[16128] in Perl-Users-Digest
Perl-Users Digest, Issue: 3540 Volume: 9
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Sun Jul 2 18:15:32 2000
Date: Sun, 2 Jul 2000 15:15:21 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <962576120-v9-i3540@ruby.oce.orst.edu>
Content-Type: text
Perl-Users Digest Sun, 2 Jul 2000 Volume: 9 Number: 3540
Today's topics:
Re: Welcome to.... (Randal L. Schwartz)
Re: Welcome to.... <Magic@mattnet.freeserve.co.uk>
Re: Welcome to.... <Magic@mattnet.freeserve.co.uk>
Re: Welcome to.... <gellyfish@gellyfish.com>
Re: Welcome to.... <tony_curtis32@yahoo.com>
Re: Welcome to.... (brian d foy)
Re: Welcome to.... (Tad McClellan)
Re: Welcome to.... (Bart Lateur)
Re: Welcome to.... <care227@attglobal.net>
Re: Welcome to.... <care227@attglobal.net>
Re: Welcome to.... <Magic@mattnet.freeserve.co.uk>
Re: Welcome to.... <billy@erc.msstate.edu>
YES it's dangerous! (was Re: Is this code dangerous? ev (Randal L. Schwartz)
Digest Administrivia (Last modified: 16 Sep 99) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: 02 Jul 2000 11:26:42 -0700
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: Re: Welcome to....
Message-Id: <m1sntscrrx.fsf@halfdome.holdit.com>
>>>>> "Magic" == Magic <Magic@mattnet.freeserve.co.uk> writes:
Magic> If you're using Perl the word "Security" is synonymous with the
Magic> words "Practical Joke".
Not at all. Most of the security problems are with naive Perl users
copying known bad code they got from friends or untrustworthy sources.
Perl is actually more secure than most other languages thanks to the
automatic memory management (no stack smashing) and the unique "taint"
mode.
But you gotta spend at least 15 minutes skimming "perldoc perlsec".
Most people that post code don't even get that far, and it's giving
the rest of us a bad name.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
------------------------------
Date: Sun, 02 Jul 2000 19:30:50 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: Welcome to....
Message-Id: <en0vlsct0vuuvdvc06sabj6h030j0ij97u@4ax.com>
On Sun, 2 Jul 2000 10:11:29 -0400, tadmc@metronet.com (Tad McClellan)
wrote:
> Feel free to go away if you do not like it here.
I fully intend to. If wankers like you are an indication of the type
of people who hang around here then I have far better things to do.
> You are confusing the programming language with the application.
Am I? Just use your fucking brain for a minute ok. I've come here with
a question that I *thought* would have a simple answer. I know JACK
SHIT about Perl and wanted to learn. What a fucking waste of time that
was, with arseholes like you around I can see why Newsgroups get a bad
reputation. Instead of pointing me in the right direction I get given
a script that will erase huge chunks of god knows what from the web
server.
> It is _CGI programs_ that are dangerous, regardless of what
> programming language you chose to write your program in.
No, it is wanker programmers who think it's funny to try to get you to
do damage to the files on the server that are dangerous.
> Perl is actually much _safer_ than any other programming language,
> due to its "taint checking", which no other language has.
I'd say the opposite. Due to the way Perl looks like encrypted trash
when you look at the program and seems to have no meaningful name to
the commands, it is far easier to make a mistake that will result in
damage being done. What the fuck is "+rm +rw r w r r r w w |?" when
it's at home? Why don't they just call the bloody command "Delete"
and save us all a headache??? What kind of dumb fuck enables you to
use the command "open" to erase things????
> There is no such thing as a simple problem if it has anything
> to do with "Security" and "CGI".
Really? If it wasn't for the "open" command being stupid enough to
allow you erase everything then there wouldn't be a security issue
there at all.
<snip>
> Write your security holes in VB if you prefer.
-----------------------------------------
Begin
' Setup path to HTML files
Path$ = "/usr/home/mffr45/public_html/"
'Get filename and replace word from params passed to program
File$ = Param$("File")
Replace$ = Param$("Word")
' Dump header so browser knows what's coming
Print "Content-type: text/html"
' Open the file for ReadOnly access
FileHandle = Open (Path$+File$,ReadOnly)
' If the file end is reached say so in the browser
If (EOF#FileHandle) print "The file was empty."
' If file doesn't exist EOF is triggered
' otherwise this loops until the file end is reached
While (NOT EOF#FileHandle)
Begin
' Read a line from the file. Terminated by CR, LF or NUL
FileRead$ = INPUT#FileHandle
' Execute REPLACE function (standard search and replace)
NewFileRead$ = REPLACE(FileRead$,"!LOOKPHRASE!",Replace$)
' Output the new text to the browser / screen
Print NewFileRead$
EndWhile
'Close the file
Close #FileHandle
End
> It is beginning to look like you also do not understand the
> (natural) language that you are using...
Oh dear, I made a typo, what a shame. Still, at least it didn't erase
my hard drive when I did it.
> Thanks oh so much for leaving.
>
> We all appreciate it!
No problem. Call me when you grow out of your diapers, won't you, cry
baby.
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: Sun, 02 Jul 2000 19:45:35 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: Welcome to....
Message-Id: <db3vls8au9oq1qk7m1b0btmm65ib3otenq@4ax.com>
On 02 Jul 2000 11:26:42 -0700, merlyn@stonehenge.com (Randal L.
Schwartz) wrote:
> But you gotta spend at least 15 minutes skimming "perldoc perlsec".
> Most people that post code don't even get that far, and it's giving
> the rest of us a bad name.
Well as that includes me I would hazard a guess that's because their
first exposure to Perl is in the CGI environment, where no Unix
commands are available and no documentation is supplied. Your only
source of scripts is sites off the web, and installing ActiveState
Perl onto Windows doesn't seem to offer anything in the way of
documentation... in fact on many computers it doesn't even seem to
work properly.
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: 2 Jul 2000 21:01:37 +0100
From: Jonathan Stowe <gellyfish@gellyfish.com>
Subject: Re: Welcome to....
Message-Id: <8jo731$38h$1@orpheus.gellyfish.com>
On Sun, 02 Jul 2000 14:42:49 +0100 Magic wrote:
> comp.lang.perl.lets-make-life-as-difficult-as-possible
>
It seems like someone's fixing to gain a permanent killfile entry.
> Thought you might be interested to read what I have found by reading
> this group....
>
I very much doubt it.
> Although the people in it have good intentions and are willing to
> help, they are so concerned with the complicated things about the
> language that in order to answer a simple question they seem to think
> reading a 140+ page document is required.
>
I didn't read much of your original thread because it was crossposted into
alt.perl and much of the stuff that gets posted there just makes me
angry and upset so it gets scored so low I will never get to read it.
I think part of your problem arose because you posted into alt.perl in
the first place - but that's by the by now.
As I can work out your original question involved the creation of a CGI
program that would accept a filename and a string from the user and would
do substitutions on that file based on the string. The substitution part
is easy and is covered in the FAQ that comes with every Perl distribution.
The question of allowing a user to specify a filename that will be used
in the open(), however, is more problematic and is prone to grave
security risks. Perl however does provide a mechanism (taint checking)
that helps you do things in a more secure way by preventing you from
doing them without having taken steps to ameliorate that risk. Ignoring
this capability of Perl in the intrinsically insecure environment of
the CGI is insanity. Some people will use the -T flag to perl in *every*
CGI program they write - I tend not to do so because I know of the risky
operations and omit taint checking where I am not doing anything dangerous
with user input - however that is not to say that *you* should do that.
The perlsec document is not 140+ pages long - it has 528 lines which would
be some 8 pages if it were printed with pages of 66 lines per page. This
document contains information about securing programs in all sorts of
hostile or insecure environments and describes that taint checking
mechanism in a way that would be difficult to summarise in a Usenet post.
It is essential reading if you are creating CGI programs that will be using
tainted user input. You might not like being told to do some further
reading but it is in your interest to do this if you care for the security
of the system, indeed it is in everyone's interest that you do this because
someone might compromise *your* insecure system and use it to deliver an
attack against someone else's system.
If you intend on writing CGI programs that will be exposed to the wider
world then you probably want to read two other documents mentioned in the
FAQ :
WWW Security FAQ
<http://www.w3.org/Security/Faq/>
CGI Security FAQ
<http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt>
Now don't think you are being fobbed off with this, it's just you are
expected to do the research yourself. Of course if you have any difficulty
about any Perl matters these resources throw up then by all means ask here.
/J\
--
** This space reserved for venue sponsor for yapc::Europe **
<http://www.yapc.org/Europe/>
------------------------------
Date: 02 Jul 2000 13:52:40 -0500
From: Tony Curtis <tony_curtis32@yahoo.com>
Subject: Re: Welcome to....
Message-Id: <87g0psbc07.fsf@limey.hpcc.uh.edu>
>> On Sun, 02 Jul 2000 19:45:35 +0100,
>> Magic <Magic@mattnet.freeserve.co.uk> said:
> Well as that includes me I would hazard a guess that's
> because their first exposure to Perl is in the CGI
> environment, where no Unix commands are available and no
> documentation is supplied. Your only source of scripts
> is sites off the web, and installing ActiveState Perl
> onto Windows doesn't seem to offer anything in the way
> of documentation... in fact on many computers it doesn't
> even seem to work properly.
FUD FUD and more FUD.
AS. perl comes with documentation available in HTML format
straight off your Windows "Start" menu. And AS. perl
works fine. "I can't get it to work" is not the same as
"it doesn't work".
You said you were going to leave this group in a previous,
abusive, post. Please do so. That kind of language is
going to get you kicked off your ISP. Have you read
news.announce.newusers recently? A 'net search on
"netiquette" would be a good start too.
hth
t
--
"With $10,000, we'd be millionaires!"
Homer Simpson
------------------------------
Date: Sun, 02 Jul 2000 15:48:27 -0400
From: brian@smithrenaud.com (brian d foy)
Subject: Re: Welcome to....
Message-Id: <brian-ya02408000R0207001548270001@news.panix.com>
In article <8jo731$38h$1@orpheus.gellyfish.com>, Jonathan Stowe <gellyfish@gellyfish.com> posted:
> If you intend on writing CGI programs that will be exposed to the wider
> world then you probably want to read two other documents mentioned in the
> FAQ :
>
> WWW Security FAQ
> <http://www.w3.org/Security/Faq/>
>
> CGI Security FAQ
> <http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt>
there are even more security references listed in the CGI Meta
FAQ, and some of them highlight the benefits of a high level
language like Perl, such as memory management and tainting.
--
brian d foy
CGI Meta FAQ <URL:http://www.smithrenaud.com/public/CGI_MetaFAQ.html>
Perl Mongers <URL:http://www.perl.org/>
------------------------------
Date: Sun, 2 Jul 2000 14:51:10 -0400
From: tadmc@metronet.com (Tad McClellan)
Subject: Re: Welcome to....
Message-Id: <slrn8lv3ou.aoq.tadmc@magna.metronet.com>
On 2 Jul 2000 21:01:37 +0100, Jonathan Stowe <gellyfish@gellyfish.com> wrote:
>On Sun, 02 Jul 2000 14:42:49 +0100 Magic wrote:
>> comp.lang.perl.lets-make-life-as-difficult-as-possible
>>
>
>It seems like someones fixing to
^^^^^^^^^
Y'all talk purdy funny over they-er.
>gain a permanent killfile entry.
Make that past tense for me ("done fixed"?).
>I didn't read much of your original thread because it was crossposted into
>alt.perl and much of the stuff that gets posted there just makes me
^^^^^^^^
>angry and upset so it gets scored so low I will never get to read it.
^^^^^^^^^^^^^
Great minds (that's a joke son) run on the same track, it appears.
>mechanism in a way that would be difficult to summarise in a Usenet post.
^^^^^^^^^^^^^^^^^^^^^^^^^^
Some folks need more help than can be delivered through the
"sound bite" form of Usenet, hence config file entries for
the helpless cases.
>It is essential reading if you are creating CGI programs that will be using
>tainted user input. You might not like being told to do some further
>reading but it is in your interest to do this if you care for the security
>of the system, indeed it is in everyone's interest that you do this because
>someone might compromise *your* insecure system and use it to deliver an
^^^^ ^^^^^^
>attack against someone else's system.
^^^^^^ ^^^^^^^^^^^^^
That could get your name in the papers though.
But there are "bad" and "good" 15 minute periods, you should try
and get one of the good ones :-)
--
Tad McClellan SGML Consulting
tadmc@metronet.com Perl programming
Fort Worth, Texas
------------------------------
Date: Sun, 02 Jul 2000 20:51:19 GMT
From: bart.lateur@skynet.be (Bart Lateur)
Subject: Re: Welcome to....
Message-Id: <3960a8aa.896376@news.skynet.be>
Magic wrote:
>What the fuck is "+rm +rw r w r r r w w |?" when
>it's at home? Why don't they just call the bloody command "Delete"
>and save us all a headache???
The command is called "unlink", because there isn't a concept of
"deleting" files in Unix. See: files consist of name entries, and data
storage. Unlike with DOS, different names can share the same data.
That's where the "link" comes from. All you can do, is remove a "name"
entry in the filesystem. As long as there is at least one (hard) link
left to the data, it WON'T BE DELETED. That will happen automatically as
soon as ALL name->data links are severed. See? You cannot reliably
delete a file, not if you don't know how many links still remain. All
you can do, is delete a name entry. Hence the name "unlink".
>What kind of dumb fuck enables you to
>use the command "open" to erase things????
Oh, but that's another mechanism. Special formats of open arguments,
allow you to run external files, and read the output of that program
into a "filehandle", as if it was reading from a file. What you need to
do is give the name of the program ("rm") plus its parameters, and end
the line with a "|" symbol, which means "pipe the output into my
program".
It's not the "open" that deletes the file, it's the external program,
"rm", short for "ReMove (files)".
There's a sibling to this, which is: start with a "|", and follow by a
command line, program name plus arguments. That way you can print to
this file handle, and that program will read what you print from its
standard input.
Very handy, but only safe if you know what you're doing. Getting data
from an anonymous user without checking it, and allowing it to run a
program on your system, is very unsafe indeed.
I think sysopen(), which is more difficult to call, but (probably) a lot
safer in this regard, would help a lot.
--
Bart.
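The "filename from the user goes into open()" problem that Jonathan Stowe's post raises and the pipe semantics of 2-argument open() that Bart's post explains, put together in one added example (mine, not code from any poster): the substitution CGI from the thread written under -T, with the request name untainted down to a bare file name and the file opened with a 3-argument open so the name can never be read as a command line. Assumptions: the parameters are called "file" and "word", the allowed directory is the one in Magic's pseudocode, and the request is constructed inline so the script runs offline.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Directory the CGI is allowed to read from (path taken from Magic's
# pseudocode above); everything else in this block is an assumption.
my $base = '/usr/home/mffr45/public_html';

# Under -T, anything that arrived in the request is tainted and may not be
# used in open(), sysopen() or system() until a regex capture untaints it.
# Accept only a bare file name: no '/', no '..', and no trailing '|' or
# leading '>' that a 2-argument open() would read as a pipe or a write.
sub untaint_basename {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63}\.html?)\z/;
    return $1;    # the capture is what clears the taint flag
}

# Read $dir/$name and substitute $word for every !LOOKPHRASE! marker.
# Returns the rendered text, or undef when the file cannot be opened.
sub render_file {
    my ($dir, $name, $word) = @_;
    # 3-argument open with an explicit '<' mode: the third argument is always
    # a file name, never an "rm ... |" command line, whatever it contains.
    # sysopen($fh, "$dir/$name", O_RDONLY) from Fcntl gives the same guarantee.
    open(my $fh, '<', "$dir/$name") or return;
    my $out = '';
    while (my $line = <$fh>) {
        $line =~ s/!LOOKPHRASE!/$word/g;   # replacement side is literal text
        $out .= $line;
    }
    close $fh;
    return $out;
}

# Constructed request for an offline run; in the real CGI these would come
# from CGI->new->param('file') and param('word').
my %param = (file => 'index.html', word => 'Hello');

print "Content-type: text/plain\n\n";
my $name = untaint_basename($param{file});
if (!defined $name) {
    print "Bad file name.\n";            # rejected before any filesystem access
}
elsif (defined(my $body = render_file($base, $name, $param{word}))) {
    print $body;
}
else {
    print "No such file.\n";
}
```

Run it as `perl -T script.pl`; perl refuses to start with "Too late for -T" if the switch is only in the shebang line and not on the command line.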
------------------------------
Date: Sun, 02 Jul 2000 17:32:28 -0400
From: Drew Simonis <care227@attglobal.net>
Subject: Re: Welcome to....
Message-Id: <395FB4EC.7B29F6E4@attglobal.net>
Magic wrote:
>
> I'd say the opposite. Due to the way Perl looks like encrypted trash
> when you look at the program and seems to have no meaningful name to
> the commands, it is far easier to make a mistake that will result in
> damage being done. What the fuck is "+rm +rw r w r r r w w |?" when
> it's at home? Why don't they just call the bloody command "Delete"
> and save us all a headache???
rm = remove. It is not a Perl function or operator, it is a UNIX
system command.
> What kind of dumb fuck enables you to
> use the command "open" to erase things????
The answer to this is obvious. Perl lets you do whatever you want.
So does C, COBOL, Fortran, Pascal, PHP, ASP, etc. It is up to the
programmer to decide what to do. The language is just a tool. The
fault comes from the technique.
> Really? If it wasn't for the "open" command being stupid enough to
> allow you erase everything then there wouldn't be a security issue
> there at all.
No. It is the responsibility of the programmer to be educated as to
the function of the tool (language) and use it properly. What you are
saying is similar to a carpenter who removes his finger with a table saw
and then says "what kind of moron makes a saw that removes fingers!".
It's not the fault of the saw.
>
> No problem. Call me when you grow out of your diapers, won't you, cry
> baby.
Seems you are the one acting like a child here today. Your foul
language and attacking attitude have certainly made you look the
fool.
------------------------------
Date: Sun, 02 Jul 2000 17:36:53 -0400
From: Drew Simonis <care227@attglobal.net>
Subject: Re: Welcome to....
Message-Id: <395FB5F5.996F5F92@attglobal.net>
Tad McClellan wrote:
>
> Y'all talk purdy funny over they-er.
>
> >gain a permanent killfile entry.
>
> Make that past tense for me ("done fixed"?).
I wondered how you knew the past tense of fixin until I read..
> Tad McClellan SGML Consulting
> tadmc@metronet.com Perl programming
> Fort Worth, Texas
^^^^^^^^^^^^^^^^^ <--
and it all made sense.
------------------------------
Date: Sun, 02 Jul 2000 22:54:08 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: Welcome to....
Message-Id: <ffevlsg51gfeiiofpfd7t15lhunk4cj4j5@4ax.com>
On Sun, 02 Jul 2000 17:32:28 -0400, Drew Simonis
<care227@attglobal.net> wrote:
> Seems you are the one acting like a child here today. Your foul
> language and attacking attitude have certainly made you look the
> fool.
Worked though didn't it. I actually got a sensible reply!
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: Sun, 2 Jul 2000 16:55:28 -0500
From: "Billy Chambless" <billy@erc.msstate.edu>
Subject: Re: Welcome to....
Message-Id: <8jodll$ona$1@nntp.msstate.edu>
Tad McClellan <tadmc@metronet.com> wrote in message
news:slrn8lujch.abr.tadmc@magna.metronet.com...
> Write your security holes in VB if you prefer.
Well, it *is* easier that way.....
------------------------------
Date: 02 Jul 2000 11:23:57 -0700
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: YES it's dangerous! (was Re: Is this code dangerous? eval{$$_ = $q->param($_)})
Message-Id: <m1wvj4crwi.fsf@halfdome.holdit.com>
>>>>> "multiplexor" == multiplexor <abuse@localhost> writes:
multiplexor> As I understand it, what the foreach loop does is equivalent to the following:
multiplexor> $name = $q->param(name);
multiplexor> $email = $q->param(email);
multiplexor> That's why I can't find any security hole when someone types any dangerous
multiplexor> command. Can you comment on this code?
Yes. It's dangerous. Don't do it.
Do you really wanna let an arbitrary user do this:
$some_variable_that_was_important_to_authentication =
$q->param('some_variable_that_was_important_to_authentication');
without you noticing?
Don't mix user-defined variable names with your variables. Keep them
as keys in a hash. *NEVER* let the user data mix with your data.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
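An added example (mine, not code from either poster) of what Randal is warning about: the `eval{$$_ = $q->param($_)}` loop beside the hash-based form he recommends, run against a constructed request that carries an extra parameter named after a variable the script uses for authentication. The request hash and `param` sub stand in for CGI.pm so it runs offline; `$is_admin` is an assumed variable name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request, standing in for CGI.pm's $q->param so the block runs
# offline: the attacker controls both the parameter names and the values.
my %request = (
    name     => 'alice',
    email    => 'alice@example.invalid',
    is_admin => '1',     # a name the script author never expected
);
sub param { my ($n) = @_; return defined $n ? $request{$n} : keys %request }

# A variable "important to authentication", set by the script, not the user.
our $is_admin = 0;

# The pattern from the original post.  With a user-supplied parameter NAME
# in $_, $$_ is a symbolic reference, so the request above assigns to
# $main::is_admin.  (Under 'use strict' the symref dies inside the eval
# and the assignment is silently skipped, so the hole only opens when
# strict refs is off, as assumed here for the 2000-era script.)
sub unsafe_assign {
    no strict 'refs';
    foreach (param()) {
        eval { $$_ = param($_) };
    }
    return $is_admin;    # now '1', set by the request
}

# Randal's fix: user data lives only as keys and values of a hash you own.
# Unknown names land in the hash and never touch your variables.
sub safe_assign {
    my %form;
    $form{$_} = param($_) for param();
    return ($is_admin, \%form);
}

$is_admin = 0;
my ($after_safe, $form) = safe_assign();
print "safe:   is_admin=$after_safe, form keys=", join(',', sort keys %$form), "\n";
$is_admin = 0;
print "unsafe: is_admin=", unsafe_assign(), "\n";
```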
------------------------------
Date: 16 Sep 99 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 16 Sep 99)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
| NOTE: The mail to news gateway, and thus the ability to submit articles
| through this service to the newsgroup, has been removed. I do not have
| time to individually vet each article to make sure that someone isn't
| abusing the service, and I no longer have any desire to waste my time
| dealing with the campus admins when some fool complains to them about an
| article that has come through the gateway instead of complaining
| to the source.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V9 Issue 3540
**************************************