[23529] in Perl-Users-Digest
Perl-Users Digest, Issue: 5738 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Sat Nov 1 03:05:51 2003
Date: Sat, 1 Nov 2003 00:05:09 -0800 (PST)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Sat, 1 Nov 2003 Volume: 10 Number: 5738
Today's topics:
Re: Can't do setuid and file permision denied errors (MegaZone)
Re: Checkbox - database checkbox, if checked gives val (Tad McClellan)
Re: How to tell what modules are installed? (Kevin Shay)
Re: Human verifiable image of numbers, for CGI (James Willmore)
Re: Human verifiable image of numbers, for CGI <nospam@bigpond.com>
Re: Newbie: Difference between $array[0] and @array[0] <davido@pacifier.com>
Re: Newbie: Difference between $array[0] and @array[0] (Tad McClellan)
Uploading multiple files <m-m@lcc.net>
Re: Uploading multiple files (William Herrera)
User Security <ducott_99@yahoo.com>
Re: User Security <me@privacy.net>
Re: User Security <noreply@gunnar.cc>
Re: User Security <kuujinbo@hotmail.com>
Re: Watching The ... <kuujinbo@hotmail.com>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: 1 Nov 2003 04:15:16 GMT
From: newsREMOVE@THISmegazone.org (MegaZone)
Subject: Re: Can't do setuid and file permision denied errors
Message-Id: <megazone.1067660116@sidehack.sat.gweep.net>
abigail@abigail.nl shaped the electrons to say:
>Changing passwords via a web interface is a dumb thing to do.
I think that's a bad generalization. I'd certainly want SSL, with
strong certs, involved, but no one who is realistic can expect users
to always appear in person, or even have shell access, for many
servers. I regularly use machines quite a distance from me,
physically. There is no practical way to show up in person. I've
also adminned machines used by people spread across the globe.
Most of them use shell anyway, and can change their passwords with
ssh. But for a lot of today's users you're talking about remote POP3
users, web front ends, etc. And it is natural to be able to change
passwords that way. If I suspect someone might have cracked a
password, I want to be able to change it immediately. There is no
such thing as a perfect password.
>Changing the passwords by directly opening /etc/shadow is dangerous.
Yeah, I think it'd be better to call one of the standard applications
for this, like passwd.
>Doing that with a program written in a language you just started
>to use sounds like a bloody stupid idea to me.
Messing with security by blindly thrashing around is never a good
plan.
>On the boxes I've adminned, there has only be one way for a user
>to set a new password: appear in person, and if needed with an ID.
That's a luxury many admins don't have.
-MZ, RHCE #806199299900541, ex-CISSP #3762
--
<URL:mailto:megazoneatmegazone.org> Gweep, Discordian, Author, Engineer, me.
"A little nonsense now and then, is relished by the wisest men" 508-755-4098
<URL:http://www.megazone.org/> <URL:http://www.eyrie-productions.com/> Eris
------------------------------
Date: Fri, 31 Oct 2003 23:39:18 -0600
From: tadmc@augustmail.com (Tad McClellan)
Subject: Re: Checkbox - database checkbox, if checked gives value of 1 .. how to sum ?
Message-Id: <slrnbq6ho6.kkh.tadmc@magna.augustmail.com>
randy <searsdvdtech@yahoo.com> wrote:
> If I want to
> top post. This is my choice.
So long then.
--
Tad McClellan SGML consulting
tadmc@augustmail.com Perl programming
Fort Worth, Texas
------------------------------
Date: 31 Oct 2003 21:07:41 -0800
From: kevin_shay@yahoo.com (Kevin Shay)
Subject: Re: How to tell what modules are installed?
Message-Id: <5550ef1e.0310312107.6846a86b@posting.google.com>
james.h.anderson@ssmb.com (Jim Anderson) wrote in message
news:<2cfb060a.0310301240.5d570a03@posting.google.com>...
> Our SysAdmins have created a Solaris package of perl5.8.0 and
> installed a number
> of packages from CPAN. What's the best way to get a list of all the
> installed modules?
Perl Diver is handy (free registration apparently required):
http://www.scriptsolutions.com/programs/free/perldiver/
Kevin
--
perl -MLWP::UserAgent -e '$u=new LWP::UserAgent;$u->agent("japh");
print join(" ",(split(/\s+/,(split/\n/,$u->request(HTTP::Request->
new(GET=>join("",split(/\n/,"http://groups.google.com/groups?selm=
4365%40omepd.UUCP&output=gplain"))))->content)[60]))[0..3]),",\n"'
------------------------------
Date: 31 Oct 2003 19:08:29 -0800
From: jwillmore@myrealbox.com (James Willmore)
Subject: Re: Human verifiable image of numbers, for CGI
Message-Id: <d61170e5.0310311908.26bdaa7c@posting.google.com>
brendan@symonty.org (brendan) wrote in message news:<282ee219.0310311507.5f2d0b3b@posting.google.com>...
> hi all,
>
> I want to make sure it's a human posting to my webpage, by doing what
> PayPal (and lots of other websites) now do: displaying a bitmap of
> some numbers and asking the user to enter these numbers.
>
> Are there any Perl scripts and/or tutorials explaining how to do this?
Have a look at the GD module. This will help in creating an image.
HTH
Jim
------------------------------
Date: Sat, 01 Nov 2003 13:27:35 +1000
From: Gregory Toomey <nospam@bigpond.com>
Subject: Re: Human verifiable image of numbers, for CGI
Message-Id: <3435833.yPbfEUdRbz@gregs-web-hosting-and-pickle-farming>
It was a dark and stormy night, and James Willmore managed to scribble:
> brendan@symonty.org (brendan) wrote in message
> news:<282ee219.0310311507.5f2d0b3b@posting.google.com>...
>> hi all,
>>
>> I want to make sure it's a human posting to my webpage, by doing what
>> PayPal (and lots of other websites) now do: displaying a bitmap of
>> some numbers and asking the user to enter these numbers.
>>
>> Are there any Perl scripts and/or tutorials explaining how to do this?
>
> Have a look at the GD module. This will help in creating an image.
>
> HTH
>
> Jim
Itsa simple. You could probably use
1. Set up a background image eg $im = newFromGif GD::Image()
(assuming you use a gif)
2. write your chars eg $im->string()
gtoomey
------------------------------
Date: Sat, 01 Nov 2003 03:13:12 GMT
From: "Dave Oswald" <davido@pacifier.com>
Subject: Re: Newbie: Difference between $array[0] and @array[0]
Message-Id: <cxFob.18062$YO5.9028686@news3.news.adelphia.net>
"darren_uk" <none@hotmail.com> wrote:
> Is there any difference between:
>
> $array[0]
> and
> @array[0]
The first equates to the single scalar element whos value is stored in
$array[0]. The second equates to a list that holds the single value
contained in $array[0].
Consider the following examples:
use strict;
sub context {
if ( wantarray ) {
print "List context.\n";
return 1;
} else {
print "Scalar context.\n";
return 0;
}
}
my @array = qw/Bart Homer Marge Maggy Lisa/;
@array[context()];
$array[context()];
@array[0] = context();
$array[0] = context();
The output will be:
List context.
Scalar context.
List context.
Scalar context.
I leave it to future lessons for you to see the significance and
ramifications of the distinction between list and scalar context.
The idea is that @array[......] is an array slice. An array slice is a list
of values, even if that list is only one value long. $array[i] is an array
element, which is a scalar that contains some value (or no value). Always,
you should use array slices when you need a slice, and array indexing when
you need a scalar.
------------------------------
Date: Sat, 1 Nov 2003 00:04:32 -0600
From: tadmc@augustmail.com (Tad McClellan)
Subject: Re: Newbie: Difference between $array[0] and @array[0]
Message-Id: <slrnbq6j7g.kle.tadmc@magna.augustmail.com>
darren_uk <none@hotmail.com> wrote:
> I've just read an introduction to arrays (in man perlintro).
See also the "Context" section in
perldoc perldata
> It explains that to get a single value from an array, use the scalar prefix
> "$"
> $array[0]
Right.
Dollar sign means: "one thing". (ie. a scalar)
If you use that on the LHS of an assignment, the RHS will
get _scalar_ context.
> Later it explains that to get multiple values, use the array prefix "@"
> @array[0,1]
Right.
At sign means: "(potentially) many things". (ie. a list)
If you use that on the LHS of an assignment, the RHS will
get _list_ context.
> Is there any difference between:
>
> $array[0]
> and
> @array[0]
Yes sometimes.
No sometimes.
The question cannot be answered without seeing how they are
used in the surrounding code.
If they are used in a place where context matters, then
yes, they are different.
--
Tad McClellan SGML consulting
tadmc@augustmail.com Perl programming
Fort Worth, Texas
------------------------------
Date: Fri, 31 Oct 2003 22:59:33 -0600
From: "Melissa McGehee" <m-m@lcc.net>
Subject: Uploading multiple files
Message-Id: <3fa33a11@katy-news.txucom.net>
Hi there! Been a while...3 years... but I'm back!
I have a script that uploads ONE user file. But I want to upload two. This
seems like a simple question...but in the newsgroup messages downloaded, I
cannot find anything that matches.
Please advise what I can do to upload multiple files. I have a section
commented out below that was SUPPOSED to allow the second file to
upload...but never worked. ALL SUGGESTIONS WELCOMED!
Many thanks! (and it's great to be back...)
~Melissa
---------------------------------
use CGI qw(:standard);
$query = new CGI;
########################################################################
# Breaks down the name-value pairs.
########################################################################
foreach $key (sort {$a <=> $b} $query->param()) {
$CAT =$query->param('CAT');
$SKU =$query->param('SKU');
$MF =$query->param('MF');
$ITEM =$query->param('ITEM');
$L =$query->param('L');
$W =$query->param('W');
$H =$query->param('H');
$PRICE =$query->param('PRICE');
$DES =$query->param('DES');
$RSKU1 =$query->param('RSKU1');
$RSKU2 =$query->param('RSKU2');
$RSKU3 =$query->param('RSKU3');
$RSKU4 =$query->param('RSKU4');
$RSKU5 =$query->param('RSKU5');
$RSKU6 =$query->param('RSKU6');
$RSKU7 =$query->param('RSKU7');
$RSKU8 =$query->param('RSKU8');
$RSKU9 =$query->param('RSKU9');
$RSKU10 =$query->param('RSKU10');
$SUBITEM1 =$query->param('SUBITEM1');
$SUBDIMS1 =$query->param('SUBDIMS1');
$SUBPRICE1 =$query->param('SUBPRICE1');
$SUBITEM2 =$query->param('SUBITEM2');
$SUBDIMS2 =$query->param('SUBDIMS2');
$SUBPRICE2 =$query->param('SUBPRICE2');
$SUBITEM3 =$query->param('SUBITEM3');
$SUBDIMS3 =$query->param('SUBDIMS3');
$SUBPRICE3 =$query->param('SUBPRICE3');
next if ($key =~ /^\s*$/);
next if ($query->param($key) =~ /^\s*$/);
next if ($key !~ /^IMG$/);
# foreach $key {
# $Number = $1;
if ($query->param($key) =~ /([^\/\\]+)$/) {
$Filename = $1;
$Filename =~ s/^\.+//;
$File_Handle = $query->param($key);
}
open(LOG, ">../$CAT/$Filename") || &ErrorMessage;
undef $BytesRead;
undef $Buffer;
while ($Bytes = read($File_Handle,$Buffer,1024)) {
$BytesRead += $Bytes;
print LOG $Buffer;
}
push(@Files_Written, "../$CAT/$Filename");
$TOTAL_BYTES += $BytesRead;
$Confirmation{$File_Handle} = $BytesRead;
close($File_Handle);
close(LOG);
chmod (0777, "../$CAT/$Filename");
#########################################################
#
# next if ($key =~ /^\s*$/);
# next if ($query->param($key) =~ /^\s*$/);
# next if ($key !~ /^THUMB$/);
# $Number = $1;
#
# if ($query->param($key) =~ /([^\/\\]+)$/) {
# $Filename2 = $1;
# $Filename2 =~ s/^\.+//;
# $File_Handle2 = $query->param($key);
#
# }
#
#
# open(LOG, ">../../PDC/$CAT/$Filename2") || &ErrorMessage2;
#
# undef $BytesRead;
# undef $Buffer;
#
# while ($Bytes = read($File_Handle2,$Buffer,1024)) {
# $BytesRead += $Bytes;
# print LOG $Buffer;
# }
#
# push(@Files_Written2, "../../PDC/$CAT/$Filename2");
# $TOTAL_BYTES += $BytesRead;
# $Confirmation{$File_Handle2} = $BytesRead;
#
# close($File_Handle2);
# close(LOG);
#
# chmod (0777, "../../PDC/$CAT/$Filename2");
#
#
#########################################################
$file = $SKU . ".txt";
$IMG2 = $Filename;
# $TIMG2 = $Filename2;
open(LOG, ">../$CAT/$file") || &ErrorMessage;
chmod(0777, "../$CAT/$file");
print LOG "$CAT\n";
print LOG "$SKU\n";
print LOG "$MF\n";
print LOG "$ITEM\n";
print LOG "$L\n";
print LOG "$W\n";
print LOG "$H\n";
print LOG "$PRICE\n";
print LOG "$IMG2\n";
# print LOG "$TIMG2\n";
print LOG "$DES\n";
print LOG "$RSKU1\n";
print LOG "$RSKU2\n";
print LOG "$RSKU3\n";
print LOG "$RSKU4\n";
print LOG "$RSKU5\n";
print LOG "$RSKU6\n";
print LOG "$RSKU7\n";
print LOG "$RSKU8\n";
print LOG "$RSKU9\n";
print LOG "$RSKU10\n";
print LOG "$SUBITEM1\n";
print LOG "$SUBDIMS1\n";
print LOG "$SUBPRICE1\n";
print LOG "$SUBITEM2\n";
print LOG "$SUBDIMS2\n";
print LOG "$SUBPRICE2\n";
print LOG "$SUBITEM3\n";
print LOG "$SUBDIMS3\n";
print LOG "$SUBPRICE3\n";
close(LOG);
print <<HTML_CODE;
------------------------------
Date: Sat, 01 Nov 2003 06:58:24 GMT
From: wherrera@lynxview.com (William Herrera)
Subject: Re: Uploading multiple files
Message-Id: <3fa356ac.23261894@news2.news.adelphia.net>
On Fri, 31 Oct 2003 22:59:33 -0600, "Melissa McGehee" <m-m@lcc.net> wrote:
>Hi there! Been a while...3 years... but I'm back!
>
>I have a script that uploads ONE user file. But I want to upload two. This
>seems like a simple question...but in the newsgroup messages downloaded, I
>cannot find anything that matches.
>
>Please advise what I can do to upload multiple files. I have a section
>commented out below that was SUPPOSED to allow the second file to
>upload...but never worked. ALL SUGGESTIONS WELCOMED!
>
>Many thanks! (and it's great to be back...)
>
.............
> next if ($key =~ /^\s*$/);
> next if ($query->param($key) =~ /^\s*$/);
> next if ($key !~ /^IMG$/);
># foreach $key {
># $Number = $1;
>
> if ($query->param($key) =~ /([^\/\\]+)$/) {
> $Filename = $1;
> $Filename =~ s/^\.+//;
> $File_Handle = $query->param($key);
>
> }
>
>
>open(LOG, ">../$CAT/$Filename") || &ErrorMessage;
>
> undef $BytesRead;
> undef $Buffer;
>
> while ($Bytes = read($File_Handle,$Buffer,1024)) {
> $BytesRead += $Bytes;
> print LOG $Buffer;
> }
>
> push(@Files_Written, "../$CAT/$Filename");
> $TOTAL_BYTES += $BytesRead;
> $Confirmation{$File_Handle} = $BytesRead;
>
> close($File_Handle);
> close(LOG);
>
> chmod (0777, "../$CAT/$Filename");
>
>#########################################################
>#
># next if ($key =~ /^\s*$/);
># next if ($query->param($key) =~ /^\s*$/);
># next if ($key !~ /^THUMB$/);
># $Number = $1;
>#
># if ($query->param($key) =~ /([^\/\\]+)$/) {
># $Filename2 = $1;
># $Filename2 =~ s/^\.+//;
># $File_Handle2 = $query->param($key);
>#
># }
>#
>#
># open(LOG, ">../../PDC/$CAT/$Filename2") || &ErrorMessage2;
>#
># undef $BytesRead;
># undef $Buffer;
>#
># while ($Bytes = read($File_Handle2,$Buffer,1024)) {
># $BytesRead += $Bytes;
># print LOG $Buffer;
># }
>#
># push(@Files_Written2, "../../PDC/$CAT/$Filename2");
># $TOTAL_BYTES += $BytesRead;
># $Confirmation{$File_Handle2} = $BytesRead;
>#
># close($File_Handle2);
># close(LOG);
>#
># chmod (0777, "../../PDC/$CAT/$Filename2");
>#
>#
>#########################################################
>
............
The above has me confused. For three years I've had more of less nonstop daily
working code that does what you are asking about, but it looks very little like
yours.
I know that with CGI.pm you may use a filefield() in a mutilpart form (and you
may use several differently named filefilelds in a table with one submit button
for multiple file uploading) to upload a file or files that you then read via
those names with the upload() function of CGI, but I do not see those in your
code. Have you looked at the examples in the CGI.pm docs? Is your CGI a
multipart form?
BTW, 'use strict' may be incompatible with some file uploads via CGI due to the
passed handle syntax. I don't see stricture in your example though.
---
Use the domain skylightview (dot) com for the reply address instead.
------------------------------
Date: Sat, 01 Nov 2003 02:57:39 GMT
From: "Robert TV" <ducott_99@yahoo.com>
Subject: User Security
Message-Id: <DiFob.239793$9l5.30508@pd7tw2no>
Hello all,
I'm trying to build the best possible security for my perl script. The main
page of my web site has a login and password box. When submitted, the userid
and password are compared against valid accounts, and the programs runs if
successful. I forsee a potentail security hole in the, and it has to do with
someone accessing the perl script from their own web page or server using a
false login and password form that would have the same form names as my own.
I would like my script to check the refferrer of the login submission and
take action based on that result. EG:
#!/usr/bin/perl
if (refferring web page does not eq "myserver.com/login.pl") {
print "Access Denied";
exit;
} else {
allow access to my program, and verify username and password
}
Can someone please help me out with the syntax I would need to correctly
accomplish this?
Thanx!
Randy
------------------------------
Date: Sat, 1 Nov 2003 16:17:21 +1300
From: "Tintin" <me@privacy.net>
Subject: Re: User Security
Message-Id: <bnv8pj$164lgo$1@ID-172104.news.uni-berlin.de>
"Robert TV" <ducott_99@yahoo.com> wrote in message
news:DiFob.239793$9l5.30508@pd7tw2no...
> Hello all,
>
> I'm trying to build the best possible security for my perl script. The
main
> page of my web site has a login and password box. When submitted, the
userid
> and password are compared against valid accounts, and the programs runs if
> successful. I forsee a potentail security hole in the, and it has to do
with
> someone accessing the perl script from their own web page or server using
a
> false login and password form that would have the same form names as my
own.
If they are using a false login, how would it be able to get in if you a
validating the userid/password?
> I would like my script to check the refferrer of the login submission and
> take action based on that result. EG:
>
> #!/usr/bin/perl
>
> if (refferring web page does not eq "myserver.com/login.pl") {
> print "Access Denied";
> exit;
> } else {
> allow access to my program, and verify username and password
> }
>
> Can someone please help me out with the syntax I would need to correctly
> accomplish this?
if
($CGI_variable_that_may_or_may_not_be_valid/available_and_would_be_the_same_
in_any_other_language != "myserver.com/login.pl") {
print "Access Denied";
exit;
} else {
allow access to my program, and verify username and password
}
------------------------------
Date: Sat, 01 Nov 2003 04:39:33 +0100
From: Gunnar Hjalmarsson <noreply@gunnar.cc>
Subject: Re: User Security
Message-Id: <bnva02$169vva$1@ID-184292.news.uni-berlin.de>
Robert TV wrote:
> Hello all,
I just commented on your question in
comp.infosystems.www.authoring.cgi without knowing that you had
multi-posted and that others already had posted comments.
Do not multi-post!!
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a
SELF-MODERATED newsgroup. aa.net and boutell.com are
NOT the originators of the articles and are NOT responsible
for their content.
HOW TO POST to comp.infosystems.www.authoring.cgi:
http://www.thinkspot.net/ciwac/howtopost.html
------------------------------
Date: Sat, 01 Nov 2003 12:54:28 +0900
From: ko <kuujinbo@hotmail.com>
Subject: Re: User Security
Message-Id: <bnvaup$t08$1@pin3.tky.plala.or.jp>
Robert TV wrote:
> Hello all,
>
> I'm trying to build the best possible security for my perl script. The main
> page of my web site has a login and password box. When submitted, the userid
> and password are compared against valid accounts, and the programs runs if
> successful. I forsee a potentail security hole in the, and it has to do with
> someone accessing the perl script from their own web page or server using a
> false login and password form that would have the same form names as my own.
> I would like my script to check the refferrer of the login submission and
> take action based on that result. EG:
>
> #!/usr/bin/perl
>
> if (refferring web page does not eq "myserver.com/login.pl") {
> print "Access Denied";
> exit;
> } else {
> allow access to my program, and verify username and password
> }
>
> Can someone please help me out with the syntax I would need to correctly
> accomplish this?
>
> Thanx!
> Randy
>
>
If you're really concerned about eliminating security holes, you should
*never* assume any data passed by the client is good/trustworthy. For
example, the LWP module allows someone to easily manipulate client
header (including the referer) values.
HTH - keith
------------------------------
Date: Sat, 01 Nov 2003 11:00:27 +0900
From: ko <kuujinbo@hotmail.com>
Subject: Re: Watching The ...
Message-Id: <bnv48v$m38$1@pin3.tky.plala.or.jp>
Desmond Coughlan wrote:
> I'm using FreeBSD, but as their ports system sucks bigtime, I generally
> install from source myself.
There's nothing wrong with the ports/package system, although there's
also nothing wrong with installing from source :)
I've had no problems with pkg_add PACKAGE. For Perl, its easy as FTP'ing
the Perl package and:
pkg_add PERL_PACKAGE_VERSION
If you use pkg_add with the -r option, dependencies are added too (for
instance when installing Perl modules). If you install Perl, a
'use.perl' script is also installed. So to let the system know you want
to use the port/package version of Perl by default:
use.perl port
perl -v
This is perl, v5.8.0 built for i386-freebsd
...
and to switch back to the default version (when making world, etc):
use.perl system
perl -v
This is perl, version 5.005_03 built for i386-freebsd
...
pkg_add also gives you the option of easily uninstalling packages you
don't like...
HTH - keith
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 5738
***************************************
