[16169] in Perl-Users-Digest
Perl-Users Digest, Issue: 3581 Volume: 9
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Mon Jul 10 17:53:33 2000
Date: Mon, 10 Jul 2000 14:53:18 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <963265998-v9-i3581@ruby.oce.orst.edu>
Content-Type: text
Perl-Users Digest Mon, 10 Jul 2000 Volume: 9 Number: 3581
Today's topics:
Re: My "replace a word in an HTML file" problem (CGI) <ozette@imaginative-creations.com>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
Re: My "replace a word in an HTML file" problem (CGI) <tony_curtis32@yahoo.com>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
Re: My "replace a word in an HTML file" problem (CGI) <jeff@vpservices.com>
Re: My "replace a word in an HTML file" problem (CGI) <jeff@vpservices.com>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
Re: My "replace a word in an HTML file" problem (CGI) <tony_curtis32@yahoo.com>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
Re: My "replace a word in an HTML file" problem (CGI) (Malcolm Dew-Jones)
Re: My "replace a word in an HTML file" problem (CGI) (Malcolm Dew-Jones)
Re: My "replace a word in an HTML file" problem (CGI) (Malcolm Dew-Jones)
Re: My "replace a word in an HTML file" problem (CGI) <tony_curtis32@yahoo.com>
Re: My "replace a word in an HTML file" problem (CGI) <godzilla@stomp.stomp.tokyo>
Re: My "replace a word in an HTML file" problem (CGI) (Malcolm Dew-Jones)
Re: My "replace a word in an HTML file" problem (CGI) <sariq@texas.net>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
Re: My "replace a word in an HTML file" problem (CGI) <Magic@mattnet.freeserve.co.uk>
ndbm store returned -1, errno 28, key "342333" <pavelk@netscape.com>
Re: ndbm store returned -1, errno 28, key "342333" <bwalton@rochester.rr.com>
Digest Administrivia (Last modified: 16 Sep 99) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Mon, 03 Jul 2000 12:02:12 -0400
From: "Mr. Ozette Brown" <ozette@imaginative-creations.com>
To: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <3960B904.2EDF8984@imaginative-creations.com>
Magic,
I think I see what you are trying to accomplish. You should really use a module
called CGI.pm. It will make what you want to do soooo easy. CGI.pm should be in
your standard distribution of perl.
Enjoy,
Ozette
Magic wrote:
> Hi all,
>
> I've managed to knock up some code with the kind help of a few who
> took pity on me for being a cluebie. I've commented my code so I hope
> it's nice and easy for people to understand what I'm attempting to
> achieve.
>
> The code itself works (miracle!!) but what I would appreciate is
> if somebody could look it over and see if I've done enough to prevent
> commands etc. being executed (like rm) which could do some damage.
> I've attempted to remove any "|" and ".." from the filename, do I need
> to do any more?
>
> Many thanks
>
> Code follows...
>
> ------------------------------------------------------------------------
> # Filename : parsepage.pl
> # Version : 0.42
> # Author : Matthew Charman
> # Date : 3rd July 2000
>
> #! /usr/local/bin/perl
>
> # Home directory for my HTML files
> $html_dir = "/usr/home/fut589/public_html";
>
> #Tell browser what is being sent to it
> print "Content_Type: text/html\n\n";
>
> # Call the ReadParse function copy-pasted from cgi.pl
> &ReadParse;
>
> # Get the word parameter
> $myword = $in{'word'};
>
> # Get the file parameter
> $myfile = $in{'file'};
>
> # The file to open is 'the path to HTML files' / 'file parameter'
> $file_to_open = "$html_dir/$myfile";
>
> # Get rid of nasty pipe things and ".."
> # to stop people executing commands and
> # moving up directories.
> $_ = $file_to_open;
> s/\|//g ;
> s/\.\.//g ;
> $file_to_open = $_ ;
>
> # Open the file
> open(FILE, $file_to_open);
>
> # While end is not reached read a string into $_
> while(<FILE>) {
> # Replace any occurrences of !MYWORD! with the contents of $myword
> s/\!MYWORD\!/$myword/g ;
> # Output the altered string to the browser
> print "$_";
> }
> # Close the file
> close(FILE);
>
> # Exit the program cleanly.
> exit(0);
>
> ###############################################################################
> #
> # Copy-pasted from "cgi.pl" as whole library was not needed.
> #
>
> sub ReadParse {
> local(*in)=@_ if @_;
> local ($i,$key,$val);
>
> if ($ENV{'REQUEST_METHOD'} eq "GET") {
> $in=$ENV{'QUERY_STRING'};
> }
> elsif ($ENV{'REQUEST_METHOD'} eq "POST") {
> read(STDIN,$in,$ENV{'CONTENT_LENGTH'});
> }
>
> @in=split(/&/,$in);
>
> foreach $i (0 .. $#in) {
> $in[$i] =~ s/\+/ /g;
> ($key,$val)=split(/=/,$in[$i],2);
> $key =~ s/%(..)/pack("c",hex($1))/ge;
> $val =~ s/%(..)/pack("c",hex($1))/ge;
> $in{$key} .= "\0" if (defined($in{$key}));
> $in{$key} .=$val;
> }
> return length($in);
> }
>
> ------------------------------------------------------------------------
>
> Magic ==|:o)
> --
> Location : Portsmouth, England, UK
> Homepage : http://www.mattnet.freeserve.co.uk
> EMail : mailto:Magic@mattnet.freeserve.co.uk
--
Mr. Ozette J. Brown <President>
Imaginative Creations <webmaster@imaginative-creations.com>
A Website Development and Consulting Company.
http://www.imaginative-creations.com
------------------------------
Date: Mon, 03 Jul 2000 17:28:16 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <bkf1ms4hq5me8lo3p484a8ar9bviv85aii@4ax.com>
On Mon, 03 Jul 2000 12:02:12 -0400, "Mr. Ozette Brown"
<ozette@imaginative-creations.com> wrote:
> Magic,
>
> I think I see what you are trying to accomplish. You should really
> use a module called CGI.pm. It will make what you want to do soooo easy.
> CGI.pm should be in your standard distribution of perl.
>
> Enjoy,
>
> Ozette
Thanks for the suggestion Ozette, but I've received mixed advice about
"CGI.pl". Some people say it's good because it makes things simple,
but others say there are a lot of errors in it and it isn't
"standardised" so it's bad practice to get into the habit of using it.
As I only needed one function from it I decided just to copy that
function into my script as a subroutine.
The code does actually work, I'd just like to know if it is enough to
remove "|" and ".." from the filename in order for the script to be
safe on the web server, or if there is anymore I need to do to the
filename before I open it.
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: 03 Jul 2000 11:34:33 -0500
From: Tony Curtis <tony_curtis32@yahoo.com>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <874s672mw6.fsf@limey.hpcc.uh.edu>
>> On Mon, 03 Jul 2000 17:28:16 +0100,
>> Magic <Magic@mattnet.freeserve.co.uk> said:
> Thanks for the suggestion Ozette, but I've received
> mixed advice about "CGI.pl". Some people say it's good
> because it makes things simple, but others say there are
> a lot of errors in it and it isn't "standardised" so
CGI.pm comes with perl, so I'd say that makes it
"standard".
If you look at the code you posted, you'll notice that it
handles POST by blithely reading data of length
$ENV{CONTENT_LENGTH} without checking to see how much it
will read. That's only one problem with it.
There are some people who claim that CGI.pm is full of
bugs, yet strangely I've never seen a list or any details
of those bugs. It's just more FUD for some unknown
reason.
(http://www.tuxedo.org/~esr/jargon/html/entry/FUD.html)
Switch to CGI.pm and "use strict;", plus -w and -T
checking, it will make your life much easier.
hth
t
--
"With $10,000, we'd be millionaires!"
Homer Simpson
------------------------------
Date: Mon, 03 Jul 2000 18:04:47 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <3qh1mskmkqb5olo6pctuo6hsrotl1sqlbj@4ax.com>
On 03 Jul 2000 11:34:33 -0500, Tony Curtis <tony_curtis32@yahoo.com>
wrote:
> If you look at the code you posted, you'll notice that it
> handles POST by blithely reading data of length
> $ENV{CONTENT_LENGTH} without checking to see how much it
> will read. That's only one problem with it.
Great! :o)
In that case as I don't think I'll be using POST at all (only GET)
I'll just "die" if it uses POST.
> There are some people who claim that CGI.pm is full of
> bugs, yet strangely I've never seen a list or any details
> of those bugs. It's just more FUD for some unknown
> reason.
>
> (http://www.tuxedo.org/~esr/jargon/html/entry/FUD.html)
>
> Switch to CGI.pm and "use strict;", plus -w and -T
> checking, it will make your life much easier.
I don't know what "-w -T" will do, but I will endeavour to find out
(thanks to the kind person who sent me most of the PerlMan in Email)
:o)
As for why not to use "CGI.pl" - I have been told it's the same as
"CGI-Lib.pl" which was written by Steve Brenner. I suppose the first
question is, have I been told correctly, or are they different?
I have a text file I could post which gives a lot of explanation as to
why cgi-lib.pl shouldn't be used if they are indeed the same.
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: Mon, 03 Jul 2000 10:09:44 -0700
From: Jeff Zucker <jeff@vpservices.com>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <3960C8D8.2C59CBB2@vpservices.com>
Magic wrote:
>
> but I've received mixed advice about
> "CGI.pl".
Are you talking about cgi-lib.pl or CGI.pm? The former is outdated, the
latter is highly recommended by 1) www.perl.com, 2) the perl FAQs, 3)
many recognized authorities on Perl such as Randal Schwartz, co-author
of three of the most important books on Perl, and many others. Who are
these people that advise against it and what is their qualification to
offer advice?
> Some people say it's good because it makes things simple,
And because it has built in protections against many common mistakes in
designing CGI handling scripts. And because it is very actively updated
and maintained by its author. And because it has excellent
documentation.
> but others say there are a lot of errors in it
If there were lots of errors in it, it would not be part of the standard
Perl distribution and would not be consistently recommended by those
qualified to make a recommendation. The author updates the module every
couple of months or as needed to fix any problems.
> As I only needed one function from it I decided just to copy that
> function into my script as a subroutine.
As shown in other threads on this newsgroup, you do not yet have a firm
grasp on what is required for CGI security (as most of us didn't when we
got started), so how do you know that you only need one function from
it? It has many built in protections against problems you may not even
know exist.
--
Jeff
------------------------------
Date: Mon, 03 Jul 2000 10:16:26 -0700
From: Jeff Zucker <jeff@vpservices.com>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <3960CA6A.2BC8414F@vpservices.com>
Magic wrote:
>
> In that case as I don't think I'll be using POST at all (only GET)
> I'll just "die" if it uses POST.
VERY BAD IDEA! There are many reasons in many situations why POST is
better than GET. Please read up on CGI if you doubt me.
> As for why not to use "CGI.pl" - I have been told it's the same as
> "CGI-Lib.pl" which was written by Steve Brenner. I suppose the first
> question is, have I been told correct or are they different?
They are completely different. Use CGI.pm, do not use cgi-lib.pl. I've
listed some of the reasons why in another posting on this thread.
--
Jeff
------------------------------
Date: Mon, 03 Jul 2000 18:48:41 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <f1k1msg6g01ggefq3e9590uohjdibgkt76@4ax.com>
On Mon, 03 Jul 2000 10:16:26 -0700, Jeff Zucker <jeff@vpservices.com>
wrote:
> Magic wrote:
> >
> > In that case as I don't think I'll be using POST at all (only GET)
> > I'll just "die" if it uses POST.
>
> VERY BAD IDEA! There are many reasons in many situations why POST is
> better than GET. Please read up on CGI if you doubt me.
But this script is only intended to be called from a link on a web
page <A HREF="/cgi-bin/parsepage.pl?file=navbar.html&word=hello"
target="navFrame">
I don't intend to do anything else with it, so surely it's safe *in
this instance* to remove support for POST which I would only use with
a form ?
I can see why POST has advantages if dealing with more than the very
rudimentary task I am attempting (perhaps a little badly) to
accomplish.
> > As for why not to use "CGI.pl" - I have been told it's the same as
> > "CGI-Lib.pl" which was written by Steve Brenner. I suppose the
> > first question is, have I been told correctly, or are they different?
>
> They are completely different. Use CGI.pm, do not use cgi-lib.pl.
> I've listed some of the reasons why in another posting on this thread.
Is it possible that CGI.pl is not in the installation of Perl on my
ISP's server? I simply added the line "use CGI;" to the script and I
get "Internal Server Error 500".
Could I just upload CGI.pl in the cgi-bin along with my program?
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: 03 Jul 2000 13:58:50 -0500
From: Tony Curtis <tony_curtis32@yahoo.com>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <87vgyn11n9.fsf@limey.hpcc.uh.edu>
>> On Mon, 03 Jul 2000 18:48:41 +0100,
>> Magic <Magic@mattnet.freeserve.co.uk> said:
> But this script is only intended to be called from a
> link on a web page <A
> HREF="/cgi-bin/parsepage.pl?file=navbar.html&word=hello"
> target="navFrame">
> I don't intend to do anything else with it, so surely
> it's safe *in this instance* to remove support for POST
> which I would only use with a form ?
Oh, *you* don't intend doing anything else with it.
However, there are people out there who are only too
willing to do things with networked software that wasn't
intended. Usually with some very bad consequences.
> Is it possible that CGI.pl is not in the installation of
It's CGI.pm; .pm indicates a module.
> Perl on my ISP's server? I simply added the line "use
> CGI;" to the script and I get "Internal Server Error
> 500".
You're probably not outputting the right headers, or
CGI.pm and your hand-coded header output are getting
confused. There could be any number of reasons. CGI.pm
has the huge advantage of making it easier to test your
code locally on the command-line, you can pass parameters
in interactively. Also put
use CGI::Carp 'fatalsToBrowser';
in your code and "die" on errors. Then the errors show up
in the browser output rather than be buried mysteriously
in the web server's logfiles.
> Could I just upload CGI.pl in the cgi-bin along with my
> program?
You could do that (CGI.pm). A more interesting question
is why it might not be on the server, since CGI.pm *is* a
standard part of the perl distribution...
Try this simple test program:
use CGI ':standard';
print header, start_html, h1('A test'), end_html;
Does it work?
(In a real case, you'd want to put sane info into the
start_html() etc. methods).
And isn't that nice code? No raw HTTP header lines. No
embedded HTML tags to confuse quoting characters with?
Proselytisation over... :-)
hth
t
--
"With $10,000, we'd be millionaires!"
Homer Simpson
------------------------------
Date: Mon, 03 Jul 2000 22:11:53 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <8tv1ms8f6vssc0o5jqfsn1bdrl0g2c5kdq@4ax.com>
On 03 Jul 2000 13:58:50 -0500, Tony Curtis <tony_curtis32@yahoo.com>
wrote:
> It's CGI.pm .pm indicates a module.
Ok... :o)
> You're probably not outputting the right headers, or
> CGI.pm and your hand-coded header output are getting
> confused.
Nope... it ain't there!
> use CGI::Carp 'fatalsToBrowser';
......I'm going fishing?
> in your code and "die" on errors. Then the errors show up
> in the browser output rather than be buried mysteriously
> in the web server's logfiles.
Very useful! :o)
[ref uploading CGI.pm to my cgi-bin]
> You could do that (CGI.pm). A more interesting question
> is why it might not be on the server, since CGI.pm *is* a
> standard part of the perl distribution...
Pass, I've Emailed support and asked them.
> Try this simple test program:
>
> use CGI ':standard';
> print header, start_html, h1('A test'), end_html;
>
> Does it work?
Nope.
However, I did find a copy of "CGI.pm" in my ActiveState Perl folder
so I uploaded that into my cgi-bin and now it does. I wonder what else
is missing from the "default installation" on my ISP... and how much
bad luck can one guy have with Perl.. :o(
> (In a real case, you'd want to put sane info into the
> start_html() etc. methods).
>
> And isn't that nice code? No raw HTTP header lines. No
> embedded HTML tags to confuse quoting characters with?
Yep... although now I really want to know why it's not there by
default on my ISP... *shrug*
> Proselytisation over... :-)
Prosewhat? Oh nevermind, I've had enough confusing things for one day,
I'll find the dictionary tomorrow!
Thanks! :o)
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: 4 Jul 2000 13:14:39 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <396245af@news.victoria.tc.ca>
Magic (Magic@mattnet.freeserve.co.uk) wrote:
: Hi all,
: I've managed to knock up some code with the kind help of a few who
: took pity on me for being a cluebie. I've commented my code so I hope
: it's nice and easy for people to understand what I'm attempting to
: achieve.
: The code itself works (miracle!!) but what I would appreciate is
: if somebody could look it over and see if I've done enough to prevent
: commands etc. being executed (like rm) which could do some damage.
: I've attempted to remove any "|" and ".." from the filename, do I need
: to do any more?
: $_ = $file_to_open;
: s/\|//g ;
: s/\.\.//g ;
: $file_to_open = $_ ;
: # Open the file
: open(FILE, $file_to_open);
It's hard to say 100% that this makes the filename safe.
Instead of trying to decide what makes the name *unsafe*, you should
instead decide what makes a name safe and then check the name is safe.
That's a general security rule - define what's good, test that things
are good and reject anything not known to be good.
# \w checks for word characters (alphanumeric plus "_")
# \W checks for anything NOT a word
#
# word characters are pretty flexible for filenames, and totally
# safe, so let's allow only them.
#
# test for non-word character anywhere in name
if ($file_to_open =~ m/\W/)
{ # reject the file
print "sorry, filename must be only word characters";
}
------------------------------
Date: 4 Jul 2000 14:40:27 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <396259cb@news.victoria.tc.ca>
Tony Curtis (tony_curtis32@yahoo.com) wrote:
: >> On Mon, 03 Jul 2000 17:28:16 +0100,
: >> Magic <Magic@mattnet.freeserve.co.uk> said:
: > Thanks for the suggestion Ozette, but I've received
: > mixed advice about "CGI.pl". Some people say it's good
: > because it makes things simple, but others say there are
: > a lot of errors in it and it isn't "standardised" so
: CGI.pm comes with perl, so I'd say that makes it
: "standard".
: If you look at the code you posted, you'll notice that it
: handles POST by blithely reading data of length
: $ENV{CONTENT_LENGTH} without checking to see how much it
: will read. That's only one problem with it.
Which is exactly what CGI.pm does by default. (the default $POST_MAX is
-1 which allows any CONTENT_LENGTH, and CGI.pm reads() it all into memory
on regular POST input.)
------------------------------
Date: 4 Jul 2000 14:52:46 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <39625cae@news.victoria.tc.ca>
Magic (Magic@mattnet.freeserve.co.uk) wrote:
: On 03 Jul 2000 11:34:33 -0500, Tony Curtis <tony_curtis32@yahoo.com>
: wrote:
: > If you look at the code you posted, you'll notice that it
: > handles POST by blithely reading data of length
: > $ENV{CONTENT_LENGTH} without checking to see how much it
: > will read. That's only one problem with it.
: Great! :o)
: In that case as I don't think I'll be using POST at all (only GET)
: I'll just "die" if it uses POST.
Better yet, just check the CONTENT_LENGTH for some reasonable maximum.
Also, check the CONTENT_TYPE (I don't recall if that is the correct
parameter name) to make sure the data is url encoded, because you don't
handle multipart.
: I don't know what "-w -T" will do, but I will endeavour to find out
: (thanks to the kind person who sent me most of the PerlMan in Email)
: :o)
-w = perl warns you about various things that are commonly mistakes.
Highly recommended.
-T = perl warns you if user input is used in any potentially unsafe
statement, BUT be careful, lack of taint errors DOES NOT MEAN
YOUR PROGRAM IS SAFE. Correctly untainting data can be difficult, and
you can untaint data without meaning to if you use the data in regular
expressions for other purposes. E.g. If you check the input for some
flag, then the data may be untainted, even though that wasn't the reason
for the check, and -T will not warn you about the use of the still-unsafe
data.
Recommended, but don't trust tainting to keep your script safe.
Also use strict, which requires variables to be predeclared which helps
you to avoid typos, especially important for subtle typos such
as using $array when only @array has been declared.
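The bounded request parsing Malcolm describes (cap CONTENT_LENGTH and check CONTENT_TYPE before reading url-encoded input), together with the $POST_MAX point he and Tony raise about CGI.pm, as an added example that is not code from the thread or from CGI.pm: a replacement for the hand-copied ReadParse that refuses the request before read() is ever called. The 128 KiB limit, the read_form name and the constructed sample body are assumptions for this example.

```perl
use strict;
use warnings;

# Upper bound on the request body held in memory. The 128 KiB figure is
# an assumption for this example, not a value from the thread.
my $MAX_BODY = 128 * 1024;

# read_form does what the thread's ReadParse does, but checks
# CONTENT_LENGTH and CONTENT_TYPE before the body is read.
# Takes a hashref of CGI environment variables and a filehandle for the
# body; returns a hashref of parameters, or dies with a short reason.
sub read_form {
    my ($env, $fh) = @_;
    my $method = $env->{REQUEST_METHOD} // '';
    my $body   = '';

    if ($method eq 'GET') {
        $body = $env->{QUERY_STRING} // '';
    }
    elsif ($method eq 'POST') {
        my $len  = $env->{CONTENT_LENGTH} // '';
        my $type = $env->{CONTENT_TYPE}   // '';

        # CONTENT_LENGTH comes from the client: insist on a plain integer
        # and cap it before it ever reaches read().
        die "bad CONTENT_LENGTH\n"      unless $len =~ /^\d{1,9}\z/;
        die "request body too large\n" if $len > $MAX_BODY;

        # This parser only understands url-encoded bodies, so reject
        # multipart/form-data instead of silently mis-parsing it.
        die "unsupported content type\n"
            unless $type =~ m{^application/x-www-form-urlencoded\b}i;

        my $got = read($fh, $body, $len);
        die "short read\n" unless defined $got && $got == $len;
    }
    else {
        die "unsupported request method\n";
    }

    # Same decoding as ReadParse (+ to space, then %XX), with the hex
    # digits restricted so "%zz" cannot turn into a bogus byte.
    my %in;
    for my $pair (split /&/, $body) {
        my ($key, $val) = split /=/, $pair, 2;
        next unless defined $key && length $key;
        $val = '' unless defined $val;
        for ($key, $val) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        # Repeated keys are NUL-joined, as in the original ReadParse.
        $in{$key} = exists $in{$key} ? "$in{$key}\0$val" : $val;
    }
    return \%in;
}

# Stand-alone check on a constructed request (not live CGI input).
unless (caller) {
    my $sample = "word=hello+world&file=navbar.html";
    open my $fh, '<', \$sample or die "cannot open in-memory body: $!";
    my $in = read_form({
        REQUEST_METHOD => 'POST',
        CONTENT_LENGTH => length($sample),
        CONTENT_TYPE   => 'application/x-www-form-urlencoded',
    }, $fh);
    print "$_ = $in->{$_}\n" for sort keys %$in;

    # An oversized body is refused before read() runs.
    my $err = eval {
        read_form({ REQUEST_METHOD => 'POST',
                    CONTENT_LENGTH => $MAX_BODY + 1,
                    CONTENT_TYPE   => 'application/x-www-form-urlencoded' },
                  $fh);
        "accepted\n";
    } // $@;
    print "oversized body: $err";
}
```

With CGI.pm the same cap is one assignment made before the CGI object is built, `$CGI::POST_MAX = 128 * 1024;` (and `$CGI::DISABLE_UPLOADS = 1;` refuses multipart uploads outright), which is why the limit can be added without touching the parsing code.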
------------------------------
Date: 04 Jul 2000 17:43:50 -0500
From: Tony Curtis <tony_curtis32@yahoo.com>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <8766qla53t.fsf@limey.hpcc.uh.edu>
>> On 4 Jul 2000 14:40:27 -0800,
>> yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones) said:
>> [ unrestricted uploads ]
> Which is exactly what CGI.pm does by default. (the
> default $POST_MAX is -1 which allows any CONTENT_LENGTH,
> and CGI.pm reads() it all into memory on regular POST
> input.)
Yes, but it is easy to restrict it, and without modifying
code (well, obviously you have to modify code, but not the
actual code that does the CGI stuff. The module abstracts
and provides an interface to shield you from the dirty
details).
hth
t
--
"With $10,000, we'd be millionaires!"
Homer Simpson
------------------------------
Date: Tue, 04 Jul 2000 16:14:45 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <39626FE5.6915449A@stomp.stomp.tokyo>
Malcolm Dew-Jones wrote:
> Magic wrote:
> : Tony Curtis wrote:
> : > If you look at the code you posted, you'll notice that it
> : > handles POST by blithely reading data of length
> : > $ENV{CONTENT_LENGTH} without checking to see how much it
> : > will read. That's only one problem with it.
> : Great! :o)
> : In that case as I don't think I'll be using POST at all (only GET)
> : I'll just "die" if it uses POST.
> Better yet, just check the CONTENT_LENGTH for some reasonable maximum.
Brenner's cgi.lib does an adequate job of protecting
against content length problems. Those who claim cgi.lib
does not control content length are displaying a lack
of knowledge of Perl and of her history:
# maximum bytes to accept via POST - 2^17
$cgi_lib'maxdata = 131072;
> : I don't know what "-w -T" will do, but I will endeavour to find out
> : (thanks to the kind person who sent me most of the PerlMan in Email)
> : :o)
> -w = perl warns you about various things that are commonly mistakes.
> Highly recommended.
Pragma warnings display an unacceptable error rate. It is
quite common for wording of pragma hints to be incomprehensible
gibberish or simply wrong. Not uncommon at all for pragma hints
to create a wild goose chase by returning an error message
which is several hundred lines off target. Even more common
are pragma errors based in variations of more recent Perl
versions rendering portability near zero. Pragma warnings
should carry a warning as well:
"This error message might be in error itself. Who knows?"
> -T = perl warns you if user input is used in any potentially unsafe
> statement, BUT be careful, lack of taint errors DOES NOT MEAN
> YOUR PROGRAM IS SAFE. Correctly untainting data can be difficult, and
> you can untaint data without meaning to if you use the data in regular
> expressions for other purposes. E.g. If you check the input for some
> flag, then the data may be untainted, even though that wasn't the reason
> for the check, and -T will not warn you about the use of the still-unsafe
> data.
> Recommended, but don't trust tainting to keep your script safe.
Taint checking causes a lot of scripts to crash without good
reason. Taint checking also severely restricts what you can
do with a Perl script; Taint limits effectiveness and imagination.
Taint checking creates a false sense of security. For best
security, address your security problems personally. Your
advice to not trust Taint checking is of excellent quality.
Trusting Taint is like trusting O.J. Simpson.
> Also use strict, which requires variables to be predeclared which helps
> you to avoid typos, especially important for subtle typos such
> as using $array when only @array has been declared.
Use of strict promotes lazy programmers and promotes ignorance
of Perl itself. Strict leads so called programmers to be lax
and careless in knowing Strict will catch most but not all of
his or her errors. True programmers scoff at use of Strict.
We know how to write programs correctly sans babysitter.
All-in-all, cgi.pm, pragma warnings, taint checking and use
of strict, are annoying Perl 5 Cargo Cult mule manure all of
which lead to inexcusable problems and makes for lax ineffective
programmers or, what I have come to term with ironic biting
endearment, "Copy and Paste Technicians" rather than what
I personally consider to be programmers.
Avoid Perl 5 Cargo Cult and you will become a better programmer
through hard work, planning, thinking and by learning unforgettable
hard lessons by actually writing your programs rather than being
just another Copy and Paste Technician worshipping Perl 5 Cargo Cult.
Godzilla!
------------------------------
Date: 4 Jul 2000 21:45:28 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <3962bd68@news.victoria.tc.ca>
Tony Curtis (tony_curtis32@yahoo.com) wrote:
: >> On 4 Jul 2000 14:40:27 -0800,
: >> yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones) said:
: >> [ unrestricted uploads ]
: > Which is exactly what CGI.pm does by default. (the
: > default $POST_MAX is -1 which allows any CONTENT_LENGTH,
: > and CGI.pm reads() it all into memory on regular POST
: > input.)
: Yes, but it is easy to restrict it, and without modifying
: code (well, obviously you have to modify code, but not the
: actual code that does the CGI stuff. The module abstracts
: and provides an interface to shield you from the dirty
: details).
Sure it's easy ** if you think to do it **.
It would be just as easy to add it to the code we were shown.
In many ways it's easier, since CONTENT_LENGTH is a broader standard so
easier to learn about. (By broader I mean that anyone working on any CGI
related project has likely seen it, not just someone who's worked with
Perl/CGI.pm).
------------------------------
Date: Wed, 05 Jul 2000 08:46:20 -0500
From: Tom Briles <sariq@texas.net>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <39633C2C.F95EC3E@texas.net>
Magic wrote:
>
> I did find a copy of "CGI.pm" in my ActiveState Perl folder
> so I uploaded that into my cgi-bin and now it does. I wonder what else
> is missing from the "default installation" on my ISP... and how much
> bad luck can one guy have with Perl.. :o(
Check the output of perl -v (or -V). If you are using a Perl that's too
old to have CGI.pm in the distribution, the security holes *you* leave
open may be the least of your problems.
- Tom
------------------------------
Date: Wed, 05 Jul 2000 21:39:41 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <n577ms4imvg16avtm9l9mlhendjv11m9qc@4ax.com>
On Wed, 05 Jul 2000 08:46:20 -0500, Tom Briles <sariq@texas.net>
wrote:
> Magic wrote:
> >
> > I did find a copy of "CGI.pm" in my ActiveState Perl folder
> > so I uploaded that into my cgi-bin and now it does. I wonder what
> > else is missing from the "default installation" on my ISP... and how
> > much bad luck can one guy have with Perl.. :o(
>
> Check the output of perl -v (or -V). If you are using a Perl that's
> too old to have CGI.pm in the distribution, the security holes *you*
> leave open may be the least of your problems.
>
> - Tom
I have Perl5.. but (and this is so stupid I can hardly believe it)
"access to many of the modules supplied with it is on application only
and you must specifically request them for use with your account".
What a pain in the.....
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
------------------------------
Date: Wed, 05 Jul 2000 21:52:34 +0100
From: Magic <Magic@mattnet.freeserve.co.uk>
Subject: Re: My "replace a word in an HTML file" problem (CGI)
Message-Id: <tr77msobb3gvs841nsom686rue0e2el80t@4ax.com>
On 4 Jul 2000 13:14:39 -0800, yf110@vtn1.victoria.tc.ca (Malcolm
Dew-Jones) wrote:
> Instead of trying to decide what makes the name *unsafe*, you should
> instead decide what makes a name safe and then check the name is
> safe.
>
> That's a general security rule - define what's good, test that
> things are good and reject anything not known to be good.
>
> # \w checks for word characters (alphanumeric plus "_")
> # \W checks for anything NOT a word
> #
> # word characters are pretty flexible for filenames, and totally
> # safe, so let's allow only them.
> #
> # test for non-word character anywhere in name
> if ($file_to_open =~ m/\W/)
> { # reject the file
> print "sorry, filename must be only word characters";
> }
This is a good idea, but I think it presents me with a problem... my
filenames contain a "." and can also contain a "/", because they are
HTML files which do not always have to be parsed by the script.
How would I modify this to allow "." and "/" so that the file
"folder/page.html" could be processed?
Magic ==|:o)
--
Location : Portsmouth, England, UK
Homepage : http://www.mattnet.freeserve.co.uk
EMail : mailto:Magic@mattnet.freeserve.co.uk
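Malcolm's rule (describe what is good and reject everything else) extended to the "folder/page.html" names Magic asks about, as an added example that is not code from the thread: the allowlist becomes one anchored regex over path segments, the capture is what untaints the name under -T, and realpath() confirms the resolved file still lies under $html_dir. The function names, the ".html" suffix requirement and the test names are assumptions; $html_dir is the directory from Magic's script.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use Scalar::Util qw(tainted);

# The directory posted in the thread; everything else here is assumed.
my $html_dir = "/usr/home/fut589/public_html";

# validate_name applies Malcolm's rule to names like "folder/page.html":
# describe the good names in one anchored regex and reject all others.
# A segment is \w+ with optional ".\w+" groups, segments are joined by a
# single "/", and the name must end in ".html". Returns the clean name,
# or undef if rejected.
sub validate_name {
    my ($name) = @_;
    return undef unless defined $name;
    my $segment = qr/\w+(?:\.\w+)*/;
    # Capturing into $clean is what untaints under -T: only data that
    # matched the allowlist reaches open(). "..", "|", NUL, a leading "/"
    # and empty segments all fail to match.
    my ($clean) = $name =~ m{^($segment(?:/$segment)*\.html)\z};
    return $clean;
}

# resolve_page turns a validated name into an absolute path and confirms,
# after symlink resolution, that it still lies inside $html_dir.
# Returns undef if the name is rejected, the file is missing, or a
# symlink leads outside the tree.
sub resolve_page {
    my ($name) = @_;
    my $clean = validate_name($name);
    return undef unless defined $clean;
    my $real = realpath(File::Spec->catfile($html_dir, $clean));
    my $base = realpath($html_dir);
    return undef unless defined $real && defined $base;
    return undef unless index($real, "$base/") == 0;
    return $real;
}

# Constructed names for a quick check; the first two pass validation,
# the rest never reach open().
for my $n ("navbar.html", "folder/page.html", "../etc/passwd",
           "a|b.html", "/etc/passwd", "page.html\0.txt",
           "folder//page.html", "page.html\n") {
    (my $shown = $n) =~ s/([\0\n])/sprintf '\\x%02x', ord $1/ge;
    my $clean = validate_name($n);
    printf "%-24s => %s\n", $shown, defined $clean ? "ok: $clean" : "REJECTED";
}

# Run as "perl -T this.pl" with PAGE set to watch the taint flag clear:
# %ENV is tainted, the captured name is not.
my $raw   = $ENV{PAGE} // "folder/page.html";   # constructed default
my $clean = validate_name($raw) // '';
printf "raw tainted=%d, validated tainted=%d\n",
       tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;
print defined resolve_page($raw) ? "file exists inside $html_dir\n"
                                 : "not served (rejected or missing)\n";
```

The regex answers Magic's question directly: "." and "/" are allowed only in the positions the good names use them, so there is no separate "strip .." step to get wrong. The realpath() containment check is the extra step for the case the regex cannot see, a symlink inside the tree that points elsewhere.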
------------------------------
Date: Wed, 05 Jul 2000 17:09:19 -0700
From: Pavel Klimochkin <pavelk@netscape.com>
Subject: ndbm store returned -1, errno 28, key "342333"
Message-Id: <3963CE2F.D7B6EA28@netscape.com>
Can anyone explain what exactly errno 28 and 29 mean?
I'm getting this error when using hash tied to NDBM.
How to avoid this?
------------------------------
Date: Thu, 06 Jul 2000 01:58:40 GMT
From: Bob Walton <bwalton@rochester.rr.com>
Subject: Re: ndbm store returned -1, errno 28, key "342333"
Message-Id: <3963E817.B6C81253@rochester.rr.com>
Pavel Klimochkin wrote:
>
> Can anyone explain what exactly errno 28 and 29 mean?
> I'm getting this error when using hash tied to NDBM.
> How to avoid this?
I think you'll have to look up the docs for your computer's version of
NDBM. Probably man ndbm. Your problems, though, are probably related
to keys or values which exceed the length limits imposed by your
implementation of NDBM. Things are happiest with keys and values that
are less than a few hundred bytes long. If that is the problem, the
easiest fix would be to switch to DB_File, with which you shouldn't have
those hassles.
--
Bob Walton
------------------------------
Date: 16 Sep 99 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 16 Sep 99)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
| NOTE: The mail to news gateway, and thus the ability to submit articles
| through this service to the newsgroup, has been removed. I do not have
| time to individually vet each article to make sure that someone isn't
| abusing the service, and I no longer have any desire to waste my time
| dealing with the campus admins when some fool complains to them about an
| article that has come through the gateway instead of complaining
| to the source.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V9 Issue 3581
**************************************