syntax question
Message-Id: <kIyY4.219$QT5.20878@news.iol.ie>
Thank you for all the replies. I used the first one's second suggestion
below, which worked perfectly.
Ala Qumsieh <aqumsieh@hyperchip.com> wrote in message
news:7ar9al4dfn.fsf@Merlin.i-did-not-set--mail-host-address--so-shoot-me...
>
> "Owen Sullivan" <owen.sullivan@worldzap.com> writes:
>
> > $Titlesub1=param("Titlesub1");
> > $Titlesub2=param("Titlesub2");
> > $Titlesub3=param("Titlesub3");
> >
> > for ($i = 1; $i < 4; $i++) {
> > print "Variable value: ${Titlesub}{$i}";
> > }
> >
> > I do not know the correct syntax to achieve printing out the values for each
> > of the 3 variables mentioned above. The above code is incorrect, the values
> > do not print out. Does anybody know the correct syntax? Thanks.
>
> You are trying to use hard references, which are frowned upon in this
> part of the computing world (unless you really know what you're
> doing). Try using an array @Titlesub instead of a bunch of variables:
>
> $Titlesub[1] = param("Titlesub1");
> $Titlesub[2] = param("Titlesub2");
> $Titlesub[3] = param("Titlesub3");
>
> or even:
>
> for my $i (1 .. 3) {
> $Titlesub[$i] = param("Titlesub$i");
> }
>
> Then you can access each of your variables using only the index:
>
> for my $i (1 .. 3) {
> print "Variable value: $Titlesub[$i].\n";
> }
>
> HTH,
> --Ala
------------------------------
Date: 29 May 2000 15:43:17 +0100
From: Jonathan Stowe <gellyfish@gellyfish.com>
Subject: Re: thank yon Philip,but....
Message-Id: <8gtvm5$r5r$1@orpheus.gellyfish.com>
On Mon, 29 May 2000 22:46:05 +0800 "´ô´ô¹Ï" wrote:
> thank you philip:
> that format is the last thing in the file, I run the file in Redhat
> 6.1+perl5.0, use perl scriptname, I put a blank line after the final '.', but
> the error message still exists. please give me more advice, thanks a lot.
You appear to have started a new thread for something that is in fact a
followup to a previous post.
Are you sure that the '.' that terminates the format is on the extreme
left hand side ?
/J\
--
There's a New Mexico?
--
fortune oscar homer
------------------------------
Date: 29 May 2000 21:09:00 GMT
From: nj_kanda@alcor.concordia.ca (Neil Kandalgaonkar)
Subject: Re: Waxing Philosophical - constructive ideas
Message-Id: <8gum9c$u7s$1@newsflash.concordia.ca>
In article <8guhm7$2628$1@news.enteract.com>,
Intergalactic Denizen of Mystery <Tbone@pimpdaddy.com> wrote:
>There are no "tangible" solutions; people need to stop responding, that's
>all.
Yes, I have been suckered by Kiralynne on more than one occasion.
She walks the line between apparent sincere cluelessness and malicious
trolling very effectively.
I apologize for the rant I posted the other day.
I've been thinking about better solutions. I like what Ilmari does,
I assume that is a special sig for c.l.p.misc :)
The problem is that people will be endlessly repeating the cycle as
long as Kiralynne hangs around here, so how about a web page explaining
the situation? Then we can just post:
This person is a known troll.
It is recommended you do not post followups, except to make
absolutely necessary factual corrections.
See http://somewhere.org/comp.lang.perl.misc-trolls/ for details.
...in front of any dispassionate correction we may have to offer. Kind of
like what Intergalactic Denizen of Mystery suggested. This should divert
any flames and anger out of band.
(Aside: is there a comp.lang.perl.misc FAQ, apart from the perl faq?
rtfm.mit.edu doesn't seem to have one.)
I'd be happy to draft a "known troll" page, submit it to the group for
revisions, and host it, if the rest of you think it's a good idea. Obviously
this list of trolls should be rather exclusive, requiring world-class
newsgroup disruption. For now, IMO, only one person qualifies.
--
Neil Kandalgaonkar
neil@brevity.org
------------------------------
Date: Mon, 29 May 2000 14:22:31 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Waxing Philosophical - constructive ideas
Message-Id: <3932DF97.1F7B0143@stomp.stomp.tokyo>
Neil Kandalgaonkar wrote:
> I've been thinking about better solutions. I like what Ilmari does,
> I assume that is a special sig for c.l.p.misc :)
> The problem is that people will be endlessly repeating the cycle as
> long as Kiralynne hangs around here, so how about a web page explaining
> the situation? Then we can just post:
> This person is a known troll.
> It is recommended you do not post followups, except to make
> absolutely necessary factual corrections.
> See http://somewhere.org/comp.lang.perl.misc-trolls/ for details.
This constitutes civil and criminal libel.
Is it truly your intent to promote and
encourage injurious crimes against my
family? Promotion of criminal activity
is a crime in itself. You have just
committed a state level crime against
my family.
I will ask you to stop trolling and harassing me.
Godzilla!
------------------------------
Date: 16 Sep 99 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 16 Sep 99)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
| NOTE: The mail to news gateway, and thus the ability to submit articles
| through this service to the newsgroup, has been removed. I do not have
| time to individually vet each article to make sure that someone isn't
| abusing the service, and I no longer have any desire to waste my time
| dealing with the campus admins when some fool complains to them about an
| article that has come through the gateway instead of complaining
| to the source.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V9 Issue 3199
**************************************