
Perl-Users Digest, Issue: 4400 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Tue Jan 14 09:10:39 2003

Date: Tue, 14 Jan 2003 06:10:13 -0800 (PST)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)

Perl-Users Digest           Tue, 14 Jan 2003     Volume: 10 Number: 4400

Today's topics:
        security of open(TAR, "tar -cvf - $filelist|") <mzawadzk@man.poznan.pl>
    Re: security of open(TAR, "tar -cvf - $filelist|") (Anno Siegel)
    Re: security of open(TAR, "tar -cvf - $filelist|") (Helgi Briem)
    Re: security of open(TAR, "tar -cvf - $filelist|") <nobull@mail.com>
    Re: The "default thing" <goldbb2@earthlink.net>
    Re: The "default thing" (Bruce McKenzie)
    Re: The "default thing" <tassilo.parseval@post.rwth-aachen.de>
    Re: undef of large Hashes/Arrays took a very long time <Jan.Schubert@GMX.li>
        Using Mail::MAiler to send attachment (nikko)
        what's the similar functionality to the '#include' in C <ie_qjzhu@yahoo.ie>
    Re: what's the similar functionality to the '#include'  <bernard.el-hagin@DODGE_THISlido-tech.net>
    Re: what's the similar functionality to the '#include'  <ie_qjzhu@yahoo.ie>
    Re: what's the similar functionality to the '#include'  (Sam Holden)
    Re: what's the similar functionality to the '#include'  (Tad McClellan)
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Tue, 14 Jan 2003 11:47:28 +0100
From: Marek Zawadzki <mzawadzk@man.poznan.pl>
Subject: security of open(TAR, "tar -cvf - $filelist|")
Message-Id: <Pine.GSO.4.44.0301141138520.21297-100000@rose.man.poznan.pl>

Hello,

I'm writing a backup script for a local system and I'm using:
	open(TAR, "tar -cvf - $filelist|");
where $filelist is a list of files obtained with `ls` mechanism.

Now the problem is when somebody creates a file with `, ;, " and other
evil characters in its name.
What would be the best approach to prevent a malicious user from executing
commands within my script just by crafting some files with special names?

-marek



------------------------------

Date: 14 Jan 2003 11:31:56 GMT
From: anno4000@lublin.zrz.tu-berlin.de (Anno Siegel)
Subject: Re: security of open(TAR, "tar -cvf - $filelist|")
Message-Id: <b00sfc$kml$1@mamenchi.zrz.TU-Berlin.DE>

Marek Zawadzki  <mzawadzk@man.poznan.pl> wrote in comp.lang.perl.misc:
> Hello,
> 
> I'm writing backup script for a local system and I'm using:
> 	open(TAR, "tar -cvf - $filelist|");
> where $filelist is a list of files obtained with `ls` mechanism.
> 
> Now the problem is when somebody creates a file with `, ;, " and other
> evil characters in its name.
> What would be the best approach to prevent a malicious user from executing
> commands within my script just by crafting some files with special names?

With a sufficiently new Perl, you can specify the command in list form.
This guarantees that no shell is invoked:

    open( TAR, '-|', 'tar', '-cvf', '-', @filelist );   # '-' = archive to stdout

Anno


------------------------------

Date: Tue, 14 Jan 2003 12:21:04 GMT
From: helgi@decode.is (Helgi Briem)
Subject: Re: security of open(TAR, "tar -cvf - $filelist|")
Message-Id: <3e23ffb8.897257047@news.cis.dfn.de>

On Tue, 14 Jan 2003 11:47:28 +0100, Marek Zawadzki
<mzawadzk@man.poznan.pl> wrote:

>I'm writing backup script for a local system and I'm using:
>	open(TAR, "tar -cvf - $filelist|");
>where $filelist is a list of files obtained with `ls` mechanism.

That is the wrong way to get the filelist.  

Here is one way to do it without spawning a child
process:

my $dir = '/path/to/whatever/';
opendir DIR, $dir or die "Cannot opendir $dir:$!\n";
my @filelist = grep !/^\.{1,2}$/,readdir DIR;

If recursion is needed, use the File::Find module.

>Now the problem is when somebody creates a file with `, ;, " and other
>evil characters in its name.
>What would be the best approach to prevent a malicious user from executing
>commands within my script just by crafting some files with special names?

Anno Siegel has answered this part satisfactorily.
-- 
Regards, Helgi Briem
helgi AT decode DOT is


------------------------------

Date: 14 Jan 2003 12:57:19 +0000
From: Brian McCauley <nobull@mail.com>
Subject: Re: security of open(TAR, "tar -cvf - $filelist|")
Message-Id: <u9vg0rj1vc.fsf@wcl-l.bham.ac.uk>

Marek Zawadzki <mzawadzk@man.poznan.pl> writes:

> I'm writing backup script for a local system and I'm using:
> 	open(TAR, "tar -cvf - $filelist|");
> where $filelist is a list of files obtained with `ls` mechanism.
> 
> Now the problem is when somebody creates a file with `, ;, " and other
> evil characters in its name.
> What would be the best approach to prevent a malicious user from executing
> commands within my script just by crafting some files with special names?

Don't use `ls`, use readdir() and keep the filenames in an array so
you don't need to split a scalar.

Avoid /bin/sh involvement by using the LIST form of pipe open() (new
in 5.8):

   open(my $tar, '-|', 'tar', '-cvf', '-', '--', @filelist) or die $!;

-- 
     \\   ( )
  .  _\\__[oo
 .__/  \\ /\@
 .  l___\\
  # ll  l\\
 ###LL  LL\\
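
As an added example that is not part of the thread, the following script puts both halves of the discussion into runnable form: the interpolated `ls`-style string that reaches /bin/sh, and the readdir() plus list-form open() that the replies recommend. The scratch directory, the file names and the `echo INJECTED` marker are constructed for the demonstration; a GNU-compatible tar on PATH and Perl 5.8 or later are assumed.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.  Requires Perl 5.8+ for
# the list form of pipe open() and a GNU-compatible tar on PATH.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Constructed scratch directory with an ordinary file, a file whose name is a
# shell command, and a file whose name looks like a tar option.
my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir $dir: $!";
for my $name ('README', 'README; echo INJECTED', '-rf') {
    open my $fh, '>', $name or die "create '$name': $!";
    print $fh "data\n";
    close $fh;
}

# The original script: names joined into one scalar and interpolated.  The
# string contains shell metacharacters, so Perl runs it through /bin/sh -c,
# which executes "tar -cf - README README" and then "echo INJECTED".
sub vulnerable_tar {
    my $filelist = join ' ', @_;
    open my $tar, "tar -cf - $filelist |" or die "open: $!";
    my $out = do { local $/; <$tar> };
    close $tar;
    return $out;
}

# The fix from the replies: every name is one argv element, no shell is
# involved, and '--' keeps tar from reading a name such as '-rf' as options.
sub safe_tar {
    my @names = @_;
    open my $tar, '-|', 'tar', '-cf', '-', '--', @names or die "open: $!";
    my $out = do { local $/; <$tar> };
    close $tar or die "tar failed, exit status ", $? >> 8, "\n";
    return $out;
}

# Build the list with readdir(), keep it as an array, drop only '.' and '..'.
opendir my $dh, '.' or die "opendir: $!";
my @files = sort grep { !/^\.\.?$/ } readdir $dh;
closedir $dh;

# Two entries are enough to trigger the injection; '-rf' is left out of this
# call because without '--' the shell form would also misparse it as options.
my $bad  = vulnerable_tar('README', 'README; echo INJECTED');
my $good = safe_tar(@files);

# The marker is a line of its own only when echo actually ran; inside the
# archive the hostile name appears as a NUL-terminated tar header field.
printf "shell form ran the injected command:  %s\n", $bad  =~ /^INJECTED$/m ? 'yes' : 'no';
printf "list form ran the injected command:   %s\n", $good =~ /^INJECTED$/m ? 'yes' : 'no';
printf "list form archived the hostile name:  %s\n", index($good, "README; echo INJECTED\0") >= 0 ? 'yes' : 'no';
printf "list form archived '-rf' as a file:   %s\n", index($good, "-rf\0") >= 0 ? 'yes' : 'no';

chdir $orig or die "chdir $orig: $!";
```

The check that matters for the backup script is the `close $tar or die`: with the list form, a non-zero exit from tar is the only way a missing or unreadable file is reported, and the string form would have hidden it behind the exit status of whatever the shell ran last.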


------------------------------

Date: Tue, 14 Jan 2003 00:18:51 -0500
From: Benjamin Goldberg <goldbb2@earthlink.net>
Subject: Re: The "default thing"
Message-Id: <3E239DBB.961F838D@earthlink.net>

Bruce McKenzie wrote:
> 
> In the Chapter 14.1 of Programming Perl, there is an example of how to
> create a package for tying a scalar:
> 
> #!/usr/bin/perl
> package Centsible;
> sub TIESCALAR { bless \my $self, shift }
> sub STORE { ${ $_[0] } = $_[1] }  # do the default thing
> sub FETCH { sprintf "%.02f", ${ my $self = shift } } # round value
> 
> This package is "used" as follows:
> 
> package main;
> tie $bucks, "Centsible";
> $bucks = 45.00;
> $bucks *= 1.0715; # tax
> $bucks *= 1.0715; # and double tax!
> print "That will be $bucks, please.\n";
> 
> I don't understand the shorthand in "the default thing." I guess it
> means that the value referenced by the tied object is now the new
> value. But I don't see where the $_[1] comes from. It's second element
> of an array ??

It's the second element of the @_ array.

Tieing is rather advanced stuff.  Subroutine arguments (that is, the @_
array) is fairly basic stuff.  You should learn about basic stuff before
going on to advanced stuff.

> I couldn't find examples like it elsewhere in the book or the
> manpages. Could someone point me to where this is explained for
> slower individuals like me.

   perldoc perlsub

-- 
$..='(?:(?{local$^C=$^C|'.(1<<$_).'})|)'for+a..4;
$..='(?{print+substr"\n !,$^C,1 if $^C<26})(?!)';
$.=~s'!'haktrsreltanPJ,r  coeueh"';BEGIN{${"\cH"}
|=(1<<21)}""=~$.;qw(Just another Perl hacker,\n);


------------------------------

Date: 14 Jan 2003 05:42:58 -0800
From: mckenzie@bigmultimedia.com (Bruce McKenzie)
Subject: Re: The "default thing"
Message-Id: <bd848f76.0301140542.51922b1d@posting.google.com>

Benjamin Goldberg <goldbb2@earthlink.net> wrote in message news:<3E239DBB.961F838D@earthlink.net>...
> Bruce McKenzie wrote:
> > 
> > In the Chapter 14.1 of Programming Perl, there is an example of how to
> > create a package for tying a scalar:
> > 
> > #!/usr/bin/perl
> > package Centsible;
> > sub TIESCALAR { bless \my $self, shift }
> > sub STORE { ${ $_[0] } = $_[1] }  # do the default thing
> > sub FETCH { sprintf "%.02f", ${ my $self = shift } } # round value
> > 
> > This package is "used" as follows:
> > 
> > package main;
> > tie $bucks, "Centsible";
> > $bucks = 45.00;
> > $bucks *= 1.0715; # tax
> > $bucks *= 1.0715; # and double tax!
> > print "That will be $bucks, please.\n";
> > 
> > I don't understand the shorthand in "the default thing." I guess it
> > means that the value referenced by the tied object is now the new
> > value. But I don't see where the $_[1] comes from. It's second element
> > of an array ??
> 
> It's the second element of the @_ array.
> 
> Tieing is rather advanced stuff.  Subroutine arguments (that is, the @_
> array) is fairly basic stuff.  You should learn about basic stuff before
> going on to advanced stuff.
> 
> > I couldn't find examples like it elsewhere in the book or the
> > manpages. Could someone point me to where this is explained for
> > slower individuals like me.
> 
>    perldoc perlsub

I know this is risky, but let me try asking another way (I have been
using tied hashes and whatnot, but I don't handle the @_ array with
such concision).

Is this sort of how it goes?
$bucks is tied, so when we say
  $bucks = 45.00, 

we're saying something like "(using the methods defined in Centsible
class),
STORE($bucks, 45.00)"

And, written less tersely, STORE becomes

sub STORE { 
  # don't do confusing default thing ${ $_[0] } = $_[1] -- instead do
  my ($self, $value) = @_; # $self is a ref to a scalar (self thinks
:-)
  $self = \$value;       # $self now refs $value;
}

Thx

Bruce


------------------------------

Date: 14 Jan 2003 13:58:39 GMT
From: "Tassilo v. Parseval" <tassilo.parseval@post.rwth-aachen.de>
Subject: Re: The "default thing"
Message-Id: <b0152f$o8i$1@nets3.rz.RWTH-Aachen.DE>

Also sprach Bruce McKenzie:

> I know this is risky, but let me try asking another way (I have been
> using tied hashes and whatnot, but I don't handle the @_ array with
> such concision).
> 
> Is this sort of how it goes?
> $bucks is tied, so when we say
>   $bucks = 45.00, 
> 
> we're saying something like "(using the methods defined in Centsible
> class),
> STORE($bucks, 45.00)"

STORE is invoked, but with a different first argument:

    my $ret = tie $scalar, "Class";
    # scalar is now tied but behaves like an ordinary scalar
    
    $scalar = 45.00;
    # this invokes $ret->STORE(45.00); 
    # which equals
    # Class::STORE($ret, 45.00)

So the method used to implement an operation is not called with the tied
variable itself but rather with the return value of tie(). This is in
fact the variable holding an instance of 'Class'. Now you also see how
tieing relates to object-orientedness.

> And, written less tersely, STORE becomes
> 
> sub STORE { 
>   # don't do confusing default thing ${ $_[0] } = $_[1] -- instead do
>   my ($self, $value) = @_; # $self is a ref to a scalar (self thinks
>:-)
>   $self = \$value;       # $self now refs $value;
> }

Here $self is a copy of $ret from the above code. $self is not $scalar!
If you do

    print $scalar;

the following method is invoked:

    sub FETCH {
        my $self = shift;
        return $$self; # return what $self refers to
    }

which would make the print-line equivalent to:

    print $ret->FETCH;
    # or
    print Class::FETCH($ret)
    
Have you read 'perldoc perltie' already?

Tassilo
-- 
$_=q!",}])(tsuJ[{@"tnirp}3..0}_$;//::niam/s~=)]3[))_$-3(rellac(=_$({
pam{rekcahbus;})(rekcah{lrePbus;})(lreP{rehtonabus;})(rehtona{tsuJbus!;
$_=reverse;s/sub/(reverse"bus").chr(32)/xge;tr~\n~~d;eval;
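
The dispatch Tassilo describes, as an added example that is not from the thread: a tied class that records every call it receives, so the reader can see that STORE and FETCH get the object returned by tie() (the same thing tied() returns), not the tied variable. The class name `Traced` and its fields are made up for the illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;

package Traced;

# tie() calls this; whatever it returns becomes $obj below and is what
# every later STORE/FETCH receives as its first argument.
sub TIESCALAR {
    my ($class, $label) = @_;
    my $self = { label => $label, value => undef, log => [] };
    return bless $self, $class;
}

sub STORE {
    my ($self, $value) = @_;   # $self is the object, $value the right-hand side
    push @{ $self->{log} }, "STORE($value)";
    $self->{value} = $value;   # rebinding $self (as in "$self = \$value")
                               # would change only this lexical, not the tie
}

sub FETCH {
    my ($self) = @_;
    push @{ $self->{log} }, 'FETCH';
    my $v = defined $self->{value} ? $self->{value} : 0;
    return sprintf '%.02f', $v;        # round like Centsible does
}

package main;

my $obj = tie my $bucks, 'Traced', 'bucks';
print 'tie() returned a ', ref($obj), " object\n";
print 'tied($bucks) is that same object: ',
      (tied($bucks) == $obj ? 'yes' : 'no'), "\n";

$bucks = 45.00;        # Traced::STORE($obj, 45)
$bucks *= 1.0715;      # FETCH, multiply in main, then STORE of the result
print "That will be $bucks, please.\n";   # FETCH -> "48.22"

# Expected: STORE(45) FETCH STORE(48.2175) FETCH
print "call log: @{ $obj->{log} }\n";
```

Reading the log next to the three statements in `main` is the quickest way to see why the Centsible example writes `${ $_[0] }`: `$_[0]` is the blessed scalar reference that TIESCALAR returned, and the rounding in FETCH happens on every read, including the one inside `*=`.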


------------------------------

Date: Tue, 14 Jan 2003 10:39:08 +0100
From: Jan Schubert <Jan.Schubert@GMX.li>
Subject: Re: undef of large Hashes/Arrays took a very long time
Message-Id: <b00lsb$k684h$1@ID-2265.news.dfncis.de>

Pierre Asselin wrote:
> If your work is all done, you can code {kill 9, $$;}  to exit in a hurry.
> It returns an error to the OS, but I assume that doesn't matter.
Sure, I considered this, but isn't there a more elegant, clean way!?

Actually the problem isn't the time to exit the program, but the time 
for freeing the memory, which I need afterwards again for some other 
work in the same script. So I have to wait some additional hours or 
split this in 2 scripts (and write the results to a temporary file). 
Unfortunately there might also be a problem in expanding the memory to 
- let's say - 16 GB because the userspace memory is restricted to 
something like 3.5GB in Linux.

Thx a lot,
Jan



------------------------------

Date: 14 Jan 2003 00:00:42 -0800
From: nodiseos@yahoo.com (nikko)
Subject: Using Mail::MAiler to send attachment
Message-Id: <f5912a4f.0301140000.3bdda1e@posting.google.com>

I need to send an attachment using Mail::Mailer.  

Currently my code looks like this:

use Mail::Mailer;

my $mailserver = "smtp.domain.com";
my $mailer = Mail::Mailer->new('smtp', Server => $mailserver);
my(%headers) = ('To'      => $param{'email'},
		'Bcc' 	  => 'nikko@domain.com',
                'From'    => 'ts-systems@domain.com',
                'Subject' => "My subject",
                'Date'    => $date,
                );
$mailer->open(\%headers);
# MAIL is opened on $TEMPFILE but nothing is ever written to it below
open(MAIL, ">$TEMPFILE") || &baderror('Cannot write to email file');

$message = <<EOT;
text of message
EOT
print $mailer $message;
$TEMPFILE =~ s/\//\\/g;
unlink $TEMPFILE;
$mailer->close;
=====================
How would I add a text file to this with the words "test" as content?

Thanks!


------------------------------

Date: Tue, 14 Jan 2003 04:44:14 -0800
From: "qjzhu" <ie_qjzhu@yahoo.ie>
Subject: what's the similar functionality to the '#include' in C?
Message-Id: <b00il2$2ca9$1@mail.cn99.com>

Hi folks,

   In C, a #include directive inserts the content of a file
   into the current source file, now I need the similar functionality
   in perl, what's it?  No packages, no import, no export, etc,
   just insert another file into current file, and then compile,
   is it possible? Thanks




------------------------------

Date: Tue, 14 Jan 2003 08:55:10 +0000 (UTC)
From: Bernard El-Hagin <bernard.el-hagin@DODGE_THISlido-tech.net>
Subject: Re: what's the similar functionality to the '#include' in C?
Message-Id: <b00j9e$136$1@korweta.task.gda.pl>

In article <b00il2$2ca9$1@mail.cn99.com>, qjzhu wrote:
> Hi folks,
> 
>    In C, a #include directive insert the content of a file
>    into current source file, now I need the similar functionality
>    in perl, what's it?  No packages, no import, no export, etc,
>    just insert another file into current file, and then compile,
>    is it possible? Thanks


perldoc -f require


Cheers,
Bernard
--
echo 42|perl -pe '$#="Just another Perl hacker,"'


------------------------------

Date: Tue, 14 Jan 2003 05:11:22 -0800
From: "qjzhu" <ie_qjzhu@yahoo.ie>
Subject: Re: what's the similar functionality to the '#include' in C?
Message-Id: <b00k84$2e0s$1@mail.cn99.com>

 'require' requires the file to be inserted made into a package, doesn't it?
That's not what I want.
 I just want a plain text file to be included(inserted) into another source
file.


"Bernard El-Hagin" <bernard.el-hagin@DODGE_THISlido-tech.net> wrote in
message news:b00j9e$136$1@korweta.task.gda.pl...
> In article <b00il2$2ca9$1@mail.cn99.com>, qjzhu wrote:
> > Hi folks,
> >
> >    In C, a #include directive insert the content of a file
> >    into current source file, now I need the similar functionality
> >    in perl, what's it?  No packages, no import, no export, etc,
> >    just insert another file into current file, and then compile,
> >    is it possible? Thanks
>
>
> perldoc -f require
>
>
> Cheers,
> Bernard
> --
> echo 42|perl -pe '$#="Just another Perl hacker,"'




------------------------------

Date: 14 Jan 2003 10:05:24 GMT
From: sholden@flexal.cs.usyd.edu.au (Sam Holden)
Subject: Re: what's the similar functionality to the '#include' in C?
Message-Id: <slrnb27o74.c42.sholden@flexal.cs.usyd.edu.au>

On Tue, 14 Jan 2003 05:11:22 -0800, qjzhu <ie_qjzhu@yahoo.ie> wrote:
>  'require' requires the file to be inserted made into a package, doesn't it?
> That's not what I want.

require has nothing to do with packages. 

>  I just want a plain text file to be included(inserted) into another source
> file.

Read the documentation you were pointed to.

[snip quote of entire article, including sig]

Only quote the bits you need, and put your replies after the relevant bits,
not at the top. It makes it *far* easier for people to work out what is
going on.

-- 
Sam Holden
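
As an added example that is not from the thread, this script shows what `perldoc -f require` leads to for the question asked: a plain file with no package statement pulled into the caller with require(), and do FILE for the re-read-every-time behaviour of a C-style #include. The included file (`helpers.pl`, its sub and its variable) is written to a temporary directory by the script itself so that it runs stand-alone; those names are invented for the illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed include file; in practice it would already exist on disk.
my $dir = tempdir(CLEANUP => 1);
my $inc = "$dir/helpers.pl";
open my $fh, '>', $inc or die "write $inc: $!";
print $fh <<'EOT';
# helpers.pl: no package statement, so the sub and the variable land in
# the caller's package (main), exactly as a textual include would.
sub greet { return "hello, $_[0]" }
our $VERSION_TAG = 'helpers-1';
1;   # require() insists on a true value as the file's last expression
EOT
close $fh;

# An absolute path (or one starting with ./ or ../) is used as given.  A bare
# name such as 'helpers.pl' would instead be searched for along @INC, and the
# current directory has not been in @INC by default since Perl 5.26, so an
# attacker-writable directory on @INC, not the script's own, would be what
# gets consulted.
require $inc;
print greet('world'), "\n";        # hello, world
print "$main::VERSION_TAG\n";      # helpers-1

# require() loads a given path once (%INC remembers it); do FILE re-reads and
# re-executes the file every call, which is the #include-like behaviour for a
# configuration fragment that may change between runs.
require $inc;                      # no-op, already in %INC
my $again = do $inc;
die "do $inc failed: ", ($@ || $!), "\n" unless $again;
print "do() returned: $again\n";   # 1
print "loaded once via require: ", (exists $INC{$inc} ? 'yes' : 'no'), "\n";
```

If the included file is under the control of any other user, require() and do() are `eval` of that file's contents, so the same ownership and permission checks one would apply to the script itself apply to it.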



------------------------------

Date: Tue, 14 Jan 2003 07:49:55 -0600
From: tadmc@augustmail.com (Tad McClellan)
Subject: Re: what's the similar functionality to the '#include' in C?
Message-Id: <slrnb285c3.6ar.tadmc@magna.augustmail.com>

qjzhu <ie_qjzhu@yahoo.ie> wrote:

>  'require' requires the file to be inserted made into a package, doesn't it?


What happened when you tried it?



[snip TOFU]

-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas


------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc.  For subscription or unsubscription requests, send
the single line:

	subscribe perl-users
or:
	unsubscribe perl-users

to almanac@ruby.oce.orst.edu.  

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.

For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 4400
***************************************

