[26976] in Perl-Users-Digest
Perl-Users Digest, Issue: 8924 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Mon Feb 6 06:05:49 2006
Date: Mon, 6 Feb 2006 03:05:07 -0800 (PST)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Mon, 6 Feb 2006 Volume: 10 Number: 8924
Today's topics:
Re: $lineNumber +=1 does not increment <joe@inwap.com>
implicit split to @_ is deprecated ? but, but, <groleau+news@freeshell.org>
Re: implicit split to @_ is deprecated ? but, but, <someone@example.com>
Re: implicit split to @_ is deprecated ? but, but, <spam-collector@pense-online.de>
Re: implicit split to @_ is deprecated ? but, but, <kkeller-usenet@wombat.san-francisco.ca.us>
Re: Question about abuse of a CGI script <1usa@llenroc.ude.invalid>
Re: Question about abuse of a CGI script <noreply@gunnar.cc>
Re: Question about abuse of a CGI script <news@chaos-net.de>
Re: Question about abuse of a CGI script <news@chaos-net.de>
Re: Question about abuse of a CGI script <news@chaos-net.de>
Re: Question about abuse of a CGI script <noreply@gunnar.cc>
Re: Question about abuse of a CGI script <news@chaos-net.de>
Re: Question about abuse of a CGI script <1usa@llenroc.ude.invalid>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Sun, 05 Feb 2006 18:22:49 -0800
From: Joe Smith <joe@inwap.com>
Subject: Re: $lineNumber +=1 does not increment
Message-Id: <64ydnfvKX52cLnveRVn-qw@comcast.com>
William wrote:
> my $lineNumber = 1; # file starts with line 1
> foreach my $line ( @fileContent ) {
> if ( 1 == ($lineNumber % 2) ) {
> next;
> ...
> $lineNumber += 1;
> }
Your program would have worked if you started at zero and
did an unconditional pre-increment at the top of the if().
my $lineNumber;
foreach my $line (@fileContent) {
if (++$lineNumber % 2) {
print "$lineNumber is not a multiple of 2, skipping\n";
next;
} else {
print "$lineNumber is even\n"
split(...);
}
}
-Joe
------------------------------
Date: Mon, 06 Feb 2006 04:14:59 GMT
From: Wes Groleau <groleau+news@freeshell.org>
Subject: implicit split to @_ is deprecated ? but, but,
Message-Id: <73AFf.95907$7l4.9401@trnddc05>
"Use of implicit split to @_ is deprecated at
/Users/wgroleau/bin/INDENTREC.cgi line 95."
Huh ?
sub RecType
{
my $Key = shift;
my $GedRec = split (/\n/, $Params{$Key}, 1); # line 95
I am trying to split off the first line of the multi-line
record from the hash, into GedRec. I don't see how it is
going into @_
--
Wes Groleau
Even if you do learn to speak correct English,
whom are you going to speak it to?
-- Clarence Darrow
------------------------------
Date: Mon, 06 Feb 2006 05:10:57 GMT
From: "John W. Krahn" <someone@example.com>
Subject: Re: implicit split to @_ is deprecated ? but, but,
Message-Id: <BTAFf.181661$AP5.136472@edtnps84>
Wes Groleau wrote:
> "Use of implicit split to @_ is deprecated at
> /Users/wgroleau/bin/INDENTREC.cgi line 95."
>
> Huh ?
>
> sub RecType
> {
> my $Key = shift;
> my $GedRec = split (/\n/, $Params{$Key}, 1); # line 95
>
> I am trying to split off the first line of the multi-line
> record from the hash, into GedRec. I don't see how it is
> going into @_
When split() is used in void or scalar context the results are stored in the
@_ array. To do what you want you have to either put the scalar in a list:
my ( $GedRec ) = split /\n/, $Params{ $Key }; # line 95
Or use a list slice on split():
my $GedRec = ( split /\n/, $Params{ $Key } )[ 0 ]; # line 95
Also, using 1 as the third argument does not do what you appear to think it does:
$ perl -le' @x = split /X/, "oneXtwoXthreeXfourX"; print for @x '
one
two
three
four
$ perl -le' @x = split /X/, "oneXtwoXthreeXfourX", 1; print for @x '
oneXtwoXthreeXfourX
So your original statement is the same as writing:
my $GedRec = $Params{$Key};
John
--
use Perl;
program
fulfillment
------------------------------
Date: Mon, 6 Feb 2006 06:02:15 +0100
From: Joachim Pense <spam-collector@pense-online.de>
Subject: Re: implicit split to @_ is deprecated ? but, but,
Message-Id: <l5t34zkyqlm8$.3dwty55ejvpp.dlg@40tude.net>
Am Mon, 06 Feb 2006 04:14:59 GMT schrieb Wes Groleau:
> "Use of implicit split to @_ is deprecated at
> /Users/wgroleau/bin/INDENTREC.cgi line 95."
>
> Huh ?
>
> sub RecType
> {
> my $Key = shift;
> my $GedRec = split (/\n/, $Params{$Key}, 1); # line 95
>
> I am trying to split off the first line of the multi-line
> record from the hash, into GedRec. I don't see how it is
> going into @_
The result of a split is an array, not a scalar. You call split in a scalar
context (as $GedRec is a scalar), so what happens is that the result of the
split will be put into @_ implicitly, and $GedRec will receive the element
count of @_.
Joachim
------------------------------
Date: Sun, 5 Feb 2006 21:41:03 -0800
From: Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us>
Subject: Re: implicit split to @_ is deprecated ? but, but,
Message-Id: <g44jb3x6ib.ln2@goaway.wombat.san-francisco.ca.us>
On 2006-02-06, Joachim Pense <spam-collector@pense-online.de> wrote:
>
> The result of a split is an array, not a scalar.
This has already been posted correctly elsewhere, but I thought it
worthwhile to followup to be explicit: the result of a split is not an
array, but a list. You can of course store the result in an array, but
you don't have to; the other solutions have it being stored in a list of
scalars, for example.
Yes, that's pedantic, but the list/array distinction is confusing
enough to beginners. :)
--keith
--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information
------------------------------
Date: Mon, 06 Feb 2006 02:06:22 GMT
From: "A. Sinan Unur" <1usa@llenroc.ude.invalid>
Subject: Re: Question about abuse of a CGI script
Message-Id: <Xns9761D6C987D36asu1cornelledu@127.0.0.1>
Martin Kissner <news@chaos-net.de> wrote in
news:slrndud5h4.s8a.news@maki.homeunix.net:
> A. Sinan Unur wrote :
>> Martin Kissner <news@chaos-net.de> wrote in
>> news:slrnducuop.s8a.news@maki.homeunix.net:
>>
...
>>> foreach my $data (@pairs) {
>>> $data =~ s/\+/ /go;
>>
>> Why the 'o' switch?
>
> I have taken this from a book. The book says it saves cpu time because
> the pattern is only compiled once. It suggests to always use it in
> loops unless the pattern changes.
Read the docs, and throw that book out.
Also, involving the Regex engine is completely unnecessary here.
#!/usr/bin/perl
use strict;
use warnings;
my $s = q{This+is+a+test};
$s =~ tr/+/ /;
print "$s\n";
__END__
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)
comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
------------------------------
Date: Mon, 06 Feb 2006 03:08:22 +0100
From: Gunnar Hjalmarsson <noreply@gunnar.cc>
Subject: Re: Question about abuse of a CGI script
Message-Id: <44np96F2s3vhU1@individual.net>
Martin Kissner wrote:
> Gunnar Hjalmarsson wrote :
>>Either they used an own, modified form, or - more likely - a script that
>>emulates a form submission. With Perl you can write such a script using
>>e.g. the LWP family of modules.
>
> Okay.
> Am I right if I suppose that such a script contacts the form on my
> website, fills in some values into my fields and then submits the form?
No. Such a script doesn't care about your form. It passes the values
directly to your script.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
------------------------------
Date: Mon, 6 Feb 2006 03:08:02 +0100
From: Martin Kissner <news@chaos-net.de>
Subject: Re: Question about abuse of a CGI script
Message-Id: <slrndudbs2.s8a.news@maki.homeunix.net>
A. Sinan Unur wrote :
> Martin Kissner <news@chaos-net.de> wrote in
> news:slrndud7if.s8a.news@maki.homeunix.net:
>
>> Gunnar Hjalmarsson wrote :
>>> What would happen if $userinput{name} consists of the string that
>>> this expression results in:
>>>
>>> qq|faked\@example.com\nCc: victim1\@example.com,
>>> victim2\@example.com,|
>>
>> Then some more people will get mail than intented.
>
> You are missing the point. The spammer does not type these things in by
> hand.
Next time I will use some irony tags ;)
>
>> My question is: How did they do it?
>> I tryed on my local webserver evereything I can think of, but the only
>> result I get is a few additional senders.
>
> Submit the form using WWW::Mechanize.
>
> At this point, I would recommend that you give up. Don't put a mail form
> on the web. Just put your mom's email address there, and tell your mom
> to use a spam filter[1].
No, I won't (sorry);
> You do not realize the harm you are doing to hundreds of thousands of
> people being targetted by the spammer. In fact, I sense from you an
> attitude of "who cares" regarding the victims.
Not at all, but if I give up I will not be able to learn how to do it
right.
Maybe you missed the fact that I have changed my script so the actual
spammer is not able to use it any more.
Also I am here mainly to get an idea how people can abuse scripts which
are so - I admit - poorly written as mine in order to avoid this in the
future.
As I mentioned before, I am an autodidact and sometimes I will some
time to understand how things go but I have decided to master this.
Best regards
Martin
--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'
------------------------------
Date: Mon, 6 Feb 2006 03:14:45 +0100
From: Martin Kissner <news@chaos-net.de>
Subject: Re: Question about abuse of a CGI script
Message-Id: <slrndudc8l.s8a.news@maki.homeunix.net>
Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> Gunnar Hjalmarsson wrote :
>>>Either they used an own, modified form, or - more likely - a script that
>>>emulates a form submission. With Perl you can write such a script using
>>>e.g. the LWP family of modules.
>>
>> Okay.
>> Am I right if I suppose that such a script contacts the form on my
>> website, fills in some values into my fields and then submits the form?
>
> No. Such a script doesn't care about your form. It passes the values
> directly to your script.
In this case it must be different.
I renamed the form but not the script.
Then I duplicated the form, changed the action in the <form> tag and
saved it under the original name.
The new action script only counts the hits by saving the IP addresses used by
the spammer but doesn't send any mails. It doesn#T even look at the
fields.
--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'
------------------------------
Date: Mon, 6 Feb 2006 03:16:14 +0100
From: Martin Kissner <news@chaos-net.de>
Subject: Re: Question about abuse of a CGI script
Message-Id: <slrndudcbe.s8a.news@maki.homeunix.net>
A. Sinan Unur wrote :
> Martin Kissner <news@chaos-net.de> wrote in
> news:slrndud5h4.s8a.news@maki.homeunix.net:
>
>> A. Sinan Unur wrote :
>>> Martin Kissner <news@chaos-net.de> wrote in
>>> news:slrnducuop.s8a.news@maki.homeunix.net:
>>>
> ...
>>>> foreach my $data (@pairs) {
>>>> $data =~ s/\+/ /go;
>>>
>>> Why the 'o' switch?
>>
>> I have taken this from a book. The book says it saves cpu time because
>> the pattern is only compiled once. It suggests to always use it in
>> loops unless the pattern changes.
>
> Read the docs, and throw that book out.
Guess what! I already did.
>
> Also, involving the Regex engine is completely unnecessary here.
>
> #!/usr/bin/perl
>
> use strict;
> use warnings;
>
> my $s = q{This+is+a+test};
> $s =~ tr/+/ /;
Thank you for this hint.
--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'
------------------------------
Date: Mon, 06 Feb 2006 03:51:38 +0100
From: Gunnar Hjalmarsson <noreply@gunnar.cc>
Subject: Re: Question about abuse of a CGI script
Message-Id: <44nrq4F32qddU1@individual.net>
Martin Kissner wrote:
> Gunnar Hjalmarsson wrote :
>>Martin Kissner wrote:
>>>Am I right if I suppose that such a script contacts the form on my
>>>website, fills in some values into my fields and then submits the form?
>>
>>No. Such a script doesn't care about your form. It passes the values
>>directly to your script.
>
> In this case it must be different.
> I renamed the form but not the script.
> Then I duplicated the form, changed the action in the <form> tag and
> saved it under the original name.
> The new action script only counts the hits by saving the IP addresses used by
> the spammer but doesn't send any mails. It doesn#T even look at the
> fields.
The spammer needs to know what to submit and whereto, and that info he
reasonably grabs from your form. Then, when actually abusing your
script, he most likely bypasses your form.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
------------------------------
Date: Mon, 6 Feb 2006 04:33:01 +0100
From: Martin Kissner <news@chaos-net.de>
Subject: Re: Question about abuse of a CGI script
Message-Id: <slrndudgrd.s8a.news@maki.homeunix.net>
Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> Gunnar Hjalmarsson wrote :
>>>Martin Kissner wrote:
>>>>Am I right if I suppose that such a script contacts the form on my
>>>>website, fills in some values into my fields and then submits the form?
>>>
>>>No. Such a script doesn't care about your form. It passes the values
>>>directly to your script.
>>
>> In this case it must be different.
>> I renamed the form but not the script.
>> Then I duplicated the form, changed the action in the <form> tag and
>> saved it under the original name.
>> The new action script only counts the hits by saving the IP addresses used by
>> the spammer but doesn't send any mails. It doesn#T even look at the
>> fields.
>
> The spammer needs to know what to submit and whereto, and that info he
> reasonably grabs from your form. Then, when actually abusing your
> script, he most likely bypasses your form.
>
Okay; wherto would be the script, right?
but how can he find out about the script's name? The script lies in
/cgi-bin/ and the scripts name does not appear in the form or any other
file which is accessible directly via HTTP. The action in the html form
is a html filename which is redirected via .htaccess/mod_rewrite to the
cgi script. This filename I have changed.
Is there a chance somone could find out where to submit the data?
I don't think the spammer can use my script right now.
I have added some additional code to inform me but up to know I have not
noticed him back on the main script (based on some pattern matching and
content length restrictions). Additionally I removed the variables in the header
part of the script.
Also I have added another script which gets executed when the server is
accessed via the original html filename. This script gets executed
several times an hour, but it does not process the input.
Did I miss anything? Can someone unnoticedly get arround this setup?
--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'
------------------------------
Date: Mon, 06 Feb 2006 08:24:13 GMT
From: "A. Sinan Unur" <1usa@llenroc.ude.invalid>
Subject: Re: Question about abuse of a CGI script
Message-Id: <Xns976222B527C49asu1cornelledu@127.0.0.1>
Martin Kissner <news@chaos-net.de> wrote in
news:slrndudgrd.s8a.news@maki.homeunix.net:
> Gunnar Hjalmarsson wrote :
>> Martin Kissner wrote:
>>> Gunnar Hjalmarsson wrote :
>>>>Martin Kissner wrote:
>>>>>Am I right if I suppose that such a script contacts the form on my
>>>>>website, fills in some values into my fields and then submits the
>>>>>form?
>>>>
>>>>No. Such a script doesn't care about your form. It passes the values
>>>>directly to your script.
>>>
>>> In this case it must be different.
>>> I renamed the form but not the script.
>>> Then I duplicated the form, changed the action in the <form> tag and
>>> saved it under the original name.
>>> The new action script only counts the hits by saving the IP
>>> addresses used by the spammer but doesn't send any mails. It doesn#T
>>> even look at the fields.
>>
>> The spammer needs to know what to submit and whereto, and that info
>> he reasonably grabs from your form. Then, when actually abusing your
>> script, he most likely bypasses your form.
>>
> Okay; wherto would be the script, right?
"Where to" is whatever is in the action attribute of the form you are
using.
> but how can he find out about the script's name? The script lies in
> /cgi-bin/ and the scripts name does not appear in the form or any
> other file which is accessible directly via HTTP. The action in the
> html form is a html filename which is redirected via
> .htaccess/mod_rewrite to the cgi script. This filename I have
> changed.
>
> Is there a chance somone could find out where to submit the data?
I don't know what you are talking about, but that's irrelevant. Web
server configuration is off-topic here (well, so was CGI. Forgive me for
I have sinned).
Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)
comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc. For subscription or unsubscription requests, send
#the single line:
#
# subscribe perl-users
#or:
# unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.
NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.
#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 8924
***************************************