[16215] in Perl-Users-Digest
Perl-Users Digest, Issue: 3627 Volume: 9
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Tue Jul 11 18:25:51 2000
Date: Tue, 11 Jul 2000 15:25:37 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <963354337-v9-i3627@ruby.oce.orst.edu>
Content-Type: text
Perl-Users Digest Tue, 11 Jul 2000 Volume: 9 Number: 3627
Today's topics:
syntax error in cgi script under IIS causes download pr <fchanny@lbl.gov>
Re: syntax error in cgi script under IIS causes downloa (Clinton A. Pierce)
Re: syntax error in cgi script under IIS causes downloa <bart.lateur@skynet.be>
Re: syntax error in cgi script under IIS causes downloa <fchanny@lbl.gov>
tunnel DBI through ssh? <memmett@fraser.sfu.ca>
Re: tunnel DBI through ssh? <care227@attglobal.net>
Re: tunnel DBI through ssh? <brian@bluecoat93.org>
Re: Unique Items (Tim)
Re: Welcome to.... <richie@entrian.com>
Re: Welcome to.... <uri@sysarch.com>
Re: Welcome to.... (Craig Berry)
Re: Welcome to.... <uri@sysarch.com>
Re: Welcome to.... (Malcolm Dew-Jones)
Re: Which one is better? $_[0] or shift? <prakash@gate.net>
Re: Which one is better? $_[0] or shift? <lr@hpl.hp.com>
Re: Which one is better? $_[0] or shift? <thoren@southern-division.com>
Re: Which one is better? $_[0] or shift? (Craig Berry)
Re: Which one is better? $_[0] or shift? (Tad McClellan)
Re: Which one is better? $_[0] or shift? <lr@hpl.hp.com>
Digest Administrivia (Last modified: 16 Sep 99) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Tue, 11 Jul 2000 11:30:38 -0700
From: Frank Hanny <fchanny@lbl.gov>
Subject: syntax error in cgi script under IIS causes download prompt
Message-Id: <396B67CE.343E75A5@lbl.gov>
We are running perl ( Active State ver. 5.00503) CGI scripts from an NT
server using Microsoft IIS.
Ordinarily, syntax errors in the perl program display in the browser
window. The commented out version of the "foreach" (with semicolon) in
the
sample program below produces:
CGI Error
The specified CGI application misbehaved by not returning a complete set
of HTTP headers. The headers it did return are: syntax error at
mypath\ftpbug.pl line 11, near "$msg;" Execution of mypath\ftpbug.pl
aborted due to compilation errors.
However, certain syntax errors (the foreach without the semicolon )
cause the browser (both Netscape 4.73 and IE 5) to prompt the user to
download the offending perl script, and no useful error messages are
produced. This makes debugging difficult and presents a security
problem.
The sample program below will cause this condition.
Is this an IIS configuration issue, a perl configuration issue, a perl
bug, or something else? It has been suggested that IIS is reporting the
wrong MIME type for the error message.
Thanks for any assistance,
Frank Hanny
FCHanny@lbl.gov
#!/bin/perl -w
use strict;
use CGI;
my $q;
my $msg;
$q = new CGI;
foreach $msg #<<<<<< syntax error causes download prompt
#foreach $msg; #<<<<<< syntax error causes useful error msg
print
$q->header(),
$q->start_html(),
$msg,
$q->end_html(),
;
------------------------------
Date: Tue, 11 Jul 2000 21:05:45 GMT
From: clintp@geeksalad.org (Clinton A. Pierce)
Subject: Re: syntax error in cgi script under IIS causes download prompt
Message-Id: <J_La5.32466$fR2.299947@news1.rdc1.mi.home.com>
[Posted and mailed]
In article <396B67CE.343E75A5@lbl.gov>,
Frank Hanny <fchanny@lbl.gov> writes:
> Is this an IIS configuration issue, a perl configuration issue, a perl
> bug, or something else? It has been suggested that IIS is reporting the
> wrong MIME type for the error message.
No, no. When the CGI program fails and bizarre headers are sent back
anything goes. Downloading of the script, though, is just weird. And
probably a configuraion issue.
> #!/bin/perl -w
> use strict;
> use CGI;
One of these is helpful right after there:
use CGI::Carp qw(fatalsToBrowser);
Will cause Perl to emit some rudimentary headers if the script dies
prematurely. This can help a lot during debugging.
--
Clinton A. Pierce Teach Yourself Perl in 24 Hours!
clintp@geeksalad.org for details see http://www.geeksalad.org
"If you rush a Miracle Man,
you get rotten Miracles." --Miracle Max, The Princess Bride
------------------------------
Date: Tue, 11 Jul 2000 23:31:08 +0200
From: Bart Lateur <bart.lateur@skynet.be>
Subject: Re: syntax error in cgi script under IIS causes download prompt
Message-Id: <d64nms81c1ndtn18uuo8k576taii2ikcpp@4ax.com>
Frank Hanny wrote:
>We are running perl ( Active State ver. 5.00503) CGI scripts from an NT
>server using Microsoft IIS.
>However, certain syntax errors (the foreach without the semicolon )
>cause the browser (both Netscape 4.73 and IE 5) to prompt the user to
>download the offending perl script, and no useful error messages are
>produced.
Probably an IIS problem, if it fails on Netscape as well.
Look, try this script:
print "Content-type: text/plain\n\n";
print "Hello, world!\n";
Do what you like, but my guess is that you can't make this work, i.e.
simply print out "Hello, world!" in the browser window. It will probably
try to download the source for this script. Maybe it's fixed in newer
versions of IIS, but I'm not sure.
I found a similar bug in in IE5, with any server. Make a script like the
one above, i.e. one returning content-type "text/plain"give it a .pl
extension, and now, IE5 will insist on downloading the output of this
script, and run it using Perl. Of course, this give proper results.
You can always depend on MS to screw things up.
--
Bart.
------------------------------
Date: Tue, 11 Jul 2000 14:44:11 -0700
From: Frank Hanny <fchanny@lbl.gov>
To: "Clinton A. Pierce" <clintp@geeksalad.org>
Subject: Re: syntax error in cgi script under IIS causes download prompt
Message-Id: <396B952B.8B4A3FA@lbl.gov>
Clinton,
Thanks for the suggestion. However, in my environment, Carp produces
less, rather than more, informative messages, and does not prevent the
download prompt.
Frank Hanny
FCHanny@lbl.gov
"Clinton A. Pierce" wrote:
>
> [Posted and mailed]
>
> In article <396B67CE.343E75A5@lbl.gov>,
> Frank Hanny <fchanny@lbl.gov> writes:
> > Is this an IIS configuration issue, a perl configuration issue, a perl
> > bug, or something else? It has been suggested that IIS is reporting the
> > wrong MIME type for the error message.
>
> No, no. When the CGI program fails and bizarre headers are sent back
> anything goes. Downloading of the script, though, is just weird. And
> probably a configuraion issue.
>
> > #!/bin/perl -w
> > use strict;
> > use CGI;
>
> One of these is helpful right after there:
>
> use CGI::Carp qw(fatalsToBrowser);
>
> Will cause Perl to emit some rudimentary headers if the script dies
> prematurely. This can help a lot during debugging.
>
> --
> Clinton A. Pierce Teach Yourself Perl in 24 Hours!
> clintp@geeksalad.org for details see http://www.geeksalad.org
> "If you rush a Miracle Man,
> you get rotten Miracles." --Miracle Max, The Princess Bride
------------------------------
Date: 11 Jul 2000 12:58:15 -0700
From: Matthew Emmett <memmett@fraser.sfu.ca>
Subject: tunnel DBI through ssh?
Message-Id: <yvw9ituce8x4.fsf@fraser.sfu.ca>
Hi all,
Is it possible to tunnel DBI connections through ssh?
Thanks,
Matt
------------------------------
Date: Tue, 11 Jul 2000 15:59:28 -0400
From: Drew Simonis <care227@attglobal.net>
Subject: Re: tunnel DBI through ssh?
Message-Id: <396B7CA0.C0059966@attglobal.net>
Matthew Emmett wrote:
>
> Hi all,
>
> Is it possible to tunnel DBI connections through ssh?
Might want to try asking this one in comp.security.ssh
------------------------------
Date: Tue, 11 Jul 2000 16:31:41 -0400
From: "Brian Landers" <brian@bluecoat93.org>
Subject: Re: tunnel DBI through ssh?
Message-Id: <DtLa5.6381$6s4.80081@news1.atl>
It depends on the database you're connecting to. For databases that are
accessed using TCP (or UDP, although I can't think of one that uses UDP),
you should very easily be able to tunnel the socket connection to the
database over ssh.
It isn't really an issue of Perl/DBI as much as your database client. Might
be better off asking this on an SSH newsgroup.
Cheers,
Brian
"Matthew Emmett" <memmett@fraser.sfu.ca> wrote in message
news:yvw9ituce8x4.fsf@fraser.sfu.ca...
>
> Hi all,
>
> Is it possible to tunnel DBI connections through ssh?
>
> Thanks,
> Matt
------------------------------
Date: Tue, 11 Jul 2000 21:09:50 GMT
From: SPAM+indigo@dimensional.com (Tim)
Subject: Re: Unique Items
Message-Id: <8F6E9E7BFindigodimcom@166.93.207.145>
philip.hibbs@tnt.co.uk wrote in <8kc7gh$bt1$1@nnrp1.deja.com>:
>From the FAQ:
>
>How can I extract just the unique elements of an array?
>
>b) If you don't know whether @in is sorted:
>
>undef %saw;
>@out = grep(!$saw{$_}++, @in);
>
>
>How can I modify this to build an array of modified elements? I tried
>this:
>
>@out = grep(!$saw{s/(.*)/xxx$1/}++, @in);
>
>but it didn't work, it just made a single element array.
Yup. s// returns the number of substitutions, not the resulting
string.
>Does the above (the FAQ answer) retain the order of the original array,
>or is it just a coincidcence that it looks like it does?
Order is retained.
While there might be some esoteric magic way to do what you want
in once swell foop, you probably want to uniquify, then modify.
If you don't require order to be retained, this is a little more
approachable to new Perl programmers:
my %saw;
$saw{$_} = 1 for @in;
my @modout = map "xxx$_", keys %saw;
Otherwise, you can use map with the sexier version:
my %saw;
my @modout = map "xxx$_", grep !$saw{$_}++, @in;
-T
------------------------------
Date: Tue, 11 Jul 2000 19:46:44 +0100
From: Richie Hindle <richie@entrian.com>
Subject: Re: Welcome to....
Message-Id: <esqmms0m8pceu3j30nm27jvitlk9ervab5@4ax.com>
> The question of allowing a user to specify a filename that will be used
> in the open(), however, is more problematic and is prone to grave
> security risks. Perl however does provide a mechanism (taint checking)
> that helps you do things in a more secure way
Forgive me if I'm wrong, but isn't taint checking a red herring in this
discussion? perlsec says, "Perl doesn't prevent you from opening tainted
filenames for reading" and that seems to be true for "rm -rf / |" as well
as for 'normal' filenames.
I've tested Magic's original script with taint checking on (and a couple
of minor tweaks to make it work, like cleaning up the PATH), and it still
removed all my files. 8-)
This is the least of the problems I have with taint checking. Since
extracting strings from other strings using regular expressions is just
about the most common construct in (my) Perl code, taint checking seems to
be barely useful. I can't help but think that I've missed something (or
else taint checking was ill-conceived, which is hard to believe), but I've
not seen anything that explains _what_ I've missed. Why was regular
expression matching chosen as the method by which strings should be
untainted? I'm having trouble following that decision - I'm sure there's
a good reason for it but I've never seen it. Also, is there a way to use
regular expression matching _without_ untainting the strings?
--
Richie Hindle
richie@entrian.com
------------------------------
Date: Tue, 11 Jul 2000 18:57:59 GMT
From: Uri Guttman <uri@sysarch.com>
Subject: Re: Welcome to....
Message-Id: <x7sntglcjw.fsf@home.sysarch.com>
>>>>> "RH" == Richie Hindle <richie@entrian.com> writes:
RH> Forgive me if I'm wrong, but isn't taint checking a red herring in this
RH> discussion? perlsec says, "Perl doesn't prevent you from opening tainted
RH> filenames for reading" and that seems to be true for "rm -rf / |" as well
RH> as for 'normal' filenames.
you are forgiven.
RH> I've tested Magic's original script with taint checking on (and a couple
RH> of minor tweaks to make it work, like cleaning up the PATH), and it still
RH> removed all my files. 8-)
tough luck.
RH> This is the least of the problems I have with taint checking. Since
RH> extracting strings from other strings using regular expressions is just
RH> about the most common construct in (my) Perl code, taint checking seems to
RH> be barely useful. I can't help but think that I've missed something (or
RH> else taint checking was ill-conceived, which is hard to believe), but I've
RH> not seen anything that explains _what_ I've missed. Why was regular
RH> expression matching chosen as the method by which strings should be
RH> untainted? I'm having trouble following that decision - I'm sure there's
RH> a good reason for it but I've never seen it. Also, is there a way to use
RH> regular expression matching _without_ untainting the strings?
you are missing the point. tainting doesn't prevent anything from
happening. it is meant to make sure YOU (the programmer) is consciously
aware of the potentially dirty data coming into the program. what you do
to untaint it is up to you and can still be massively wrong.
so to prevent the open/rm fiasco you check for meta chars and quote them
or other similar thing. you just don't match the string, you match it
against a pattern which will leave you with a safe file name to try to
open (without pipes, etc.).
uri
--
Uri Guttman --------- uri@sysarch.com ---------- http://www.sysarch.com
SYStems ARCHitecture, Software Engineering, Perl, Internet, UNIX Consulting
The Perl Books Page ----------- http://www.sysarch.com/cgi-bin/perl_books
The Best Search Engine on the Net ---------- http://www.northernlight.com
------------------------------
Date: Tue, 11 Jul 2000 20:34:20 GMT
From: cberry@cinenet.net (Craig Berry)
Subject: Re: Welcome to....
Message-Id: <smn16c1nnd658@corp.supernews.com>
Uri Guttman (uri@sysarch.com) wrote:
: so to prevent the open/rm fiasco you check for meta chars and quote them
: or other similar thing. you just don't match the string, you match it
: against a pattern which will leave you with a safe file name to try to
: open (without pipes, etc.).
I believe the point was that it would seem reasonable for open() to choke
on tainted arguments under -T, as e.g. system() does. That it does not is
a trap for those relying on -T to catch places they should be screening
user-supplied data.
--
| Craig Berry - http://www.cinenet.net/users/cberry/home.html
--*-- "Beauty and strength, leaping laughter and delicious
| languor, force and fire, are of us." - Liber AL II:20
------------------------------
Date: Tue, 11 Jul 2000 20:58:45 GMT
From: Uri Guttman <uri@sysarch.com>
Subject: Re: Welcome to....
Message-Id: <x7og44l6yk.fsf@home.sysarch.com>
>>>>> "CB" == Craig Berry <cberry@cinenet.net> writes:
CB> Uri Guttman (uri@sysarch.com) wrote:
CB> : so to prevent the open/rm fiasco you check for meta chars and quote them
CB> : or other similar thing. you just don't match the string, you match it
CB> : against a pattern which will leave you with a safe file name to try to
CB> : open (without pipes, etc.).
CB> I believe the point was that it would seem reasonable for open() to choke
CB> on tainted arguments under -T, as e.g. system() does. That it does not is
CB> a trap for those relying on -T to catch places they should be screening
CB> user-supplied data.
good point. in fact, it should detect a piped open (it has to as it is)
and barf if that is tainted. plain opens might be let through. or just
barf on any tainted open. but relying on taint to hold your hand is not
good. it is a tool, not s safeguard. you should check all critical data
without taint telling you to do so
uri
--
Uri Guttman --------- uri@sysarch.com ---------- http://www.sysarch.com
SYStems ARCHitecture, Software Engineering, Perl, Internet, UNIX Consulting
The Perl Books Page ----------- http://www.sysarch.com/cgi-bin/perl_books
The Best Search Engine on the Net ---------- http://www.northernlight.com
------------------------------
Date: 11 Jul 2000 13:58:34 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: Welcome to....
Message-Id: <396b8a7a@news.victoria.tc.ca>
Richie Hindle (richie@entrian.com) wrote:
: be barely useful. I can't help but think that I've missed something (or
: else taint checking was ill-conceived, which is hard to believe), but I've
For what its worth, JavaScript in an earlier version on Netscape Browser
had the same concept - tainting. It was presumably based on the perl
ideas, since they copied some other stuff like RE syntax.
It was abandoned, because it
" was an evolutionary dead end."
(JavaScript, The Definitive Guide 3rd ed. by O'Reilly, page 387)
------------------------------
Date: 11 Jul 2000 19:52:28 GMT
From: Prakash Kailasa <prakash@gate.net>
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <8kftts$ub4$1@news.gate.net>
Ilmari Karonen <iltzu@sci.invalid> wrote:
: In article <8k8vrn$d7g$1@localhost.localdomain>, Neil Kandalgaonkar wrote:
: >I usually do:
: > my ($var) = @_;
: >
: >shift gets tedious after two or more arguments. Sometimes it
: >is good for idioms like
: > my $arg = shift if (condition);
: A useful idiom for optional arguments is:
: my $optional = @_ ? shift : 'default';
How about:
my $optional = shift || 'default';
/prakash
------------------------------
Date: Tue, 11 Jul 2000 13:27:02 -0700
From: Larry Rosler <lr@hpl.hp.com>
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <MPG.13d522f45c2c5bb98abb5@nntp.hpl.hp.com>
In article <8kftts$ub4$1@news.gate.net> on 11 Jul 2000 19:52:28 GMT,
Prakash Kailasa <prakash@gate.net> says...
> Ilmari Karonen <iltzu@sci.invalid> wrote:
> : In article <8k8vrn$d7g$1@localhost.localdomain>, Neil Kandalgaonkar wrote:
> : >I usually do:
> : > my ($var) = @_;
> : >
> : >shift gets tedious after two or more arguments. Sometimes it
> : >is good for idioms like
> : > my $arg = shift if (condition);
>
> : A useful idiom for optional arguments is:
>
> : my $optional = @_ ? shift : 'default';
>
> How about:
>
> my $optional = shift || 'default';
Provided any of the possible defined-but-false values (0 or '0' or "")
is to be replaced by 'default'.
The interest in the '??' operator -- (A ?? B) is the same as (defined A
? A : B) -- seems to have waned. Someone should revive it, at it is a
natural for problems such as this.
--
(Just Another Larry) Rosler
Hewlett-Packard Laboratories
http://www.hpl.hp.com/personal/Larry_Rosler/
lr@hpl.hp.com
------------------------------
Date: Tue, 11 Jul 2000 22:38:04 +0200
From: "Thoren Johne" <thoren@southern-division.com>
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <8kg0ki$dc$17$1@news.t-online.com>
Prakash Kailasa <prakash@gate.net> wrote in message
news:8kftts$ub4$1@news.gate.net...
> Ilmari Karonen <iltzu@sci.invalid> wrote:
> : A useful idiom for optional arguments is:
> : my $optional = @_ ? shift : 'default';
> How about:
>
> my $optional = shift || 'default';
how about a test?
###########
#!/usr/local/bin/perl -w
use strict;
sub good_solution {
my $optional = @_ ? shift : 'default';
}
sub bad_try {
my $optional = shift || 'default';
}
my $value = 0.0;
print good_solution $value;
print "\n";
print bad_try $value;
###########
result:
0
default
do we need to explain? ;)
gruß
thoren
8#X
--
----------------------------------------------------------------------
Thoren Johne - 8#X - thoren@southern-division.com
Southern Division Classic Bikes - www.southern-division.com
------------------------------
Date: Tue, 11 Jul 2000 20:54:33 GMT
From: cberry@cinenet.net (Craig Berry)
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <smn2c9lrnd6175@corp.supernews.com>
Prakash Kailasa (prakash@gate.net) wrote:
: Ilmari Karonen <iltzu@sci.invalid> wrote:
: : A useful idiom for optional arguments is:
:
: : my $optional = @_ ? shift : 'default';
:
: How about:
:
: my $optional = shift || 'default';
What if the caller wants $optional to be 0 or '' or undef?
--
| Craig Berry - http://www.cinenet.net/users/cberry/home.html
--*-- "Beauty and strength, leaping laughter and delicious
| languor, force and fire, are of us." - Liber AL II:20
------------------------------
Date: Tue, 11 Jul 2000 15:41:02 -0400
From: tadmc@metronet.com (Tad McClellan)
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <slrn8mmu2e.4he.tadmc@magna.metronet.com>
On 11 Jul 2000 19:52:28 GMT, Prakash Kailasa <prakash@gate.net> wrote:
>Ilmari Karonen <iltzu@sci.invalid> wrote:
>: A useful idiom for optional arguments is:
>
>: my $optional = @_ ? shift : 'default';
>
>How about:
>
> my $optional = shift || 'default';
Thats fine if you don't mind it not working correctly when
$_[0] = '0'; # exists, but is false
or
$_[0] = 0;
"existance" (what Ilmari tests) and "truth" (what you test)
are not the same thing.
--
Tad McClellan SGML Consulting
tadmc@metronet.com Perl programming
Fort Worth, Texas
------------------------------
Date: Tue, 11 Jul 2000 14:54:15 -0700
From: Larry Rosler <lr@hpl.hp.com>
Subject: Re: Which one is better? $_[0] or shift?
Message-Id: <MPG.13d5375eb2b87da598abb7@nntp.hpl.hp.com>
In article <smn2c9lrnd6175@corp.supernews.com> on Tue, 11 Jul 2000
20:54:33 GMT, Craig Berry <cberry@cinenet.net> says...
> Prakash Kailasa (prakash@gate.net) wrote:
> : Ilmari Karonen <iltzu@sci.invalid> wrote:
> : : A useful idiom for optional arguments is:
> :
> : : my $optional = @_ ? shift : 'default';
> :
> : How about:
> :
> : my $optional = shift || 'default';
>
> What if the caller wants $optional to be 0 or '' or undef?
I'm sure the point is to replace undef by 'default'. Otherwise why
bother with providing the default at all?
But you are of course right about 0 or "", as several posts have
observed.
--
(Just Another Larry) Rosler
Hewlett-Packard Laboratories
http://www.hpl.hp.com/personal/Larry_Rosler/
lr@hpl.hp.com
------------------------------
Date: 16 Sep 99 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 16 Sep 99)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
| NOTE: The mail to news gateway, and thus the ability to submit articles
| through this service to the newsgroup, has been removed. I do not have
| time to individually vet each article to make sure that someone isn't
| abusing the service, and I no longer have any desire to waste my time
| dealing with the campus admins when some fool complains to them about an
| article that has come through the gateway instead of complaining
| to the source.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V9 Issue 3627
**************************************
