[18643] in Perl-Users-Digest
Perl-Users Digest, Issue: 811 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Tue May 1 11:06:46 2001
Date: Tue, 1 May 2001 08:05:12 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <988729512-v10-i811@ruby.oce.orst.edu>
Content-Type: text
Perl-Users Digest Tue, 1 May 2001 Volume: 10 Number: 811
Today's topics:
Re: Capturing the output of perl -c myfile.pl (Rudolf Polzer)
Re: CGI/Perl scripts not readable ! <gtoomey@usa.net>
Re: CGI/Perl scripts not readable ! <gtoomey@usa.net>
Re: CGI/Perl scripts not readable ! (Rudolf Polzer)
Re: Closures and hash tables <e_bachmann@hotmail.com>
Re: Closures and hash tables (Randal L. Schwartz)
Re: Closures and hash tables (Tad McClellan)
Re: Getting IP address and not a proxy one? <bowman@montana.com>
Re: Getting IP address and not a proxy one? (Michael Fuhr)
Re: Getting IP address and not a proxy one? (Rudolf Polzer)
Re: glob questions <bart.lateur@skynet.be>
Re: glob questions <"relaxedrob@optushome.com.au">
Re: Hacker challenge. Can you break this script for me? <godzilla@stomp.stomp.tokyo>
Re: Hacker challenge. Can you break this script for me? <jfreeman@tassie.net.au>
Re: Hacker challenge. Can you break this script for me? <jfreeman@tassie.net.au>
Re: Hacker challenge. Can you break this script for me? <godzilla@stomp.stomp.tokyo>
Re: Hacker challenge. Can you break this script for me? (Randal L. Schwartz)
Re: Hacker Challenge. Can you break this script for me? <godzilla@stomp.stomp.tokyo>
Re: How to: Create Regex which extracts N number of wor (Richard J. Rauenzahn)
Re: How to: Create Regex which extracts N number of wor <notmyrealemail@example.com>
Re: misleading taint error message with DBI? (William Herrera)
Re: misleading taint error message with DBI? (William Herrera)
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Tue, 1 May 2001 18:45:13 +0200
From: eins@durchnull.de (Rudolf Polzer)
Subject: Re: Capturing the output of perl -c myfile.pl
Message-Id: <slrn9etq0o.d8k.eins@www42.t-offline.de>
Jfreeman <jfreeman@tassie.net.au> wrote:
> Hi All
>
> I have a perl parsing script that will strip the comments off 100% of the perl
> in the standard distribution (about 120,000 lines in ~600 scripts). For details
> on this program see the Hacker Challenge thread.
>
> A central part of this script is a compile checker. Because a parser that strips
> comments and concatenates a script may potentially break a script if it makes a
> parsing error the simple approach taken in this script is as follows:
Perhaps you could look at B::Bytecode. At least it compiles
#!/usr/bin/perl
print 1;
and
#!/usr/bin/perl
print 000000000001; # some comment
created different output on
perl -MO=Bytecode,-O6,-S x.pl > x.out
, but the .S files differed only in one line: a cop_line directive (line
number). I think when you strip out these lines, you can directly compare
and leave out an optimization when it fails.
--
#!/usr/bin/perl -- Random sig generator. Editor command in slrn => ~/siggs
$F=shift;open H,"+<$F";$_=join"",<H>;$s=index$_,"\n\n-- \n";$s<0||truncate
H,$s;close H;system"$ENV{EDITOR} $F</dev/tty>/dev/tty";$s=$n=0;for#sichtig
(<~/siggs/*>){++$n;int rand$n or$s=$_};`(echo "\n\n-- ")|cat - $s>>$F`+nan
------------------------------
Date: Tue, 1 May 2001 23:14:24 +1000
From: "Gregory Toomey" <gtoomey@usa.net>
Subject: Re: CGI/Perl scripts not readable !
Message-Id: <qryH6.15577$482.79867@newsfeeds.bigpond.com>
Unix ends lines with carriage return.
Windoze ends lines with line feed, carriage return.
This causes problems in notepad when you copy files from Unix.
Try a Windows editor like Lemmy 3.0 (at download.com).
It handles all the line termination stuff properly.
gtoomey
---------
"Tony Van der Voort" <tvdv@advalvas.be> wrote in message
news:3aeeb164.13858992@news.skynet.be...
> I'm hosting webspace and on that space there are a lot of CGI/Perl
> scripts pre-installed. But, when I download them on my harddisk and
> want to look to the code, i have only unreadable rubbish.
>
> What's the reason of that ? Is there a way to compile CGI/Perl code
> before uploading to the server, so that other people that comes on
> that server cannot look in the original code ?
------------------------------
Date: Tue, 1 May 2001 23:14:24 +1000
From: "Gregory Toomey" <gtoomey@usa.net>
Subject: Re: CGI/Perl scripts not readable !
Message-Id: <EAyH6.15591$482.79592@newsfeeds.bigpond.com>
Unix ends lines with carriage return.
Windoze ends lines with line feed, carriage return.
This causes problems in notepad when you copy files from Unix.
Try a Windows editor like Lemmy 3.0 (at download.com).
It handles all the line termination stuff properly.
gtoomey
---------
"Tony Van der Voort" <tvdv@advalvas.be> wrote in message
news:3aeeb164.13858992@news.skynet.be...
> I'm hosting webspace and on that space there are a lot of CGI/Perl
> scripts pre-installed. But, when I download them on my harddisk and
> want to look to the code, i have only unreadable rubbish.
>
> What's the reason of that ? Is there a way to compile CGI/Perl code
> before uploading to the server, so that other people that comes on
> that server cannot look in the original code ?
------------------------------
Date: Tue, 1 May 2001 18:59:41 +0200
From: eins@durchnull.de (Rudolf Polzer)
Subject: Re: CGI/Perl scripts not readable !
Message-Id: <slrn9etqrt.d8k.eins@www42.t-offline.de>
Gregory Toomey <gtoomey@usa.net> wrote: [Jeopardy rearranged]
> "Tony Van der Voort" <tvdv@advalvas.be> wrote in message
> news:3aeeb164.13858992@news.skynet.be...
> > I'm hosting webspace and on that space there are a lot of CGI/Perl
> > scripts pre-installed. But, when I download them on my harddisk and
> > want to look to the code, i have only unreadable rubbish.
> >
> > What's the reason of that ? Is there a way to compile CGI/Perl code
> > before uploading to the server, so that other people that comes on
> > that server cannot look in the original code ?
>
> Unix ends lines with carriage return.
> Windoze ends lines with line feed, carriage return.
> This causes problems in notepad when you copy files from Unix.
>
> Try a Windows editor like Lemmy 3.0 (at download.com).
> It handles all the line termination stuff properly.
Even the MS-DOS Editor (Start -> Run -> type "edit" in the box) can read UNIX
files. But it makes CRLF files on saving. Alternatively, one can try downloading
the files in ASCII mode from the server (any good FTP client can do this,
plain IE 5.x cannot).
And please write your answer _under_ the text.
--
#!/usr/bin/perl -- Random sig generator. Editor command in slrn => ~/siggs
$F=shift;open H,"+<$F";$_=join"",<H>;$s=index$_,"\n\n-- \n";$s<0||truncate
H,$s;close H;system"$ENV{EDITOR} $F</dev/tty>/dev/tty";$s=$n=0;for#sichtig
(<~/siggs/*>){++$n;int rand$n or$s=$_};`(echo "\n\n-- ")|cat - $s>>$F`+nan
------------------------------
Date: Tue, 1 May 2001 15:59:04 +0200
From: "Erik Bachmann" <e_bachmann@hotmail.com>
Subject: Re: Closures and hash tables
Message-Id: <KizH6.204$Qj7.12081@news.get2net.dk>
"Damian James" <damian@qimr.edu.au> wrote in message
news:slrn9et8ee.7vm.damian@puma.qimr.edu.au...
> $MAIN::format{$fieldcode}{$subfield_tag}{func}->();
>
> or
>
> &{$MAIN::format{$fieldcode}{$subfield_tag}{func}};
>
> See perldoc perlref.
>
> You should familiarise yourself with the online docs.
Re-reading the output AND the code is a nice trick too :-/
Using:
%MAIN::format = ( "001" => { "a" => { "func" => \&myfunc(
$subfield ) } } );
makes
$MAIN::format{$fieldcode}{$subfield_tag}{func} ;
a scalar reference.
Using:
%MAIN::format = ( "001" => { "a" => { "func" => sub { myfunc(
$subfield ) } } } );
turns it into CODE.
Conclusion: CODE references are easier to execute than SCALAR ones.
Thanks
Erik Bachmann
------------------------------
Date: 01 May 2001 07:12:05 -0700
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: Re: Closures and hash tables
Message-Id: <m1zocx40qy.fsf@halfdome.holdit.com>
>>>>> "Erik" == Erik Bachmann <e_bachmann@hotmail.com> writes:
Erik> Closures and hash tables
Your subject line is misleading. You're not making a closure,
because you're not referencing any variables that are going out
of scope. The "going out of scope" part is crucial.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
------------------------------
Date: Tue, 1 May 2001 10:04:24 -0400
From: tadmc@augustmail.com (Tad McClellan)
Subject: Re: Closures and hash tables
Message-Id: <slrn9etgj8.iom.tadmc@tadmc26.august.net>
Erik Bachmann <e_bachmann@hotmail.com> wrote:
>
>The examples in the various O'Reilly Perl books are quite simple, but I
>can't figure out how to dereference the function in the example below.
>
>Can anyone help?
tacking "->(arguments)" onto the end of a CODE ref will dereference it.
>#!/usr/bin/perl
>
#!/usr/bin/perl -w
use strict;
>my $fieldcode="001";
>my $subfield_tag= "a" ;
>my $fields="";
>
>$subfield = "123";
>
>sub myfunc($) {
> my ($str) = @_ ;
> print STDERR "\nHello [$str]\n" ;
>}
>
>%MAIN::format = ( "001" => { "a" => { "func" => \&myfunc(
>$subfield ) } } );
You have not taken a reference to myfunc() there, you have taken
a reference to the return value from *calling* myfunc().
Including the parenthesis *calls* (executes) the function.
You should be able to tell that, as you are getting "Hello" output,
but have not called the func (because you haven't figured out how
to deref it yet).
>#===============================================================
>
>$subfield = "world" ;
>
>if ( $MAIN::format{$fieldcode}{$subfield_tag}{func} )
>{
> print "Function found\n" ;
> print STDERR ref $MAIN::format{$fieldcode}{$subfield_tag}{func} ;
ref() should be returning "CODE" there.
> $MAIN::format{$fieldcode}{$subfield_tag}{func} ;
$MAIN::format{$fieldcode}{$subfield_tag}{func}->($subfield);
It seems that what you really want to do is communicate with the
function via a global variable ($subfield) rather than passing
an argument. That is a Bad Idea, though it can be done. I recommend
doing it as above instead.
# add the arg to the hash
%MAIN::format = ( "001" => { "a" => { "func" => \&myfunc,
arg => \$subfield } } );
# deref in sub myfunc
print STDERR "\nHello [$$str]\n" ;
# call the function
$MAIN::format{$fieldcode}{$subfield_tag}{func}->
($MAIN::format{$fieldcode}{$subfield_tag}{arg}) ;
> print "Done\n" ;
>}
>else
>{
> print "Function NOT found\n" ;
>}
>
>__DATA__
>
>Current output:
>
> Hello [123]
> Function found
> SCALARDone
>
>Expected output:
>
> Function found
> SCALAR
Why are you expecting SCALAR there?
Seems you should be expecting CODE instead.
> Hello [world]
> Done
--
Tad McClellan SGML consulting
tadmc@augustmail.com Perl programming
Fort Worth, Texas
------------------------------
Date: Tue, 1 May 2001 07:29:44 -0600
From: "bowman" <bowman@montana.com>
Subject: Re: Getting IP address and not a proxy one?
Message-Id: <9RyH6.75$%g1.1946@newsfeed.slurp.net>
"Paul Brown" <paul.brown@ukinternetsites.com> wrote in message
news:xjxH6.20696$PP3.1583072@nnrp3.clara.net...
>
> Is there a module or another env which returns the user's actual IP address
> and not the network/proxy one?
What actual? I use a dialup account at home, so my IP address is dynamically
assigned and only persistent for the one session. From work, I'm firewalled,
so you only can see the front end, not my subnet addresses.
------------------------------
Date: 1 May 2001 07:30:51 -0600
From: mfuhr@dimensional.com (Michael Fuhr)
Subject: Re: Getting IP address and not a proxy one?
Message-Id: <9cmdqb$nbo@flatland.dimensional.com>
damian@qimr.edu.au (Damian James) writes:
> Paul Brown chose Tue, 1 May 2001 12:43:28 +0100 to say this:
> >...
> >After some digging I found it was done to that visitor using a proxy server
> >or a have a funny network setup. So my script logs the proxy server or the
> >network IP address - and not the users IP.
> >
> >Is there a module or another env which returns the user's actual IP address
> >and not the network/proxy one?
> >
>
> No, this is not even possible. The reasons have nothing to do with Perl.
It may be possible in a few cases. The Squid proxy by default adds the
HTTP header "X-Forwarded-For" with the requestor's IP address, which a
CGI program can read via the HTTP_X_FORWARDED_FOR environment variable.
However, less than 7% of the people who visit my site are using a Squid
proxy (as reported by the HTTP Via header), so this method would work
for only a small percentage of cases (your mileage may vary). And it
most definitely isn't a Perl issue.
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
------------------------------
Date: Tue, 1 May 2001 18:52:28 +0200
From: eins@durchnull.de (Rudolf Polzer)
Subject: Re: Getting IP address and not a proxy one?
Message-Id: <slrn9etqeb.d8k.eins@www42.t-offline.de>
bowman <bowman@montana.com> wrote:
>
> "Paul Brown" <paul.brown@ukinternetsites.com> wrote in message
> news:xjxH6.20696$PP3.1583072@nnrp3.clara.net...
> >
> > Is there a module or another env which returns the user's actual IP address
> > and not the network/proxy one?
>
> What actual? I use a dialup account at home, so my IP address is dynamically
> assigned and only persistent for the one session. From work, I'm firewalled,
> so you only can see the front end, not my subnet addresses.
Of course he could do this using Java. But then he will get the _real_ IP
(the IP before the proxy). Dial-in users that use a proxy in their browser
setup which they would not really need (Germany: browsers on the T-Online
CD-ROMs are preconfigured to use a proxy, but it can be disabled) would give
you the right IP then. But you may often get IPs like 192.168.0.1 (LAN) when
the user is behind a firewall. You could however combine these approaches:
use Java to get the IP; when Java is disabled or an internal IP
(192.168.*, 10.*, 127.* and another range I do not know) is returned, look
at the headers sent by Squid; otherwise use REMOTE_ADDR.
--
#!/usr/bin/perl -- Random sig generator. Editor command in slrn => ~/siggs
$F=shift;open H,"+<$F";$_=join"",<H>;$s=index$_,"\n\n-- \n";$s<0||truncate
H,$s;close H;system"$ENV{EDITOR} $F</dev/tty>/dev/tty";$s=$n=0;for#sichtig
(<~/siggs/*>){++$n;int rand$n or$s=$_};`(echo "\n\n-- ")|cat - $s>>$F`+nan
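
An added example (not code from any poster in this thread) of the combined approach discussed in the replies above: believe X-Forwarded-For only when the request arrives from a proxy you operate, and fall back to REMOTE_ADDR when the forwarded address is loopback or private. The proxy list, the function names and the sample requests are assumptions made for illustration; the fourth private range is 172.16.0.0/12 (RFC 1918).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the proxies this site operates itself (documentation addresses).
my %TRUSTED_PROXY = map { $_ => 1 } qw(203.0.113.10 203.0.113.11);

# Return the four octets of a dotted-quad IPv4 address, or nothing.
sub parse_ipv4 {
    my ($text) = @_;
    return unless defined $text;
    my @octets = $text =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
        or return;
    return if grep { $_ > 255 } @octets;
    return @octets;
}

# True for loopback (127/8) and the RFC 1918 ranges 10/8, 172.16/12, 192.168/16.
sub is_internal {
    my @o = parse_ipv4(shift) or return 0;
    return 1 if $o[0] == 127 || $o[0] == 10;
    return 1 if $o[0] == 192 && $o[1] == 168;
    return 1 if $o[0] == 172 && $o[1] >= 16 && $o[1] <= 31;
    return 0;
}

# Choose the address to log for one request; $env is the CGI environment.
# The raw header is always kept in 'claimed' so the log shows what was sent.
sub client_ip {
    my ($env) = @_;
    my $peer = $env->{REMOTE_ADDR};
    my $xff  = $env->{HTTP_X_FORWARDED_FOR};
    my %seen = (ip => $peer, source => 'REMOTE_ADDR', claimed => $xff);

    # From any other peer the header is just text the client typed.
    return \%seen unless defined $peer && $TRUSTED_PROXY{$peer} && defined $xff;

    (my $list = $xff) =~ s/\A\s+|\s+\z//g;
    # Walk from the hop nearest to us towards the client.
    for my $hop (reverse split /\s*,\s*/, $list) {
        last unless parse_ipv4($hop);      # "unknown" or garbage: stop here
        next if $TRUSTED_PROXY{$hop};      # one of our own proxies: keep walking
        last if is_internal($hop);         # LAN address: useless for logging
        @seen{qw(ip source)} = ($hop, 'X-Forwarded-For');
        last;                              # anything further left is unverified
    }
    return \%seen;
}

# Constructed sample requests.
my @requests = (
    { REMOTE_ADDR => '198.51.100.7' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_X_FORWARDED_FOR => '192.0.2.44' },
    { REMOTE_ADDR => '203.0.113.10', HTTP_X_FORWARDED_FOR => '192.0.2.44' },
    { REMOTE_ADDR => '203.0.113.10',
      HTTP_X_FORWARDED_FOR => '198.51.100.99, 192.0.2.44, 203.0.113.11' },
    { REMOTE_ADDR => '203.0.113.10', HTTP_X_FORWARDED_FOR => '192.168.0.1' },
    { REMOTE_ADDR => '203.0.113.10', HTTP_X_FORWARDED_FOR => 'unknown' },
);

for my $env (@requests) {
    my $r = client_ip($env);
    printf "%-14s from %-15s peer=%-13s header=%s\n",
        $r->{ip}, $r->{source}, $env->{REMOTE_ADDR}, $r->{claimed} // '-';
}
```

Logging the peer address and the raw header next to the chosen address keeps the record usable even when the header turns out to be wrong.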
------------------------------
Date: Tue, 01 May 2001 13:18:30 GMT
From: Bart Lateur <bart.lateur@skynet.be>
Subject: Re: glob questions
Message-Id: <1tdtet8q5tifbl14kg1r6clmnkc9alcrrr@4ax.com>
Rob wrote:
>@files = glob ("$file_descriptors {directory}/*"); # line 78
Get rid of that space in front of the '{'. It works in plain perl code,
but not in interpolation.
$foo = 'SCALAR';
%foo = ( bar => 'HASH' );
print "$foo {bar}\n";
-->
SCALAR {bar}
--
Bart.
------------------------------
Date: Tue, 01 May 2001 13:47:19 GMT
From: "Rob" <"relaxedrob@optushome.com.au">
Subject: Re: glob questions
Message-Id: <H7zH6.1321$76.4978@news1.rdc1.nsw.optushome.com.au>
Thanks!
:)
"Bart Lateur" <bart.lateur@skynet.be> wrote in message
news:1tdtet8q5tifbl14kg1r6clmnkc9alcrrr@4ax.com...
> Rob wrote:
>
> >@files = glob ("$file_descriptors {directory}/*"); # line 78
>
> Get rid of that space in front of the '{'. It works in plain perl code,
> but not in interpolation.
>
> $foo = 'SCALAR';
> %foo = ( bar => 'HASH' );
> print "$foo {bar}\n";
> -->
> SCALAR {bar}
>
> --
> Bart.
------------------------------
Date: Tue, 01 May 2001 06:12:42 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Hacker challenge. Can you break this script for me?
Message-Id: <3AEEB64A.66CC990C@stomp.stomp.tokyo>
Jfreeman wrote:
(snipped)
> The code, with online pod, is available here:
> http://www.dynamicflight.com.au/Perl/stripcomments.pl
404 File not Found
The document that you requested
(http://www.dynamicflight.com.au/Perl/stripcomments.pl)
does not exist on this server. Please check the spelling
of the document, and make sure there are no spaces in the
address. If there is still a problem, please contact the
Webmaster.
This type of inane mistake is indicative of very sloppy work
and is quite inexcusable. There is not a chance I personally
would trust your coding. My mistrust is further resolved by
your making duplicate postings of your article, failing to
subject line note your second article is an address correction.
My presumption is you fell off the Turnip Truck, yesterday.
Godzilla!
------------------------------
Date: Tue, 01 May 2001 23:30:15 +1000
From: Jfreeman <jfreeman@tassie.net.au>
Subject: Re: Hacker challenge. Can you break this script for me?
Message-Id: <3AEEBA67.2734CE14@tassie.net.au>
Gwyn Judd wrote:
> "mein Luftkissenfahrzeug ist voll von den Aalen"
> said Jfreeman (jfreeman@tassie.net.au) in
> <3AEEA10A.E2DC57C7@tassie.net.au>:
> > $stmt =~ s{
> > (?sx) # Snazzy extended regexp coming up. Also, treat
>
> >OK so the author obviously meant to add a /x modifier but forgot so his snazzy
> >regex is not as functional as hoped. The comments are interpreted by the perl
> >parser as literal strings to be matched literally.
>
> Not so. See the perlre manpage (search for "(?imsx-imsx)").
Thanks Gwyn
Checked the manpage. Lights go on. I was not aware of that syntax and will arrange
to parse for it. Thank you. It seems to be missed in the Camel book, but maybe I
got inattentive. The little engine who blinked perhaps!
I can now see why this partially concatenated regex parses:
$stmt =~ s{(?sx) # Snazzy extended regexp coming up. Also, treat# string as a
single line so.* eats \n characters.^\s* # Ignore leading whitespace
([^"]* # A double quote '"' indicates a string argument. If we# find a double
quote, the match fails and we strip nothing.
)\s*\# # Any amount of whitespace plus the comment marker....*$ # ...which
carries on to end-of-string.}{$1};
Although the closing }{$1}; appears hidden behind the comment the parser is
following the rule expressed in the Camel book - don't put your closing delimiter
in the comments of a /x regex - and still finding it. This odd behaviour was
troubling me.
I played with this regex a lot, as some concatenations were OK but others not. This
finally explains why if you concatenate the partially concatenated regex above onto
a single line it is OK but if you try to concatenate any two of the lines above
together (partially concatenating it) it breaks. The problem stems from the
unmatched parentheses - vis the opening ( on line 2, and the closing ) on line 3.
Concat the script to two lines and you lose one or the other behind a comment, have
unmatched parentheses and the syntax error. I feel better now even if I have to admit
that stripcomments.pl will only parse just over 98.8% of entire standard perl
distribution until the fix goes in. Damn beaten by the parser again!
Thanks for the info, much appreciated.
James
>
>
> --
> Gwyn Judd (print `echo 'tjla@guvfybir.qlaqaf.bet' | rot13`)
> LSD melts your mind, not in your hand.
------------------------------
Date: Tue, 01 May 2001 23:30:52 +1000
From: Jfreeman <jfreeman@tassie.net.au>
Subject: Re: Hacker challenge. Can you break this script for me?
Message-Id: <3AEEBA8C.D62F4B86@tassie.net.au>
Gwyn Judd wrote:
> "mein Luftkissenfahrzeug ist voll von den Aalen"
> said Jfreeman (jfreeman@tassie.net.au) in
> <3AEEA10A.E2DC57C7@tassie.net.au>:
> > $stmt =~ s{
> > (?sx) # Snazzy extended regexp coming up. Also, treat
>
> >OK so the author obviously meant to add a /x modifier but forgot so his snazzy
> >regex is not as functional as hoped. The comments are interpreted by the perl
> >parser as literal strings to be matched literally.
>
> Not so. See the perlre manpage (search for "(?imsx-imsx)").
Thanks Gwyn
Checked the manpage. Lights go on. I was not aware of that syntax and will arrange
to parse for it. Thank you. It seems to be missed in the Camel book, but maybe I
got inattentive. The little engine who blinked perhaps!
I can now see why this partially concatenated regex parses:
$stmt =~ s{(?sx) # Snazzy extended regexp coming up. Also, treat# string as a
single line so.* eats \n characters.^\s* # Ignore leading whitespace
([^"]* # A double quote '"' indicates a string argument. If we# find a double
quote, the match fails and we strip nothing.
)\s*\# # Any amount of whitespace plus the comment marker....*$ # ...which
carries on to end-of-string.}{$1};
Although the closing }{$1}; appears hidden behind the comment the parser is
following the rule expressed in the Camel book - don't put your closing delimiter
in the comments of a /x regex - and still finding it. This odd behaviour was
troubling me.
I played with this regex a lot, as some concatenations were OK but others not. This
finally explains why if you concatenate the partially concatenated regex above onto
a single line it is OK but if you try to concatenate any two of the lines above
together (partially concatenating it) it breaks. The problem stems from the
unmatched parentheses - vis the opening ( on line 2, and the closing ) on line 3.
Concat the script to two lines and you lose one or the other behind a comment, have
unmatched parentheses and the syntax error. I feel better now even if I have to admit
that stripcomments.pl will only parse just over 98.8% of entire standard perl
distribution until the fix goes in. Damn beaten by the parser again!
Thanks for the info, much appreciated.
James
>
>
> --
> Gwyn Judd (print `echo 'tjla@guvfybir.qlaqaf.bet' | rot13`)
> LSD melts your mind, not in your hand.
------------------------------
Date: Tue, 01 May 2001 06:47:03 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Hacker challenge. Can you break this script for me?
Message-Id: <3AEEBE57.A437E58D@stomp.stomp.tokyo>
Jfreeman wrote:
> Gwyn Judd wrote:
> > Jfreeman wrote:
(significant snippage)
> ...Damn beaten by the parser again!
This is clear in your first posting of this article
of yours. However, your second and third posting of
your article, does not make this any clearer. Most
of us are capable of understanding a message upon
first reading. Do consider not posting this article
again. This is really not needed although considerate.
Perhaps a Turnip Truck will pass your way today and,
offer you a ride to market.
Godzilla!
------------------------------
Date: 01 May 2001 06:58:50 -0700
From: merlyn@stonehenge.com (Randal L. Schwartz)
Subject: Re: Hacker challenge. Can you break this script for me?
Message-Id: <m17l015fxh.fsf@halfdome.holdit.com>
>>>>> "Jfreeman" == Jfreeman <jfreeman@tassie.net.au> writes:
Jfreeman> Stripcomments.pl is a script that will parse a perl script
Jfreeman> and remove all comments. It will optionally also crunch the
Jfreeman> script down JAPH style to a user defined line length.
I'm curious. Will the resulting program, as assisted by this
beta testing, be always free under the GPL/AL? Or are you planning
on charging for your program?
If you're planning on charging, will you also compensate financially
the use of this public resource to make your program better? As in,
pay the people who are trying to break your program (which I bet I
could do given a spare half hour or so)?
So, speak out.
print "Just another Perl hacker,"
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
------------------------------
Date: Tue, 01 May 2001 07:35:30 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Hacker Challenge. Can you break this script for me?
Message-Id: <3AEEC9B2.5CB59BC5@stomp.stomp.tokyo>
Jfreeman wrote:
> It has long been axiomatic that only (the Perl parser) can parse perl.
(snipped)
Randal sorely underestimates his abilities in his article
relative to this thread. My belief is Randal has forgotten
more about Perl than I have learned over a number of years.
After unzipping your file, setting up a test directory,
it took me less than three minutes to break your script.
C:\APACHE\USERS\TEST>perl stripcom.pl chahta.cgi
Compile check .\chahta.cgi
Compile check failed!
Sorry perl script .\chahta.cgi does not compile, Aborting!
Can't localize lexical variable $found at (eval 1) line 1152
Relative lines out of a total 3565 lines:
1148 sub Ikbi_Himmona
1149
1150 { ## Ikbi_Himmona
1151
1152 local ($buf, $tbuf, $last_para, $found, $amount_to_read);
1153 local ($para_num, $ipa, $dns, $date1, $hochifo_holba, $hochifo,
$holisso_holba,
1154 $takla_holisso, $special_output);
Godzilla! Turnip Truck Driver
------------------------------
Date: 1 May 2001 00:00:44 GMT
From: nospam@hairball.cup.hp.com (Richard J. Rauenzahn)
Subject: Re: How to: Create Regex which extracts N number of words before target word
Message-Id: <988675244.168176@hpvablab.cup.hp.com>
"BarryK" <notmyrealemail@fake.com> writes:
^^^^^^^^
^^^^^^^^
<off topic>
Be aware that someone out there (tucows, to be specific)
owns fake.com and has to handle (i.e., bounce) all of your
spam/misdirected replies. If you want to use a fake email address,
append .invalid to your address or use @example.com. For more info,
see the email munging faq.
</off topic>
>Assume you have a target word, e.g. "cat", and you want to extract that word
>and a certain number of words before it. How is one to do this in a
>non-literal manner with a regular expression which will support any number
>of pre-words to be extracted?
>
>Following does not work. It should replace target and previous two words, to
>wit: word1 word2 Z
You would do yourself a great service by having perl give you warnings
about your code:
#!perl -w
use strict;
>
>#code
>
>$_ = "word1 word2 word3 word4 cat";
>
>s: \b.+\b{2}?cat :Z:xg;
>
>print $_;
>
>#end code
How about...
#!/usr/bin/perl -w
use strict;
$_ = "word1 word2 word3 word4 cat";
s/(\w+\W+){2}cat/Z/xg;
print $_;
--
Rich Rauenzahn ----------+xrrauenza@cup.hp.comx+ Hewlett-Packard Company
Technical Consultant | I speak for me, | 19055 Pruneridge Ave.
Development Alliances Lab| *not* HP | MS 46TU2
ESPD / E-Serv. Partner Division +--------------+---- Cupertino, CA 95014
------------------------------
Date: Tue, 01 May 2001 13:40:59 GMT
From: "BarryK" <notmyrealemail@example.com>
Subject: Re: How to: Create Regex which extracts N number of words before target word
Message-Id: <L1zH6.46638$U4.11009733@news1.rdc1.tn.home.com>
That's quite brilliant. Most elegant.
I tried to extend this to also include 2 words after the word, but this
mucks up the elegant code
===
$_ = "word1 word2 word3 word4 cat word5 word6 word7";
s/(\w+\W+){2}cat(\w+\W+){2}/Z/xg;
print $_;
===
"Richard J. Rauenzahn" <nospam@hairball.cup.hp.com> wrote in message
news:988675244.168176@hpvablab.cup.hp.com...
>
> How about...
>
> #!/usr/bin/perl -w
> use strict;
>
> $_ = "word1 word2 word3 word4 cat";
>
> s/(\w+\W+){2}cat/Z/xg;
>
> print $_;
>
>
> --
> Rich Rauenzahn ----------+xrrauenza@cup.hp.comx+ Hewlett-Packard Company
> Technical Consultant | I speak for me, | 19055 Pruneridge Ave.
> Development Alliances Lab| *not* HP | MS 46TU2
> ESPD / E-Serv. Partner Division +--------------+---- Cupertino, CA 95014
------------------------------
Date: Tue, 01 May 2001 13:18:54 GMT
From: posting.account@lynxview.com (William Herrera)
Subject: Re: misleading taint error message with DBI?
Message-Id: <3aeeb5ee.86851147@west.usenetserver.com>
On 1 May 2001 06:31:32 GMT, damian@qimr.edu.au (Damian James) wrote:
>William Herrera chose Tue, 01 May 2001 05:06:16 GMT to say this:
>>Why, when I use potentially tainted environment variables in building an
>>otherwise valid query with DBD::CSV, do I get the bizarre and misleading error
>>below:
>>
>>DBD::CSV::Statement=HASH(0x1c9bf18) is not a valid SQL::Statement object
>>
>>instead of the usual "Insecure dependency in ... while running with -T switch "
>>error?
>>
>
>Err, you have a reason to believe this has something to do with taint
>checking? Looks pretty straightforward to me -- somewhere, somehow you have
>a typo that is including a reference to a hash in your sql statement,
>rather than some value in that hash. Or there's a typo with some DBD::CSV
>object (that happens to be implemented as a hashref). Either way, it looks
>like a syntax error to me. I'd say, double check your code.
I think that you have just proven my point about the error being misleading.
The point is that after 15 minutes of trying to figure out where the syntax
error was, I found that:
1) this error message appears when taint checking is on and goes away when it
is off
2) running the ID string that is combined into the query string through the
following:
sub cln {
# fast cleanup of taint for database stuff. No " allowed, all else goes
shift =~ /([^\"]+)/;
if ($1) { return $1 } else { return };
}
fixes the error even though there are no " characters in the ID string and so
the subroutine does nothing but remove taint.
---
The above from: address is spamblocked. Use wherrera (at) lynxview (dot) com for the reply address.
------------------------------
Date: Tue, 01 May 2001 13:48:30 GMT
From: posting.account@lynxview.com (William Herrera)
Subject: Re: misleading taint error message with DBI?
Message-Id: <3aeebdc1.88854939@west.usenetserver.com>
On 1 May 2001 06:31:32 GMT, damian@qimr.edu.au (Damian James) wrote:
>object (that happens to be implemented as a hashref). Either way, it looks
>like a syntax error to me. I'd say, double check your code.
Okay, here is an example.
# --------------------------------------------
#!perl.exe
use strict;
use CGI;
use DBI;
my $query = new CGI;
my($lastname, $city, $sql_query, $dbh, $sth, $CITY, $LAST_NAME);
# here is a tainted line
$lastname = $ENV{lastname};
$sql_query = "SELECT * FROM pres WHERE LAST_NAME CLIKE \"$lastname\" ";
$dbh = DBI->connect("DBI:CSV:f_dir=/temp") or die("Cannot connect: " .
$DBI::errstr);
$dbh->{'csv_tables'}->{'pres'} = { 'file' => 'pres.csv'};
$sth = $dbh->prepare($sql_query) or die("Cannot prepare: " . $dbh->errstr());
$sth->execute() or die("Cannot execute: " . $sth->errstr());
$sth->bind_columns(\$LAST_NAME,\$CITY);
$sth->fetch or die("bad fetch of ( $sql_query ): no results");
$sth->finish();
$dbh->disconnect();
print $query->header,
$query->start_html,
$query->h1('Results:'),
$query->h2("President $LAST_NAME lives in $CITY"),
$query->end_html;
#------------------------------------------------------
here is the csv file put in /temp:
#--------------------------------
"LAST_NAME","CITY"
"Bush","Washington DC"
"Clinton", "New York"
# -----------------------------------
Run this with the csv file in /temp and with the environment variable
lastname=Bush
and run it with and without the -T option.
---
The above from: address is spamblocked. Use wherrera (at) lynxview (dot) com for the reply address.
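
An added example (not code from the thread) comparing the cln() sub posted in the previous message with an anchored allowlist check: cln() removes taint from the first run of characters that are not a double quote, so it accepts almost any text and silently truncates at a quote. The name `untaint_lastname`, its character set and the sample inputs are assumptions made for illustration; run it with `perl -T` to see the taint flags.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# cln() as posted in the thread, reproduced unchanged for comparison.
sub cln {
    # fast cleanup of taint for database stuff. No " allowed, all else goes
    shift =~ /([^\"]+)/;
    if ($1) { return $1 } else { return };
}

# Hypothetical stricter replacement: the WHOLE value must match a short
# allowlist, and the capture is used only when the match succeeded.
sub untaint_lastname {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A([A-Za-z][A-Za-z' -]{0,63})\z/ ? $1 : undef;
}

# Render a value with its taint state, or "rejected" when nothing came back.
sub show {
    my ($v) = @_;
    return 'rejected' unless defined $v;
    return sprintf '[%s]%s', $v, tainted($v) ? ' (tainted)' : '';
}

# Under -T, $^X is tainted, so appending a zero-length piece of it marks
# each constructed sample as tainted, as a value read from %ENV would be.
my $TAINT = substr($^X, 0, 0);

# Constructed sample inputs.
my @inputs = map { $_ . $TAINT } (
    'Bush',
    "O'Brien",
    'Bush" trailing text',   # cln() keeps the part before the quote
    '%',                     # not a name, but cln() passes it through
);

print "taint mode: ", (${^TAINT} ? "on" : "off (run with perl -T)"), "\n";
for my $in (@inputs) {
    printf "input %-34s cln %-12s strict %s\n",
        show($in), show(cln($in)), show(untaint_lastname($in));
}
```

With DBI, passing the validated value as a bind parameter (a `?` placeholder in `prepare`, the value given to `execute`) keeps it out of the SQL text, so the quoting around `$lastname` is no longer part of the query string.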
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 811
**************************************