[18805] in Perl-Users-Digest


Perl-Users Digest, Issue: 973 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Wed May 23 21:10:31 2001

Date: Wed, 23 May 2001 18:10:15 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <990666615-v10-i973@ruby.oce.orst.edu>
Content-Type: text

Perl-Users Digest           Wed, 23 May 2001     Volume: 10 Number: 973

Today's topics:
    Re: How to match the password created in Linux shadow s (Joseph Chen)
    Re: How to match the password created in Linux shadow s <joelh@juniper.net>
    Re: How to match the password created in Linux shadow s <mischief@velma.motion.net>
    Re: HTML::Entities and the Mac :-( <bart.lateur@skynet.be>
    Re: library Files in Perl <mischief@velma.motion.net>
        Limiting Characters - CGI Form (Jacob)
    Re: perl tattoo <soszko@gmu.edu>
    Re: perl tattoo <todd@designsouth.net>
        realpath(), abs_path() <postmaster@god.edu>
    Re: unlinking files under -T (William Herrera)
    Re: url parsing <todd@designsouth.net>
    Re: what does this mean? <buggs@geekmail.de>
        Who's Going to the Perl Conference in San Diego this ye <djm@spamfree.mcoe.k12.ca.us>
    Re: Who's Going to the Perl Conference in San Diego thi <uri@sysarch.com>
    Re: wwwboard.pl - Taint and Use Strict <AgitatorsBand@yahoo.com>
    Re: wwwboard.pl - Taint and Use Strict <flavell@mail.cern.ch>
    Re: wwwboard.pl - Taint and Use Strict <mischief@velma.motion.net>
    Re: XML::Simple more than one root tag?? (Eric Bohlman)
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: 23 May 2001 15:38:44 -0700
From: yen_hung@yahoo.com (Joseph Chen)
Subject: Re: How to match the password created in Linux shadow suite?
Message-Id: <bf927196.0105231438.31a7dc96@posting.google.com>

Thanks for the useful reply. I feel I am pretty close after using the
hint but I still do not get a match. Here is part of my code.

	print "$passwd," . crypt($p,$passwd) . "\n";
	if (crypt($p,$passwd) eq $passwd) {
	    print "match\n";
	} else {
	    print "no match\n";
	}

Variable $p is my login password and $passwd is my encrypted password
in /etc/shadow, after I run the script, I got ...

% shadow_match.pl
$1$QR/J8Kwx$l8A4IHdLZylsCALdmhy30.,$1p327sCxfpMs
no match

Am I doing it correctly?

Joseph 

"Kevin Hancock" <khan@arcom.com.au> wrote in message news:<3b0bbe8d@kastagir.senet.com.au>...
> sub VerifyPass{
> my($passwd, $user)=@_;
> open(SHAD, $MYshad) or dienice (" Failed to open $MYshad\n\n");
> while( <SHAD> ){
>         @data=split(/:/, $_);
>         if ( $data[0] eq $user ){
>                 if ($data[1] eq crypt($passwd , $data[1])){
>                         close(SHAD);
>                         return 1;
>                 }
>         }
> }
> close(SHAD);
> return 0;
> }
> 
> This is what I do. I do not like it as it traverses the entire length of
> /etc/shadow each time especially if a miss.
> 
> I am new so if my code sucks pls feel free to pick it to pieces. It does
> work though copied direct from my code.
> 
> 
> Joseph Chen wrote in message ...
> >The reply has a misunderstanding about the statement of the problem.
> >Without the Linux shadow suite, a common practice allows the password
> >a user types in to be encrypted and compared against the system password
> >of the user in order to verify the access of the user. For a password
> >read from the user, e.g., $passwd_read, we can do the following in
> >perl to verify his/her access to the system.
> >
> >$salt = substr($passwd_read,0,2);
> >$passwd_read_and_encrypted = crypt($passwd_read,$salt);
> >if ($passwd_read_and_encrypted eq $user_passwd_encrypted_from_system) {
> >   # the user has access
> >} else {
> >   # the user has no access
> >}
> >
> >Without using the shadow suite, we can get $user_passwd_encrypted_from_system
> >from /etc/passwd file. It does not require a 'root' access privilege to
> >read this file and the above codes work!
> >
> >With the shadow suite, all user passwords in /etc/passwd are moved
> >to /etc/shadow and the passwords in /etc/passwd are replaced by '*'.
> >
> >To solve this password moving issue, I can read the user password
> >$user_passwd_encrypted_from_system from /etc/shadow instead of
> >/etc/passwd. But, the major problem I could not solve is that
> >the encrypted password in /etc/shadow is longer than the password
> >encrypted in /etc/passwd. They have different lengths. This is
> >why my comparison if-statement in the above codes fails, even if
> >the $passwd_read is the same as the password of the user before
> >the password is encrypted by the shadow suite.
> >
> >Is it because the shadow suite uses a different encryption method?
> >And, how do I fix this problem using perl? Any help is appreciated.
> >
> >
> >Joseph Chen


------------------------------

Date: 23 May 2001 15:53:42 -0700
From: Joel Ray Holveck <joelh@juniper.net>
Subject: Re: How to match the password created in Linux shadow suite?
Message-Id: <y7clmnn65jd.fsf@sindri.juniper.net>

> Thanks for the useful reply. I feel I am pretty close after using the
> hint but I still do not get a match. Here is part of my code.
> 	print "$passwd," . crypt($p,$passwd) . "\n";
> 	if (crypt($p,$passwd) eq $passwd) {
> 	    print "match\n";
> 	} else {
> 	    print "no match\n";
> 	}
> Variable $p is my login password and $passwd is my encrypted password
> in /etc/shadow, after I run the script, I got ...
> % shadow_match.pl
> $1$QR/J8Kwx$l8A4IHdLZylsCALdmhy30.,$1p327sCxfpMs
> no match

Very interesting.  It appears that your shadow password is MD5-based,
but your Perl crypt doesn't recognize that, and creates a DES-based
crypted password.  Your code seems correct; it's now down to the Linux
passwd gurus to work out why your Perl doesn't support MD5 crypt
(since, IIRC, it pulls it out of libc).



------------------------------

Date: Wed, 23 May 2001 23:49:30 -0000
From: Chris Stith <mischief@velma.motion.net>
Subject: Re: How to match the password created in Linux shadow suite?
Message-Id: <tgoj4a5o2ojebe@corp.supernews.com>

Joseph Chen <yen_hung@yahoo.com> wrote:
> Thanks for the useful reply. I feel I am pretty close after using the
> hint but I still do not get a match. Here is part of my code.

> 	print "$passwd," . crypt($p,$passwd) . "\n";
> 	if (crypt($p,$passwd) eq $passwd) {
> 	    print "match\n";
> 	} else {
> 	    print "no match\n";
> 	}

> Variable $p is my login password and $passwd is my encrypted password
> in /etc/shadow, after I run the script, I got ...

> % shadow_match.pl
> $1$QR/J8Kwx$l8A4IHdLZylsCALdmhy30.,$1p327sCxfpMs
> no match

> Am I doing it correctly?

Sorta.

You're using a DES crypt routine to match an MD5 password.
Use Crypt::PasswordMD5 or something similar from the CPAN.

Chris
-- 
People understand instinctively that the best way for computer programs to
communicate with each other is for each of the them to be strict in what they
emit, and liberal in what they accept. The odd thing is that people themselves
are not willing to be strict in how they speak, and liberal in how they listen.
 -- Larry Wall, 2nd State of the Onion Address, August 1998
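
Added example, not part of the digest or of any poster's code: a check that tells "wrong password" apart from "this crypt() does not understand the stored scheme", which is the situation in the output quoted above (a `$1$` hash answered with a 13-character DES hash). The password and salt in the round trip are constructed, and Crypt::PasswdMD5 is assumed to be an optional fallback that is used only if it is installed.

```perl
use strict;
use warnings;

# "$id$salt$" prefix of a modular-format hash, or undef for a 13-character
# DES hash (which carries no prefix).
sub scheme_prefix {
    my ($stored) = @_;
    return $stored =~ /^(\$[^\$]+\$[^\$]*\$)/ ? $1 : undef;
}

# True when $got was produced by the same scheme as $stored.
sub same_scheme {
    my ($stored, $got) = @_;
    return 0 unless defined $got;
    my $prefix = scheme_prefix($stored);
    return defined $prefix ? index($got, $prefix) == 0
                           : length($got) == 13;
}

# Returns 'match', 'no match', 'locked' or 'unsupported'.
sub check_password {
    my ($plain, $stored) = @_;
    return 'locked' if $stored =~ /^[*!]/;
    my $got = crypt($plain, $stored);       # the stored hash doubles as salt
    if (!same_scheme($stored, $got)) {
        # crypt() ignored the "$id$" marker; try the optional MD5 fallback.
        return 'unsupported'
            unless $stored =~ /^\$1\$/ && eval { require Crypt::PasswdMD5; 1 };
        $got = Crypt::PasswdMD5::unix_md5_crypt($plain, $stored);
    }
    return $got eq $stored ? 'match' : 'no match';
}

# The pair printed in the thread: stored hash, then what crypt() returned.
# Single quotes keep Perl from interpolating "$1" and "$QR".
my $stored = '$1$QR/J8Kwx$l8A4IHdLZylsCALdmhy30.';
my $seen   = '$1p327sCxfpMs';
print "thread output: ",
    (same_scheme($stored, $seen) ? "same scheme" : "crypt() fell back to DES"),
    "\n";

# Constructed round trip: a made-up password hashed with a made-up salt.
my $made = crypt('correct horse', '$1$abcdefgh$');
if (same_scheme('$1$abcdefgh$', $made)) {
    print "good password: ", check_password('correct horse', $made), "\n";
    print "bad password:  ", check_password('wrong', $made), "\n";
} else {
    print "this platform's crypt() has no MD5 support\n";
}
print "locked entry:  ", check_password('anything', '!!'), "\n";
```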



------------------------------

Date: Wed, 23 May 2001 22:33:38 GMT
From: Bart Lateur <bart.lateur@skynet.be>
Subject: Re: HTML::Entities and the Mac :-(
Message-Id: <84eogts5ndjkm43iigr774f0i1uc1vm9ua@4ax.com>

Malte Ubl wrote:

>however as you copy/paste something from a different Macintosh application
>you get something like this:
>&#154;&#138;&#159;&sect;&uuml;&#138;&#154;&#159;&#138;&#154;&#159;
>for this input:
>öäüß&uuml;äöüäöü
>
>This doesn't even display correctly on a Mac Browser.

Of course it doesn't. In HTML, numerical entities are supposed to
represent Unicode character codes, which is the same as ISO-Latin-1 for
numbers that aren't higher than 255.

You want a conversion from Mac to ISO-Latin-1, or Unicode? Here ya go, a
neat table.
<ftp://www.unicode.org/Public/MAPPINGS/VENDORS/APPLE/ROMAN.TXT>

Here's one entry from that table:

0x9F    0x00FC  # LATIN SMALL LETTER U WITH DIAERESIS

So parsing it can be done using:

	while(<TABLE>) {
	    /^\s*(\w+)\s+(\w+)/ or next;
	    (my $char = hex $1) >= 128 or next;
	    my $unicode = hex $2;
	    $entity{chr $char} = "&#$unicode;";
	}

-- 
	Bart.


------------------------------

Date: Thu, 24 May 2001 00:12:01 -0000
From: Chris Stith <mischief@velma.motion.net>
Subject: Re: library Files in Perl
Message-Id: <tgokehirj3mfda@corp.supernews.com>

Todd Smith <todd@designsouth.net> wrote:
>>
>> I would dispute the sweeping assertion that "people usually" use old
>> Perl4-style libraries rather than Perl5-style libraries (aka Exporter
>> modules).

> I wouldn't. Think about it- out of all the perl programmers in the world,
> I'll bet most of them don't know how to write modules. But I'm sure all of
> them can put a few subroutines in a file and 'require' it. So I still think
> that most people use .pl files instead of modules.

Of course you wouldn't dispute it -- you said it. ;-)

You really don't have to use Exporter to make something act as a
module would act.

$ cat > Foo.pm
package Foo;
sub main::MySub {
    print "Foo!\n";
}

1;
$ perl -w -Mstrict -MFoo -e 'MySub'
Foo!
$

It's not nice to force things into main's namespace, but it can
be done. This doesn't necessarily make it a module, and I imagine
most people will say it's not a module. It sure isn't a Perl 4
library, though, because it has namespace control using q{package}.

What would this be called? "Evil and rude" perhaps?

Chris

-- 
If they can get you asking the wrong questions, they don't
have to worry about the answers.
  -- Thomas Pynchon, Gravity's Rainbow



------------------------------

Date: 23 May 2001 15:26:37 -0700
From: jpetrie@kitsapcu.org (Jacob)
Subject: Limiting Characters - CGI Form
Message-Id: <cedf7c1b.0105231426.172142a2@posting.google.com>

I am creating a form that accepts data to be e-mailed and/or submitted
to a SQL database using DBI.  I would like to check the input data,
and escape any characters that could cause problems.  I have been
trying to use:

$var =~ s/([;<>\*\|`\$!#\(\)\[\]\{\}:'"]@)/\\$1/g;

This is not working.  How should I go about escaping these characters?

Thanks,
Jacob


------------------------------

Date: Wed, 23 May 2001 18:45:47 -0400
From: Szilvia Oszko <soszko@gmu.edu>
Subject: Re: perl tattoo
Message-Id: <3B0C3D9B.A3292036@gmu.edu>



John Hall wrote:

> If I got the 7 line perl DECSS code tattoo'ed on my chest, if I went to the
> beach, would I be arrested by the feds?

Probably not, but you risk the embarrassment of someone pointing out, in public,
that you are using neither strict nor -w.



------------------------------

Date: Wed, 23 May 2001 23:31:31 GMT
From: "Todd Smith" <todd@designsouth.net>
Subject: Re: perl tattoo
Message-Id: <nLXO6.63191$I5.13481940@news1.rdc1.tn.home.com>


"John Hall" <jhall@ifxonline.com> wrote in message
news:0xSO6.27782$vf6.2760109@news1.rdc1.sdca.home.com...
> If I got the 7 line perl DECSS code tattoo'ed on my chest, if I went to the
> beach, would I be arrested by the feds?
>

What if you do, then later there's a shorter way to do it using Perl6?




------------------------------

Date: Wed, 23 May 2001 17:19:22 -0700
From: /dev/null <postmaster@god.edu>
Subject: realpath(), abs_path()
Message-Id: <3B0C538A.685FAFD1@god.edu>

Greetings!

Last year I wrote a realpath() function in Perl.  Recently I discovered
Cwd::abs_path().  When I tried to use it, I discovered that abs_path()
barfs if its argument is not a directory.  This is more than mildly
annoying.  Did the author(s) of abs_path() not see value in
being able to feed the function something like "/var/mail/extasia"
and get back "/var/spool/mail/extasia"?  Am I missing something?

Does there exist in Perl a function to do an absolute (or "real")
path on a given path representing *any* type of file?

If not, should I submit my realpath() function?

Thanks!
David
-- 
David Alban
extasia "@" mindspring "." com
Live in a world of your own, but always welcome visitors.


------------------------------

Date: Wed, 23 May 2001 23:23:53 GMT
From: posting.account@lynxview.com (William Herrera)
Subject: Re: unlinking files under -T
Message-Id: <3b0c45ba.33605873@news.rmi.net>

On 23 May 2001 20:29:50 GMT, "Scott R. Godin" <webmaster@webdragon.unmunge.net>
wrote:

> | >        unlink "$output_path$oldfile"; #older than 24 hours
> | >
> | >I get an "Insecure dependency" warning about the unlink. Now, none of 
> | >this information is user-generated, so I don't quite understand why I 
> | >get a warning of this nature unless it's because ANY unlink operation is 
> | >considered unsecure (which seems to be the case, from my perusal of 
> | >perlsec.pod).
> | 
> | I'd claim that filenames read off from directory are the reason for that
> | insecure dependency. As your program doesn't actually know what generated
> | the filenames it's reading off the directory, perl throws the "insecure
> | dependency" at you.
>
>So is this something I can then clean up with the simple sort of regex 
>solution proposed in the depths of perlsec.pod ? 

Yes, you can. I suggest a regex that gets rid of pipes and such so as to
exclude bizarre side effects.

The problem I have had in the past is in using File::Path::rmtree. Is there
_any_ way to use that function with taint checking enabled?


---
The above from: address is spamblocked. Use wherrera (at) lynxview (dot) com for the reply address.
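
Added example, not code from any poster in this thread: untainting names returned by readdir before unlink under -T. It uses an allowlist capture, the untainting pattern perlsec describes, rather than stripping individual characters; the sandbox directory and file names are constructed for the demonstration.

```perl
# Run as: perl -T purge_demo.pl   (the script name is a placeholder)
use strict;
use warnings;

# Allowlist untaint: accept only plain file names made of safe characters
# and return the regex capture, which Perl treats as untainted.
sub untaint_filename {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/ ? $1 : undef;
}

# Delete regular files older than $max_days in $dir; returns the names removed.
sub purge_old {
    my ($dir, $max_days) = @_;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @removed;
    for my $entry (sort readdir $dh) {
        my $name = untaint_filename($entry);
        next unless defined $name;          # skips ".", ".." and odd names
        my $path = "$dir/$name";
        next if -l $path;                   # never follow symlinks
        next unless -f $path && -M _ > $max_days;
        if (unlink $path) { push @removed, $name }
        else              { warn "unlink $path: $!" }
    }
    closedir $dh;
    return @removed;
}

# Constructed sandbox: one old file, one new file, one name outside the allowlist.
my $dir = "taint_demo_$$";
mkdir $dir or die "mkdir $dir: $!";
for my $f ('old.log', 'new.log', 'odd|name') {
    open(my $fh, '>', "$dir/$f") or die "create $f: $!";
    close $fh;
}
my $two_days_ago = time - 2 * 86400;
utime $two_days_ago, $two_days_ago, "$dir/old.log", "$dir/odd|name";

my @gone = purge_old($dir, 1);
print "removed: @gone\n";                   # only old.log qualifies

# Clean up the sandbox using literal (untainted) paths.
unlink "$dir/new.log", "$dir/odd|name";
rmdir $dir or warn "rmdir $dir: $!";
```

The file named `odd|name` is just as old as `old.log` but is left alone, because the allowlist rejects it instead of trying to repair it.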


------------------------------

Date: Wed, 23 May 2001 22:45:19 GMT
From: "Todd Smith" <todd@designsouth.net>
Subject: Re: url parsing
Message-Id: <34XO6.62782$I5.13442433@news1.rdc1.tn.home.com>

> I don't think you understood what I was complaining about.  When I run
> this one-liner, using your regex, I get "/foo.com".  Wouldn't you want
> "foo.com"?  Using m|//(.+?)/| instead fixes that.
> -- Gary Ansok

Oh yeah, ok. It was off-the-top-of-my-head code. You're right, though.

-todd




------------------------------

Date: Thu, 24 May 2001 02:23:25 +0200
From: buggs <buggs@geekmail.de>
Subject: Re: what does this mean?
Message-Id: <9ehkai$63v$06$1@news.t-online.com>

John Watson wrote:

> I ran into this in an if expression and was wondering what !~ means?
> 
> Thanks.
> 

Depending where you live it means
"Warning Snakes"
or
"Warning curves"
or in Indian reservations it often means
"Good Place to dig for water"

So usually you should *not* run and only walk or drive carefully.
And if you ran into one of these you really should inform
police, so they can have it repaired.

Buggs


------------------------------

Date: Wed, 23 May 2001 22:07:26 GMT
From: "Dave" <djm@spamfree.mcoe.k12.ca.us>
Subject: Who's Going to the Perl Conference in San Diego this year?
Message-Id: <ywWO6.4580$r61.35931@typhoon.sonic.net>

hmm?

http://conferences.oreilly.com/perl/


I'm going and perhaps might wanna hook up with some of you guys, provided
you aren't mental...





------------------------------

Date: Wed, 23 May 2001 22:31:29 GMT
From: Uri Guttman <uri@sysarch.com>
Subject: Re: Who's Going to the Perl Conference in San Diego this year?
Message-Id: <x7n1834rzx.fsf@home.sysarch.com>

>>>>> "D" == Dave  <djm@spamfree.mcoe.k12.ca.us> writes:

  D> http://conferences.oreilly.com/perl/

  D> I'm going and perhaps might wanna hook up with some of you guys,
  D> provided you aren't mental...

i think the converse is a more likely thing. how do we know you aren't
mental?

uri

-- 
Uri Guttman  ---------  uri@sysarch.com  ----------  http://www.sysarch.com
SYStems ARCHitecture and Stem Development ------ http://www.stemsystems.com
Learn Advanced Object Oriented Perl from Damian Conway - Boston, July 10-11
Class and Registration info:     http://www.sysarch.com/perl/OOP_class.html


------------------------------

Date: Wed, 23 May 2001 22:11:01 GMT
From: Scratchie <AgitatorsBand@yahoo.com>
Subject: Re: wwwboard.pl - Taint and Use Strict
Message-Id: <VzWO6.109$aG6.8728@news.shore.net>

Tintin <somewhere@in.paradise.net> wrote:
: All I can say is that you have one hell of a lot of work ahead of you.  In
: fact, you would be better off writing one from scratch.

Not at all. I re-wrote Matt's wwwboard to run under -T and use strict in
less than a day. Fixed the bug that nailed the Alaskan Electrician, too.
I've still got my version at home somewhere and could post it if there's
demand for it.

--Art



------------------------------

Date: Thu, 24 May 2001 00:18:29 +0200
From: "Alan J. Flavell" <flavell@mail.cern.ch>
Subject: Re: wwwboard.pl - Taint and Use Strict
Message-Id: <Pine.LNX.4.30.0105240015330.23090-100000@lxplus003.cern.ch>

On Wed, 23 May 2001, Scratchie wrote:

> Not at all. I re-wrote Matt's wwwboard to run under -T and use strict in
> less than a day.

You're not a beginner at this game, though, are you?

> Fixed the bug that nailed the Alaskan Electrician, too.

But you give the impression that you could write this sort of thing
from scratch too: so that's not a fair comparison with a naive newbie
who's just discovered a hoard (or do I mean a dumpster?) of scripts
written by someone called Matt.




------------------------------

Date: Thu, 24 May 2001 00:17:04 -0000
From: Chris Stith <mischief@velma.motion.net>
Subject: Re: wwwboard.pl - Taint and Use Strict
Message-Id: <tgoko0stft7j3b@corp.supernews.com>

Scratchie <AgitatorsBand@yahoo.com> wrote:
> Tintin <somewhere@in.paradise.net> wrote:
> : All I can say is that you have one hell of a lot of work ahead of you.  In
> : fact, you would be better off writing one from scratch.

> Not at all. I re-wrote Matt's wwwboard to run under -T and use strict in
> less than a day. Fixed the bug that nailed the Alaskan Electrician, too.
> I've still got my version at home somewhere and could post it if there's
> demand for it.

From the overall quality of Matt Wright's Perl work, I'd say you've
either done some major gutting and reworking to make it secure, or
you're overestimating the quality of your final product.

From what I've heard about Matt Wright, it seems he wrote all his
Perl code as a hobby in high school, and freely admitted it wasn't
of professional quality. These could be merely rumors. Most of
his code, though, isn't of much higher than hobbyist quality and
has a tendency towards being insecure.

Chris
-- 
Product shown enlarged to make you think you're getting more.



------------------------------

Date: 23 May 2001 23:02:46 GMT
From: ebohlman@omsdev.com (Eric Bohlman)
Subject: Re: XML::Simple more than one root tag??
Message-Id: <9ehfim$rju$1@bob.news.rcn.net>

Thorbjørn Ravn Andersen <thunderbear@bigfoot.com> wrote:

> An XML-document may only have one root-element.  The standard allows
> parsers to crash and die if errors in the format are found.  This is what
> XML::Simple does.

More specifically, the standard *forbids* parsers from doing anything
other than checking for further errors after they detect an error.  In
practice, most parsers give up on the first error because the grammar of
XML documents is such that one error (particularly if it involves tag
nesting) will usually throw things off badly enough that the parser would
just detect a bunch of spurious errors afterwards.


------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc.  For subscription or unsubscription requests, send
the single line:

	subscribe perl-users
or:
	unsubscribe perl-users

to almanac@ruby.oce.orst.edu.  

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.

For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 973
**************************************

