[27471] in Perl-Users-Digest
Perl-Users Digest, Issue: 9084 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Fri Mar 24 09:10:14 2006
Date: Fri, 24 Mar 2006 06:10:07 -0800 (PST)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Fri, 24 Mar 2006 Volume: 10 Number: 9084
Today's topics:
Posting Guidelines for comp.lang.perl.misc ($Revision: tadmc@augustmail.com
Re: Posting Guidelines for comp.lang.perl.misc ($Revisi <Diana@hotmail.com>
Re: Security implications of taking a stylesheet URL fr <dorward@yahoo.com>
Re: Security implications of taking a stylesheet URL fr <bumens@dingens.org>
Re: Security implications of taking a stylesheet URL fr <cajunk@marenger.com>
Re: Security implications of taking a stylesheet URL fr <jasen@free.net.nz>
sockaddr_in() timeout or asynchone call ? <no@thanks.com>
Re: Would like to make a system call without displaying <jurgenex@hotmail.com>
Re: Would like to make a system call without displaying <tadmc@augustmail.com>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: 24 Mar 2006 08:22:04 GMT
From: tadmc@augustmail.com
Subject: Posting Guidelines for comp.lang.perl.misc ($Revision: 1.5 $)
Message-Id: <4423ac2c$0$56209$ae4e5890@news.nationwide.net>
Outline
Before posting to comp.lang.perl.misc
Must
- Check the Perl Frequently Asked Questions (FAQ)
- Check the other standard Perl docs (*.pod)
Really Really Should
- Lurk for a while before posting
- Search a Usenet archive
If You Like
- Check Other Resources
Posting to comp.lang.perl.misc
Is there a better place to ask your question?
- Question should be about Perl, not about the application area
How to participate (post) in the clpmisc community
- Carefully choose the contents of your Subject header
- Use an effective followup style
- Speak Perl rather than English, when possible
- Ask perl to help you
- Do not re-type Perl code
- Provide enough information
- Do not provide too much information
- Do not post binaries, HTML, or MIME
Social faux pas to avoid
- Asking a Frequently Asked Question
- Asking a question easily answered by a cursory doc search
- Asking for emailed answers
- Beware of saying "doesn't work"
- Sending a "stealth" Cc copy
Be extra cautious when you get upset
- Count to ten before composing a followup when you are upset
- Count to ten after composing and before posting when you are upset
-----------------------------------------------------------------
Posting Guidelines for comp.lang.perl.misc ($Revision: 1.5 $)
This newsgroup, commonly called clpmisc, is a technical newsgroup
intended to be used for discussion of Perl related issues (except job
postings), whether it be comments or questions.
As you would expect, clpmisc discussions are usually very technical in
nature and there are conventions for conduct in technical newsgroups
going somewhat beyond those in non-technical newsgroups.
The article at:
http://www.catb.org/~esr/faqs/smart-questions.html
describes how to get answers from technical people in general.
This article describes things that you should, and should not, do to
increase your chances of getting an answer to your Perl question. It is
available in POD, HTML and plain text formats at:
http://mail.augustmail.com/~tadmc/clpmisc.shtml
For more information about netiquette in general, see the "Netiquette
Guidelines" at:
http://andrew2.andrew.cmu.edu/rfc/rfc1855.html
A note to newsgroup "regulars":
Do not use these guidelines as a "license to flame" or other
meanness. It is possible that a poster is unaware of things
discussed here. Give them the benefit of the doubt, and just
help them learn how to post, rather than assume
A note about technical terms used here:
In this document, we use words like "must" and "should" as
they're used in technical conversation (such as you will
encounter in this newsgroup). When we say that you *must* do
something, we mean that if you don't do that something, then
it's unlikely that you will benefit much from this group.
We're not bossing you around; we're making the point without
lots of words.
Do *NOT* send email to the maintainer of these guidelines. It will be
discarded unread. The guidelines belong to the newsgroup so all
discussion should appear in the newsgroup. I am just the secretary that
writes down the consensus of the group.
Before posting to comp.lang.perl.misc
Must
This section describes things that you *must* do before posting to
clpmisc, in order to maximize your chances of getting meaningful replies
to your inquiry and to avoid getting flamed for being lazy and trying to
have others do your work.
The perl distribution includes documentation that is copied to your hard
drive when you install perl. Also installed is a program for looking
things up in that (and other) documentation named 'perldoc'.
You should either find out where the docs got installed on your system,
or use perldoc to find them for you. Type "perldoc perldoc" to learn how
to use perldoc itself. Type "perldoc perl" to start reading Perl's
standard documentation.
Check the Perl Frequently Asked Questions (FAQ)
Checking the FAQ before posting is required in Big 8 newsgroups in
general, there is nothing clpmisc-specific about this requirement.
You are expected to do this in nearly all newsgroups.
You can use the "-q" switch with perldoc to do a word search of the
questions in the Perl FAQs.
Check the other standard Perl docs (*.pod)
The perl distribution comes with much more documentation than is
available for most other newsgroups, so in clpmisc you should also
see if you can find an answer in the other (non-FAQ) standard docs
before posting.
It is *not* required, or even expected, that you actually *read* all of
Perl's standard docs, only that you spend a few minutes searching them
before posting.
Try doing a word-search in the standard docs for some words/phrases
taken from your problem statement or from your very carefully worded
"Subject:" header.
Really Really Should
This section describes things that you *really should* do before posting
to clpmisc.
Lurk for a while before posting
This is very important and expected in all newsgroups. Lurking means
to monitor a newsgroup for a period to become familiar with local
customs. Each newsgroup has specific customs and rituals. Knowing
these before you participate will help avoid embarrassing social
situations. Consider yourself to be a foreigner at first!
Search a Usenet archive
There are tens of thousands of Perl programmers. It is very likely
that your question has already been asked (and answered). See if you
can find where it has already been answered.
One such searchable archive is:
http://groups.google.com/advanced_group_search
If You Like
This section describes things that you *can* do before posting to
clpmisc.
Check Other Resources
You may want to check in books or on web sites to see if you can
find the answer to your question.
But you need to consider the source of such information: there are a
lot of very poor Perl books and web sites, and several good ones
too, of course.
Posting to comp.lang.perl.misc
There can be 200 messages in clpmisc in a single day. Nobody is going to
read every article. They must decide somehow which articles they are
going to read, and which they will skip.
Your post is in competition with 199 other posts. You need to "win"
before a person who can help you will even read your question.
These sections describe how you can help keep your article from being
one of the "skipped" ones.
Is there a better place to ask your question?
Question should be about Perl, not about the application area
It can be difficult to separate out where your problem really is,
but you should make a conscious effort to post to the most
applicable newsgroup. That is, after all, where you are the most
likely to find the people who know how to answer your question.
Being able to "partition" a problem is an essential skill for
effectively troubleshooting programming problems. If you don't get
that right, you end up looking for answers in the wrong places.
It should be understood that you may not know that the root of your
problem is not Perl-related (the two most frequent ones are CGI and
Operating System related), so off-topic postings will happen from
time to time. Be gracious when someone helps you find a better place
to ask your question by pointing you to a more applicable newsgroup.
How to participate (post) in the clpmisc community
Carefully choose the contents of your Subject header
You have 40 precious characters of Subject to win out and be one of
the posts that gets read. Don't waste them. Take care while
composing them, they are the key that opens the door to getting an
answer.
Spend them indicating what aspect of Perl others will find if they
should decide to read your article.
Do not spend them indicating "experience level" (guru, newbie...).
Do not spend them pleading (please read, urgent, help!...).
Do not spend them on non-Subjects (Perl question, one-word
Subject...)
For more information on choosing a Subject see "Choosing Good
Subject Lines":
http://www.cpan.org/authors/id/D/DM/DMR/subjects.post
Part of the beauty of newsgroup dynamics, is that you can contribute
to the community with your very first post! If your choice of
Subject leads a fellow Perler to find the thread you are starting,
then even asking a question helps us all.
Use an effective followup style
When composing a followup, quote only enough text to establish the
context for the comments that you will add. Always indicate who
wrote the quoted material. Never quote an entire article. Never
quote a .signature (unless that is what you are commenting on).
Intersperse your comments *following* each section of quoted text to
which they relate. Unappreciated followup styles are referred to as
"top-posting", "Jeopardy" (because the answer comes before the
question), or "TOFU" (Text Over, Fullquote Under).
Reversing the chronology of the dialog makes it much harder to
understand (some folks won't even read it if written in that style).
For more information on quoting style, see:
http://web.presby.edu/~nnqadmin/nnq/nquote.html
Speak Perl rather than English, when possible
Perl is much more precise than natural language. Saying it in Perl
instead will avoid misunderstanding your question or problem.
Do not say: I have variable with "foo\tbar" in it.
Instead say: I have $var = "foo\tbar", or I have $var = 'foo\tbar',
or I have $var = <DATA> (and show the data line).
Ask perl to help you
You can ask perl itself to help you find common programming mistakes
by doing two things: enable warnings (perldoc warnings) and enable
"strict"ures (perldoc strict).
You should not bother the hundreds/thousands of readers of the
newsgroup without first seeing if a machine can help you find your
problem. It is demeaning to be asked to do the work of a machine. It
will annoy the readers of your article.
You can look up any of the messages that perl might issue to find
out what the message means and how to resolve the potential mistake
(perldoc perldiag). If you would like perl to look them up for you,
you can put "use diagnostics;" near the top of your program.
Do not re-type Perl code
Use copy/paste or your editor's "import" function rather than
attempting to type in your code. If you make a typo you will get
followups about your typos instead of about the question you are
trying to get answered.
Provide enough information
If you do the things in this item, you will have an Extremely Good
chance of getting people to try and help you with your problem!
These features are a really big bonus toward your question winning
out over all of the other posts that you are competing with.
First make a short (less than 20-30 lines) and *complete* program
that illustrates the problem you are having. People should be able
to run your program by copy/pasting the code from your article. (You
will find that doing this step very often reveals your problem
directly. Leading to an answer much more quickly and reliably than
posting to Usenet.)
Describe *precisely* the input to your program. Also provide example
input data for your program. If you need to show file input, use the
__DATA__ token (perldata.pod) to provide the file contents inside of
your Perl program.
Show the output (including the verbatim text of any messages) of
your program.
Describe how you want the output to be different from what you are
getting.
If you have no idea at all of how to code up your situation, be sure
to at least describe the 2 things that you *do* know: input and
desired output.
Do not provide too much information
Do not just post your entire program for debugging. Most especially
do not post someone *else's* entire program.
Do not post binaries, HTML, or MIME
clpmisc is a text only newsgroup. If you have images or binaries
that explain your question, put them in a publically accessible
place (like a Web server) and provide a pointer to that location. If
you include code, cut and paste it directly in the message body.
Don't attach anything to the message. Don't post vcards or HTML.
Many people (and even some Usenet servers) will automatically filter
out such messages. Many people will not be able to easily read your
post. Plain text is something everyone can read.
Social faux pas to avoid
The first two below are symptoms of lots of FAQ asking here in clpmisc.
It happens so often that folks will assume that it is happening yet
again. If you have looked but not found, or found but didn't understand
the docs, say so in your article.
Asking a Frequently Asked Question
It should be understood that you may have missed the applicable FAQ
when you checked, which is not a big deal. But if the Frequently
Asked Question is worded similar to your question, folks will assume
that you did not look at all. Don't become indignant at pointers to
the FAQ, particularly if it solves your problem.
Asking a question easily answered by a cursory doc search
If folks think you have not even tried the obvious step of reading
the docs applicable to your problem, they are likely to become
annoyed.
If you are flamed for not checking when you *did* check, then just
shrug it off (and take the answer that you got).
Asking for emailed answers
Emailed answers benefit one person. Posted answers benefit the
entire community. If folks can take the time to answer your
question, then you can take the time to go get the answer in the
same place where you asked the question.
It is OK to ask for a *copy* of the answer to be emailed, but many
will ignore such requests anyway. If you munge your address, you
should never expect (or ask) to get email in response to a Usenet
post.
Ask the question here, get the answer here (maybe).
Beware of saying "doesn't work"
This is a "red flag" phrase. If you find yourself writing that,
pause and see if you can't describe what is not working without
saying "doesn't work". That is, describe how it is not what you
want.
Sending a "stealth" Cc copy
A "stealth Cc" is when you both email and post a reply without
indicating *in the body* that you are doing so.
Be extra cautious when you get upset
Count to ten before composing a followup when you are upset
This is recommended in all Usenet newsgroups. Here in clpmisc, most
flaming sub-threads are not about any feature of Perl at all! They
are most often for what was seen as a breach of netiquette. If you
have lurked for a bit, then you will know what is expected and won't
make such posts in the first place.
But if you get upset, wait a while before writing your followup. I
recommend waiting at least 30 minutes.
Count to ten after composing and before posting when you are upset
After you have written your followup, wait *another* 30 minutes
before committing yourself by posting it. You cannot take it back
once it has been said.
AUTHOR
Tad McClellan <tadmc@augustmail.com> and many others on the
comp.lang.perl.misc newsgroup.
------------------------------
Date: Fri, 24 Mar 2006 12:28:35 GMT
From: "Diana" <Diana@hotmail.com>
Subject: Re: Posting Guidelines for comp.lang.perl.misc ($Revision: 1.5 $)
Message-Id: <TBRUf.24845$Nb2.453434@news1.nokia.com>
tadmc@augustmail.com wrote:
> Outline
> Before posting to comp.lang.perl.misc
> Must
> - Check the Perl Frequently Asked Questions (FAQ)
> - Check the other standard Perl docs (*.pod)
> Really Really Should
> - Lurk for a while before posting
> - Search a Usenet archive
> If You Like
> - Check Other Resources
> Posting to comp.lang.perl.misc
> Is there a better place to ask your question?
> - Question should be about Perl, not about the application area
> How to participate (post) in the clpmisc community
> - Carefully choose the contents of your Subject header
> - Use an effective followup style
> - Speak Perl rather than English, when possible
> - Ask perl to help you
> - Do not re-type Perl code
> - Provide enough information
> - Do not provide too much information
> - Do not post binaries, HTML, or MIME
> Social faux pas to avoid
> - Asking a Frequently Asked Question
> - Asking a question easily answered by a cursory doc search
> - Asking for emailed answers
> - Beware of saying "doesn't work"
> - Sending a "stealth" Cc copy
> Be extra cautious when you get upset
> - Count to ten before composing a followup when you are upset
> - Count to ten after composing and before posting when you are
> upset
> -----------------------------------------------------------------
>
> Posting Guidelines for comp.lang.perl.misc ($Revision: 1.5 $)
> This newsgroup, commonly called clpmisc, is a technical newsgroup
> intended to be used for discussion of Perl related issues (except
> job postings), whether it be comments or questions.
>
> As you would expect, clpmisc discussions are usually very
> technical in nature and there are conventions for conduct in
> technical newsgroups going somewhat beyond those in non-technical
> newsgroups.
>
> The article at:
>
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> describes how to get answers from technical people in general.
>
> This article describes things that you should, and should not, do
> to increase your chances of getting an answer to your Perl
> question. It is available in POD, HTML and plain text formats at:
>
> http://mail.augustmail.com/~tadmc/clpmisc.shtml
>
> For more information about netiquette in general, see the
> "Netiquette Guidelines" at:
>
> http://andrew2.andrew.cmu.edu/rfc/rfc1855.html
>
> A note to newsgroup "regulars":
>
> Do not use these guidelines as a "license to flame" or other
> meanness. It is possible that a poster is unaware of things
> discussed here. Give them the benefit of the doubt, and just
> help them learn how to post, rather than assume
>
> A note about technical terms used here:
>
> In this document, we use words like "must" and "should" as
> they're used in technical conversation (such as you will
> encounter in this newsgroup). When we say that you must do
> something, we mean that if you don't do that something, then
> it's unlikely that you will benefit much from this group.
> We're not bossing you around; we're making the point without
> lots of words.
>
> Do NOT send email to the maintainer of these guidelines. It will
> be discarded unread. The guidelines belong to the newsgroup so all
> discussion should appear in the newsgroup. I am just the
> secretary that writes down the consensus of the group.
>
> Before posting to comp.lang.perl.misc
> Must
> This section describes things that you must do before posting to
> clpmisc, in order to maximize your chances of getting meaningful
> replies to your inquiry and to avoid getting flamed for being
> lazy and trying to have others do your work.
>
> The perl distribution includes documentation that is copied to
> your hard drive when you install perl. Also installed is a
> program for looking things up in that (and other) documentation
> named 'perldoc'.
>
> You should either find out where the docs got installed on your
> system, or use perldoc to find them for you. Type "perldoc
> perldoc" to learn how to use perldoc itself. Type "perldoc perl"
> to start reading Perl's standard documentation.
>
> Check the Perl Frequently Asked Questions (FAQ)
> Checking the FAQ before posting is required in Big 8
> newsgroups in general, there is nothing clpmisc-specific
> about this requirement. You are expected to do this in
> nearly all newsgroups.
>
> You can use the "-q" switch with perldoc to do a word search
> of the questions in the Perl FAQs.
>
> Check the other standard Perl docs (*.pod)
> The perl distribution comes with much more documentation than
> is available for most other newsgroups, so in clpmisc you
> should also see if you can find an answer in the other
> (non-FAQ) standard docs before posting.
>
> It is not required, or even expected, that you actually read all
> of Perl's standard docs, only that you spend a few minutes
> searching them before posting.
>
> Try doing a word-search in the standard docs for some
> words/phrases taken from your problem statement or from your very
> carefully worded "Subject:" header.
>
> Really Really Should
> This section describes things that you *really should* do before
> posting to clpmisc.
>
> Lurk for a while before posting
> This is very important and expected in all newsgroups.
> Lurking means to monitor a newsgroup for a period to become
> familiar with local customs. Each newsgroup has specific
> customs and rituals. Knowing these before you participate
> will help avoid embarrassing social situations. Consider
> yourself to be a foreigner at first!
>
> Search a Usenet archive
> There are tens of thousands of Perl programmers. It is very
> likely that your question has already been asked (and
> answered). See if you can find where it has already been
> answered.
>
> One such searchable archive is:
>
> http://groups.google.com/advanced_group_search
>
> If You Like
> This section describes things that you can do before posting to
> clpmisc.
>
> Check Other Resources
> You may want to check in books or on web sites to see if you
> can find the answer to your question.
>
> But you need to consider the source of such information:
> there are a lot of very poor Perl books and web sites, and
> several good ones too, of course.
>
> Posting to comp.lang.perl.misc
> There can be 200 messages in clpmisc in a single day. Nobody is
> going to read every article. They must decide somehow which
> articles they are going to read, and which they will skip.
>
> Your post is in competition with 199 other posts. You need to
> "win" before a person who can help you will even read your
> question.
>
> These sections describe how you can help keep your article from
> being one of the "skipped" ones.
>
> Is there a better place to ask your question?
> Question should be about Perl, not about the application area
> It can be difficult to separate out where your problem really
> is, but you should make a conscious effort to post to the most
> applicable newsgroup. That is, after all, where you are the
> most likely to find the people who know how to answer your
> question.
>
> Being able to "partition" a problem is an essential skill for
> effectively troubleshooting programming problems. If you
> don't get that right, you end up looking for answers in the
> wrong places.
>
> It should be understood that you may not know that the root
> of your problem is not Perl-related (the two most frequent
> ones are CGI and Operating System related), so off-topic
> postings will happen from time to time. Be gracious when
> someone helps you find a better place to ask your question by
> pointing you to a more applicable newsgroup.
>
> How to participate (post) in the clpmisc community
> Carefully choose the contents of your Subject header
> You have 40 precious characters of Subject to win out and be
> one of the posts that gets read. Don't waste them. Take care
> while composing them, they are the key that opens the door to
> getting an answer.
>
> Spend them indicating what aspect of Perl others will find if
> they should decide to read your article.
>
> Do not spend them indicating "experience level" (guru,
> newbie...).
>
> Do not spend them pleading (please read, urgent, help!...).
>
> Do not spend them on non-Subjects (Perl question, one-word
> Subject...)
>
> For more information on choosing a Subject see "Choosing Good
> Subject Lines":
>
> http://www.cpan.org/authors/id/D/DM/DMR/subjects.post
>
> Part of the beauty of newsgroup dynamics, is that you can
> contribute to the community with your very first post! If
> your choice of Subject leads a fellow Perler to find the
> thread you are starting, then even asking a question helps us
> all.
>
> Use an effective followup style
> When composing a followup, quote only enough text to
> establish the context for the comments that you will add.
> Always indicate who wrote the quoted material. Never quote an
> entire article. Never quote a .signature (unless that is what
> you are commenting on).
>
> Intersperse your comments following each section of quoted
> text to which they relate. Unappreciated followup styles are
> referred to as "top-posting", "Jeopardy" (because the answer
> comes before the question), or "TOFU" (Text Over, Fullquote
> Under).
>
> Reversing the chronology of the dialog makes it much harder to
> understand (some folks won't even read it if written in that
> style). For more information on quoting style, see:
>
> http://web.presby.edu/~nnqadmin/nnq/nquote.html
>
> Speak Perl rather than English, when possible
> Perl is much more precise than natural language. Saying it in
> Perl instead will avoid misunderstanding your question or
> problem.
>
> Do not say: I have variable with "foo\tbar" in it.
>
> Instead say: I have $var = "foo\tbar", or I have $var =
> 'foo\tbar', or I have $var = <DATA> (and show the data line).
>
> Ask perl to help you
> You can ask perl itself to help you find common programming
> mistakes by doing two things: enable warnings (perldoc
> warnings) and enable "strict"ures (perldoc strict).
>
> You should not bother the hundreds/thousands of readers of the
> newsgroup without first seeing if a machine can help you find
> your problem. It is demeaning to be asked to do the work of a
> machine. It will annoy the readers of your article.
>
> You can look up any of the messages that perl might issue to
> find out what the message means and how to resolve the
> potential mistake (perldoc perldiag). If you would like perl
> to look them up for you, you can put "use diagnostics;" near
> the top of your program.
>
> Do not re-type Perl code
> Use copy/paste or your editor's "import" function rather than
> attempting to type in your code. If you make a typo you will
> get followups about your typos instead of about the question
> you are trying to get answered.
>
> Provide enough information
> If you do the things in this item, you will have an Extremely
> Good chance of getting people to try and help you with your
> problem! These features are a really big bonus toward your
> question winning out over all of the other posts that you are
> competing with.
>
> First make a short (less than 20-30 lines) and complete
> program that illustrates the problem you are having. People
> should be able to run your program by copy/pasting the code
> from your article. (You will find that doing this step very
> often reveals your problem directly. Leading to an answer
> much more quickly and reliably than posting to Usenet.)
>
> Describe precisely the input to your program. Also provide
> example input data for your program. If you need to show file
> input, use the DATA token (perldata.pod) to provide the file
> contents inside of your Perl program.
>
> Show the output (including the verbatim text of any messages)
> of your program.
>
> Describe how you want the output to be different from what
> you are getting.
>
> If you have no idea at all of how to code up your situation,
> be sure to at least describe the 2 things that you do know:
> input and desired output.
>
> Do not provide too much information
> Do not just post your entire program for debugging. Most
> especially do not post someone else's entire program.
>
> Do not post binaries, HTML, or MIME
> clpmisc is a text only newsgroup. If you have images or
> binaries that explain your question, put them in a publically
> accessible place (like a Web server) and provide a pointer to
> that location. If you include code, cut and paste it directly
> in the message body. Don't attach anything to the message.
> Don't post vcards or HTML. Many people (and even some Usenet
> servers) will automatically filter out such messages. Many
> people will not be able to easily read your post. Plain text
> is something everyone can read.
>
> Social faux pas to avoid
> The first two below are symptoms of lots of FAQ asking here in
> clpmisc. It happens so often that folks will assume that it is
> happening yet again. If you have looked but not found, or found
> but didn't understand the docs, say so in your article.
>
> Asking a Frequently Asked Question
> It should be understood that you may have missed the
> applicable FAQ when you checked, which is not a big deal. But
> if the Frequently Asked Question is worded similar to your
> question, folks will assume that you did not look at all.
> Don't become indignant at pointers to the FAQ, particularly
> if it solves your problem.
>
> Asking a question easily answered by a cursory doc search
> If folks think you have not even tried the obvious step of
> reading the docs applicable to your problem, they are likely
> to become annoyed.
>
> If you are flamed for not checking when you did check, then
> just shrug it off (and take the answer that you got).
>
> Asking for emailed answers
> Emailed answers benefit one person. Posted answers benefit the
> entire community. If folks can take the time to answer your
> question, then you can take the time to go get the answer in
> the same place where you asked the question.
>
> It is OK to ask for a copy of the answer to be emailed, but
> many will ignore such requests anyway. If you munge your
> address, you should never expect (or ask) to get email in
> response to a Usenet post.
>
> Ask the question here, get the answer here (maybe).
>
> Beware of saying "doesn't work"
> This is a "red flag" phrase. If you find yourself writing
> that, pause and see if you can't describe what is not working
> without saying "doesn't work". That is, describe how it is
> not what you want.
>
> Sending a "stealth" Cc copy
> A "stealth Cc" is when you both email and post a reply without
> indicating *in the body* that you are doing so.
>
> Be extra cautious when you get upset
> Count to ten before composing a followup when you are upset
> This is recommended in all Usenet newsgroups. Here in
> clpmisc, most flaming sub-threads are not about any feature
> of Perl at all! They are most often for what was seen as a
> breach of netiquette. If you have lurked for a bit, then you
> will know what is expected and won't make such posts in the
> first place.
>
> But if you get upset, wait a while before writing your
> followup. I recommend waiting at least 30 minutes.
>
> Count to ten after composing and before posting when you are upset
> After you have written your followup, wait another 30 minutes
> before committing yourself by posting it. You cannot take it
> back once it has been said.
>
> AUTHOR
> Tad McClellan <tadmc@augustmail.com> and many others on the
> comp.lang.perl.misc newsgroup.
--
------------------------------
Date: Fri, 24 Mar 2006 08:09:38 +0000
From: David Dorward <dorward@yahoo.com>
Subject: Re: Security implications of taking a stylesheet URL from a CGI parameter
Message-Id: <e009je$h4i$1$8300dec7@news.demon.co.uk>
Scott W Gifford wrote:
> I only have a rough knowledge of the full power of cascading
> stylesheets. Are there any other security concerns I should be
> thinking about? In particular, is there any way to embed
> client-executed code (like JavaScript) into a stylesheet, implement
> some other kind of cross-site scripting attack, or otherwise cause the
> stylesheet to do anything besides alter the display of the page?
In standards conformant CSS? No
In a file served with a text/css media type? Yes.
http://archivist.incutio.com/viewlist/css-discuss/44263 has a simple
example, but expression lets any JavaScript be executed in Internet
Explorer (and can call ActiveX controls etc).
(Follow up set)
--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
------------------------------
Date: 24 Mar 2006 09:33:46 +0100
From: Volker Birk <bumens@dingens.org>
Subject: Re: Security implications of taking a stylesheet URL from a CGI parameter
Message-Id: <4423aeea@news.uni-ulm.de>
In comp.security.misc Scott W Gifford <gifford@umich.edu> wrote:
> We will escape $stylesheet so it can only contain letters, numbers,
> underscore, dash, slashes, colons, and dots (to avoid cross-site
> scripting), ensure it starts with "http://" or "https://" and contains
> no port specification after the host
The latter is a drawback.
> and
> require the filename to end with ".css" (to make it more difficult to
> cause a script to run).
This is unneccessary.
> Something like this:
> /^https?:\/\/[\w.-]+\/[\w\/:.-]+\.css$/
Why not implementing RFC1738, 3.3 exactly?
> I only have a rough knowledge of the full power of cascading
> stylesheets. Are there any other security concerns I should be
> thinking about?
With :before and :after there may be risks by inserting local scripting
code.
Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain
------------------------------
Date: Fri, 24 Mar 2006 06:21:28 -0500
From: Carolyn Marenger <cajunk@marenger.com>
Subject: Re: Security implications of taking a stylesheet URL from a CGI parameter
Message-Id: <55a76$4423d638$cf701c97$6263@PRIMUS.CA>
Scott W Gifford wrote:
> Hello,
>
> We've got a Web-based application written in Perl that is designed to
> integrate as a frame into many different Web sites. We currently have
> several stylesheets available to allow the user to match the look and
> feel to their existing Web site. We're considering allowing our users
> to host their own stylesheet, and just pass in its URL as a CGI
> parameter. Something like this:
<snip>
> Of course, we have no control over what gets passed in to the
> stylesheet parameter, so we have to be prepared for the possibility
> that a malicious person sets it to something nasty.
<snip>
I may be missing something here, but from the way you describe it, I as a
webmaster, can load your application in a frame within my site. The users
that come and browse my site, can access your application through the
frame.
To make it nice and pretty, you are allowing me to create a stylesheet for
your application so that it will fit with the look and feel of my site.
You are worried that I might insert malicious code into my user's computer
via the style sheet for your application's frame within my site.
If that understanding is correct, then here are my thoughts on the matter.
As a webmaster, my concern is that I get lots of traffic on my site. If I
introduce malicious code on my site that harms a user in any way, then I am
shooting myself in the foot. I will not get many return customers, and I
will probably not get many customers at all. I would in fact be concerned
that by offering your application, I am not introducing something harmful
to my customers.
The only feasible way that I can see to do extensive damage with your
application in a frame on my site, would be to heavily market my site, have
a nice, clean and SAFE presentation. When I have thousands of regular
users coming on a daily basis, then I could insert something malicious into
the site to attack them all. At that point, what I introduce does not even
have to be in your application, or in the css related to your application.
If it can go there, it can go in the css for my own site. Anyway, at that
point, I will very quickly lose my customers, my revenue, and probably
start collecting lawsuits.
From your point of view - are you being more concerned with a possibly
unrealistic security threat, than you need to? In my mind security boils
down to making it more expensive to 'steal' something than they get in
reward for having done it. Are you going beyond this?
Just my thoughts,
Carolyn
--
Carolyn Marenger
------------------------------
Date: Fri, 24 Mar 2006 11:35:54 -0000
From: Jasen Betts <jasen@free.net.nz>
Subject: Re: Security implications of taking a stylesheet URL from a CGI parameter
Message-Id: <2b7a.4423d99a.3d8ce@clunker.homenet>
> In particular, is there any way to embed client-executed code (like
> JavaScript) into a stylesheet,
yes.
Bye.
Jasen
------------------------------
Date: Fri, 24 Mar 2006 14:55:27 +0100
From: Asterbing <no@thanks.com>
Subject: sockaddr_in() timeout or asynchone call ?
Message-Id: <MPG.1e8e18b63959a2469897a0@news.tiscali.fr>
Hello,
Is it possible to do that a code like the one described on the chapter
42.6.2 called "WebGet Client" on the Perl manual, be not a locking point
for the rest of the script ?
Effectively, the sockaddr_in() freeze the script if the remote host is
not available.
Is there a way to reduce the timeout or, better, to do that this call be
asynchroneous (don't taliking about waiting of the response since in the
first case I've to treat, this GET response isn't necessary for the rest
of the script - the matter is just to launch a remote cgi which will
live its life by itself).
------------------------------
Date: Fri, 24 Mar 2006 12:38:35 GMT
From: "Jürgen Exner" <jurgenex@hotmail.com>
Subject: Re: Would like to make a system call without displaying msg to STD OUT
Message-Id: <fLRUf.12753$wD1.5834@trnddc02>
desert.fox11@yahoo.com wrote:
> I'll try to say this succinctly. I make a call using system "unzip
> -o", "$filename" which calls a utility unzip that has 'status'
> messages display to std out. This is fine, however, can I re-direct
On most command shells that I know about you can use the ">" to redirect
stdout into a file. Just redirect it to /dev/null
> (or at the very least suppress ) these messages.
Typically that question would be answered in the documentation of the tool
that you are using.
Many applications have an option like "-s" for silent or similar.
Now, what's your Perl question?
jue
------------------------------
Date: Fri, 24 Mar 2006 06:58:13 -0600
From: Tad McClellan <tadmc@augustmail.com>
Subject: Re: Would like to make a system call without displaying msg to STD OUT
Message-Id: <slrne27r75.3rd.tadmc@magna.augustmail.com>
desert.fox11@yahoo.com <u55389404@spawnkill.ip-mobilphone.net> wrote:
> Hi,
> I'll try to say this succinctly. I make a call using system "unzip -o",
> "$filename"
perldoc -q vars
> which calls a utility unzip that has 'status' messages
> display to std out.
Is that really what your system() call looks like?
It is a strange hybrid of the one arg form:
system "unzip -o $filename"
and the LIST form
system "unzip -o", $filename
where the list form attempts to run a command whose name is
eight characters long.
The proper LIST form would be something like:
system 'unzip', '-o', $filename
> This is fine, however, can I re-direct ( or at the
> very least suppress ) these messages.
You can use shell redirection with the one arg form:
system "unzip -o $filename >/dev/null"
--
Tad McClellan SGML consulting
tadmc@augustmail.com Perl programming
Fort Worth, Texas
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc. For subscription or unsubscription requests, send
#the single line:
#
# subscribe perl-users
#or:
# unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.
NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.
#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 9084
***************************************