[25172] in Perl-Users-Digest
Perl-Users Digest, Issue: 7421 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Thu Nov 18 18:10:30 2004
Date: Thu, 18 Nov 2004 15:10:10 -0800 (PST)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Thu, 18 Nov 2004 Volume: 10 Number: 7421
Today's topics:
Re: problems using taint to check an array be created b <phill@mywebstuff.com>
Re: problems using taint to check an array be created b <phill@mywebstuff.com>
Re: problems using taint to check an array be created b <phill@mywebstuff.com>
Really? <wh@tever.tld>
Re: Really? <perl@my-header.org>
Simple (!) HTML/PERL code fpr uploading files through w (Gerd Pohlmann)
Re: Simple (!) HTML/PERL code fpr uploading files throu <1usa@llenroc.ude.invalid>
Re: SSI Question <richard@zync.co.uk>
Re: SSI Question <nospam@nospam.com>
Re: the antichomp <segraves_f13@mindspring.com>
Re: the antichomp (wana)
Re: the antichomp <uri@stemsystems.com>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Thu, 18 Nov 2004 22:37:07 +0100
From: phill hw <phill@mywebstuff.com>
Subject: Re: problems using taint to check an array be created by cgi
Message-Id: <pan.2004.11.18.21.37.05.48250@mywebstuff.com>
On Wed, 17 Nov 2004 03:30:53 +0100, Gunnar Hjalmarsson wrote:
> phill hw wrote:
>> If I use the following script, I cannot use the data contained in the @sports array
>> as it is still considered tainted.
>>
>> #!/usr/bin/perl -Tw
>>
>> use strict;
>> use CGI qw/:standard :html3/;
>> use CGI::Carp 'fatalsToBrowser';
>>
>> if (param())
>> {
>> my ($query) = new CGI;
>> my ($s) = $query->param('s') =~ /^([\w]+)$/ if $query->param('s');
>> my (@sports) = $query->param('sports')=~ /^([\d]+)$/ if $query->param('sports');
>
> The m// operator shall be applied to a string, not a list or array.
>
>> How can I correctly parse the @sports array to allow for numbers only without
>> having to construct a second array?
>
> You need to untaint each element separately. The map() function comes to
> mind:
>
> my @sports = map { /^(\d+)$/ } $q->param('sport');
That's the answer I was looking for :-)
Thank you
Phill
------------------------------
Date: Thu, 18 Nov 2004 22:39:42 +0100
From: phill hw <phill@mywebstuff.com>
Subject: Re: problems using taint to check an array be created by cgi
Message-Id: <pan.2004.11.18.21.39.42.670746@mywebstuff.com>
>
>> My code:
>> my ($s) = $query->param('s') =~ /^([\w]+)$/ if $query->param('s');
>>
>> is from the perl cookbook
>> (link) so I consider it safe
>> as I am very restrictive on params.
>
> On the other hand, using that page is tantamount to stealing from the
> authors. Please don't use those pages, and complain loudly when you
> encounter them. The authors of these books need to eat too.
>
Yes, you are probably right about the link - blame Google. Luckily the
"security chapter" is available from O'Reilly as the sample chapter for the
second edition.
http://www.oreilly.com/catalog/cgi2/chapter/ch08.html
The first edition of this book is completely available as an openbook
http://www.oreilly.com/openbook/cgi/ because it's out of print.
I know the authors need to eat; that's why I always buy, and have purchased
this plus many others from O'Reilly. I just wanted to demonstrate that it is a common
method of writing a line of code for checking tainted data. I was
not complaining loudly, as I use the method; whether it is visually appealing
is not of the utmost concern to me for my own scripts. Your link to
http://tinyurl.com/4vr53, which my newsserver did not display until
today, well after your second post, is a super example of the problems
of finding things in documentation.
I could not find in any of the Perl books "I have purchased" an
example of untainting an array. Maybe I need to read them again.
That's why I asked this newsgroup. If anyone knows one, with its
ISBN number, I will buy a copy of it. My original question was whether
there is a similar way to untaint the data in an
array without having to use another array.
Thanks
Phill
------------------------------
Date: Thu, 18 Nov 2004 22:47:10 +0100
From: phill hw <phill@mywebstuff.com>
Subject: Re: problems using taint to check an array be created by cgi
Message-Id: <pan.2004.11.18.21.47.04.609054@mywebstuff.com>
> Again, \d is a character class of its own. And, by the way, is
> 987327332882727273774746655222411313232638482929399949872873498238971232838
> 123847328723984792837482374982374621347326473624723648723648732648726423444
> 23424 a valid value for sports?
>
> Sinan.
Theoretically it is, as long as it's unsigned :-)
Phill
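Gunnar's map() answer untaints each element of the multi-valued param separately, which is the only way a regex capture can untaint a list under -T. The script below is an added example, not code from this thread, that does the same per-element untainting as a named sub and adds two checks a practitioner wants on CGI input: it anchors with \A and \z instead of ^ and $ (since $ also matches before a trailing newline, "42\n" would slip through /^(\d+)$/), and it caps the length before matching, which answers Sinan's question about absurdly long digit strings. The sub name untaint_ids and the sample values are constructed for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example, not from the thread. Untaint a list of CGI values one
# element at a time: m// must be applied to each scalar (applying it to a
# whole list, as in the original post, does not work), and the capture $1
# is the untainted copy.
#
# Anchors: \A and \z bind to the true ends of the string, whereas $ also
# matches before a final "\n". [0-9] is used rather than \d, which under
# Unicode rules can match digits from other scripts. The length cap rejects
# over-long input before any further handling.
sub untaint_ids {
    my ($max_len, @values) = @_;
    my @clean;
    for my $v (@values) {
        next unless defined $v;
        next if length $v > $max_len;         # reject over-long values first
        next unless $v =~ /\A([0-9]+)\z/;     # digits only, whole string
        push @clean, $1;                      # $1 is untainted
    }
    return @clean;
}

# Constructed sample input standing in for $query->param('sports').
my @raw = ('12', '7', '12abc', "99\n", '0' x 200, '');
my @ok  = untaint_ids(10, @raw);
print "accepted: @ok\n";
```

Run it as `perl -T example.pl` (or make it executable) so the -T in the shebang line takes effect; invoking it as `perl example.pl` dies with "Too late for -T". The equivalent one-liner in Gunnar's style is `map { /\A([0-9]+)\z/ ? $1 : () } @raw`, which silently drops non-matching elements, so a caller that needs to know which values were rejected should compare the two lengths.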
------------------------------
Date: Thu, 18 Nov 2004 22:15:10 GMT
From: Octo Mancer <wh@tever.tld>
Subject: Really?
Message-Id: <pan.2004.11.18.22.14.28.889658@tever.tld>
"Perl is a script programming language that is similar in syntax to the C
language and that includes a number of popular Unix facilities such as
SED, awk, and tr. Perl is an interpreted language that can optionally be
compiled just before execution into either C code or cross-platform
bytecode."
It seems that talking bollocks about Perl is not confined to graduate
students ...
http://searchenterpriselinux.techtarget.com/sDefinition/0,,sid39_gci214291,00.html
------------------------------
Date: Thu, 18 Nov 2004 23:41:09 +0100
From: Matija Papec <perl@my-header.org>
Subject: Re: Really?
Message-Id: <509qp0tl73nkajjhqdfbkfpbrdqlmfq87v@4ax.com>
X-Ftn-To: Octo Mancer
Octo Mancer <wh@tever.tld> wrote:
>"Perl is a script programming language that is similar in syntax to the C
>language and that includes a number of popular Unix facilities such as
>SED, awk, and tr. Perl is an interpreted language that can optionally be
>compiled just before execution into either C code or cross-platform
>bytecode."
>
>It seems that talking bollocks about Perl is not confined to graduate
>students ...
>
>http://searchenterpriselinux.techtarget.com/sDefinition/0,,sid39_gci214291,00.html
So you actually have something to say or just want to populate killfile?
--
Matija
------------------------------
Date: Thu, 18 Nov 2004 22:12:43 +0100
From: gpohl@email.com (Gerd Pohlmann)
Subject: Simple (!) HTML/PERL code fpr uploading files through web pages entyr field ??
Message-Id: <cnj38a$h93$00$1@news.t-online.com>
I want to offer a possibility to upload a file on a certain (password protected) web page.
Ok, I have seen a lot of huge Perl libraries which offer such functionality.
But I am not the administrator of the server. I cannot install a Perl library.
So I am searching for a simpler way to achieve this.
I can install simple Perl scripts and HTML pages - that's all.
Does someone know such a simple Perl script?
Gerd
------------------------------
Date: 18 Nov 2004 21:40:11 GMT
From: "A. Sinan Unur" <1usa@llenroc.ude.invalid>
Subject: Re: Simple (!) HTML/PERL code fpr uploading files through web pages entyr field ??
Message-Id: <Xns95A5A9932E5A8asu1cornelledu@132.236.56.8>
gpohl@email.com (Gerd Pohlmann) wrote in
news:cnj38a$h93$00$1@news.t-online.com:
> But I am not the administrator of the server. I cannot
> install a perl library.
See perldoc -q lib
Sinan
------------------------------
Date: Thu, 18 Nov 2004 19:16:01 +0000
From: Richard Gration <richard@zync.co.uk>
Subject: Re: SSI Question
Message-Id: <pan.2004.11.18.19.16.00.864211@zync.co.uk>
On Thu, 18 Nov 2004 13:44:49 -0500, daniel kaplan wrote:
> hey all,
>
> someone told me to read and act on cookies by using javascrpt within the
> webpage. now in my Perl reading i came across SSI statements.
>
> i.e.<!--#exec cgi="/cgi-bin/whattimeisit.cgi"-->
>
> and i was curious why not use statements like that to read a users cookies
> and do a redirect if i have to. now granted, i don't know if this works,
> and when i get back to my programming machine i will test it. (otherwise i
> would have done that first)
What you will find is that you can't do a redirect from a script called
via SSI.
>
> but the point is, even if it does, that's doesn't make it the right way. so
> i was curious...would this be considered bad? kloodge? cheesy? band-aid?
> etc.
Personally my feeling is that if you are going to the trouble of writing a
perl script, you would be better off having the script deliver the entire
page and doing away with the SSI, because both incur the overhead of
starting a perl interpreter and the former is much more powerful in the
same way that a nuclear explosion is much more powerful than a mouse fart
(for instance you can do redirects).
SSI is rarely (never?) the best solution these days.
Rich
------------------------------
Date: Thu, 18 Nov 2004 15:16:36 -0500
From: "daniel kaplan" <nospam@nospam.com>
Subject: Re: SSI Question
Message-Id: <1100809102.550420@nntp.acecape.com>
"Richard Gration" <richard@zync.co.uk> wrote in message
news:pan.2004.11.18.19.16.00.864211@zync.co.uk...
> What you will find is that you can't do a redirect from a script called
> via SSI.
many thanks, JUST sat at my machine (with all my code) and was about to try
it...was hoping i could, but hey, that's obviously NOT the way to do it.
> Personally my feeling is that if you are going to the trouble of writing a
> perl script......
> SSI is rarely (never?) the best solution these days.
many thanks for your all input
daniel
------------------------------
Date: Thu, 18 Nov 2004 22:22:20 GMT
From: "Bill Segraves" <segraves_f13@mindspring.com>
Subject: Re: the antichomp
Message-Id: <wg9nd.3096$Qh3.2677@newsread3.news.atl.earthlink.net>
"Tad McClellan" <tadmc@augustmail.com> wrote in message
news:slrncppcip.4ca.tadmc@magna.augustmail.com...
<snip>
> Neither of which is an "unchomp" though, since they do not
> take the value of $/ into account, so this is probably better:
>
> $_ .= $/ for @ARGV;
ISTM the OP did not state his objective clearly. If his intent was to alter
the contents of @ARGV, then the above statement does what he intended. The
OP might consult the last paragraph in Chapter 4 (pp. 64-65) of LP2ed (Camel
Book) for an explanation.
OTOH, if the OP's intent was to *not* alter @ARGV, but rather, was to simply
add newlines when (later) printing the elements of @ARGV, perhaps the
following would suffice (Thanks to Damian Conway):
use Perl6::Say;
say $_ for @ARGV;
Cheers.
--
Bill Segraves
------------------------------
Date: 18 Nov 2004 14:42:53 -0800
From: ioneabu@yahoo.com (wana)
Subject: Re: the antichomp
Message-Id: <bf0b47ca.0411181442.56a260ea@posting.google.com>
Uri Guttman <uguttman@athenahealth.com> wrote in message news:<m3d5yc71q8.fsf@lap.athenahealth.com>...
> >>>>> "ASU" == A Sinan Unur <1usa@llenroc.ude.invalid> writes:
>
> ASU> Uri Guttman <uri@stemsystems.com> wrote in
> ASU> news:x765445uy1.fsf@mail.sysarch.com:
>
> >>>>>>> "ASU" == A Sinan Unur <1usa@llenroc.ude.invalid> writes:
>
> >> >> $_ .= "\n" for @ARGV;
> ASU> Of course. Read perldoc -f chomp.
> >>
> >> and how would chomp append newlines?
>
> ASU> It would not. But it would explain what one needs to do to write an
> ASU> 'antichomp'.
>
> ASU> So, "the antichomp" would have to do the opposite of what chomp does,
> ASU> wouldn't it?
>
> but that isn't an antichomp. it is appending a newline it over and over
> to a single string. and writing an antichomp for such a simple op makes
> little sense. see my other post for a better solution.
>
> uri
The question relates to my use of my own function SaveToFile which I
realize is a poor choice of sub names in Perl but I copied it from
Borland C++ which is where I used it all the time. The old Borland
version will save an array of strings to a file with each string on a
separate line. I used my version and found that the strings were all
stuck together on a single line. I then tried out File::Slurp which
did the same. I was not sure if I wanted to change my function's
default action without further thought, so I did it in my program
before the function call: $_ .= "\n" for @ARGV;
By the way, I am going to start using File::Slurp. I was under the
mistaken impression that it was hard to use. It is actually pretty
easy. To install, I had to copy the File directory from lib to use it
because I am on a shared server where I don't have root access, so
make install won't work for me. This has been true for all modules I
have installed. Fortunately, my provider has pre-installed many many
modules already.
wana
------------------------------
Date: Thu, 18 Nov 2004 22:54:50 GMT
From: Uri Guttman <uri@stemsystems.com>
Subject: Re: the antichomp
Message-Id: <x7u0rmbwee.fsf@mail.sysarch.com>
>>>>> "w" == wana <ioneabu@yahoo.com> writes:
w> The question relates to my use of my own function SaveToFile which I
w> realize is a poor choice of sub names in Perl but I copied it from
w> Borland C++ which is where I used it all the time. The old Borland
w> version will save an array of strings to a file with each string on a
w> separate line. I used my version and found that the strings were all
w> stuck together on a single line. I then tried out File::Slurp which
w> did the same. I was not sure if I wanted to change my function's
w> default action without further thought, so I did it in my program
w> before the function call: $_ .= "\n" for @ARGV;
but you said the lines are in an array. @ARGV is not a normal array so
you shouldn't be modifying it in place in general. map would be a better
choice for this as you would want to assign the results to another
array.
w> By the way, I am going to start using File::Slurp. I was under the
w> mistaken impression that it was hard to use. It is actually pretty
w> easy. To install, I had to copy the File directory from lib to use
w> it because I am on a shared server where I don't have root access,
w> so make install won't work for me. This has been true for all
w> modules I have installed. Fortunately, my provider has
w> pre-installed many many modules already.
where did you get the impression that it was hard to use? how would
making a hard to use module be useful? one thing i strive for in all my
work is making stuff easy to use without sacrificing speed and
flexibility and file::slurp does all that.
and if you have your lines in an array then this is how you would do it:
use File::Slurp ;
write_file( 'my_file_with_newlines', map "$_\n", @array );
really hard to use!! :)
uri
--
Uri Guttman ------ uri@stemsystems.com -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org
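Uri's `write_file( 'my_file_with_newlines', map "$_\n", @array )` builds a new list instead of modifying the array in place. As an added example that is not from the thread, the script below does the same with core Perl only: it appends `$/` (as Tad's version does) to a copy of each element, leaves the caller's array untouched, and returns the number of records written. The sub names with_separators and save_to_file and the sample data are constructed for the example.

```perl
use strict;
use warnings;

# Added example, not from the thread. Build a new list with the input record
# separator appended to each element; the caller's array is not modified,
# which is the point Uri makes about not altering @ARGV in place.
sub with_separators {
    return map { "$_$/" } @_;
}

# Write the records to a file, one per line, using core Perl only.
# File::Slurp's write_file would take the same map expression as its list.
sub save_to_file {
    my ($path, @records) = @_;
    open my $fh, '>', $path or die "cannot open $path: $!";
    print {$fh} with_separators(@records);
    close $fh or die "cannot close $path: $!";
    return scalar @records;
}

# Constructed sample data standing in for @ARGV.
my @lines = ('alpha', 'beta', 'gamma');
my $count = save_to_file('antichomp_demo.txt', @lines);
print "wrote $count records; \@lines is still: @lines\n";
```

Because `$/` is interpolated rather than a literal "\n", the output honours whatever record separator the program has set, the same reason Tad preferred `$_ .= $/` over `$_ .= "\n"`.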
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc. For subscription or unsubscription requests, send
#the single line:
#
# subscribe perl-users
#or:
# unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.
NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.
#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 7421
***************************************