[27815] in Perl-Users-Digest
Perl-Users Digest, Issue: 9179 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Thu Apr 20 09:05:45 2006
Date: Thu, 20 Apr 2006 06:05:05 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Thu, 20 Apr 2006 Volume: 10 Number: 9179
Today's topics:
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <no@thanks.com>
Re: How to find uploaded data size from content-length <××DBraughler××@××bwcc·com>
Re: show hidden value in variable.. with mysql (Anno Siegel)
Re: show hidden value in variable.. with mysql (Anno Siegel)
Re: show hidden value in variable.. with mysql (Anno Siegel)
Re: show hidden value in variable.. with mysql <rvtol+news@isolution.nl>
Re: show hidden value in variable.. with mysql <1usa@llenroc.ude.invalid>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Thu, 20 Apr 2006 12:41:49 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb183d7392a09a9989807@news.tiscali.fr>
In article <20060419163418.712$cu@newsreader.com>, xhoster@gmail.com
says...
> I thought the whole point was to avoid extracting the
> data in the first place.
Right :-) Effectively, I've taken an example of a 1MB limit, but it could
be 10MB (or 10KB but it's another discussion). So, if it's 10MB and
the client sends CONTENT_LENGTH in its request (which is not always the
case), I would like to check it, then deduct the file size and stop
everything in case of limitation overflow.
> You have enough memory to load a 1 MB of non-file-upload form-data into
> memory, but not enough disk to temporarily save 1 MB of file-upload data?
> That just doesn't make sense.
See what I say just above ;)
> Having said that, you could hack/subclass the read_multipart method
> of CGI.pm to have it, at a certain size, stop copying the data into the
> file, something like:
So, here, I understand CGI.pm stops the things during file server
copying, not about STDIN fill-in
------------------------------
Date: Thu, 20 Apr 2006 12:42:49 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb18416e6fa9276989808@news.tiscali.fr>
In article <m21wvt5mxl.fsf@Sherm-Pendleys-Computer.local>, sherm@dot-app.org says...
> Don't read from stdin. Read from the filehandle you get from CGI.pm.
>
I don't use CGI.pm
------------------------------
Date: Thu, 20 Apr 2006 12:48:39 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb18575606952f989809@news.tiscali.fr>
In article <m2wtdl486i.fsf@Sherm-Pendleys-Computer.local>, sherm@dot-app.org says...
> > When CONTENT_LENGTH not given during request, server has to compute it
> > from real data received in STDIN
>
> The server isn't receiving data from stdin, it's receiving it from a
> network connection.
I didn't write "from", but "to".
> It doesn't make the client stop sending data, it just ignores anything
> beyond POST_MAX.
However, when CONTENT_LENGTH is not sent by the client, the server has to
compute it from real data found in STDIN, then in this case, it doesn't
stop anything but just avoids writing on server disk.
> It can and does stop receiving data. Your confusion is the result of
> thinking that it *also* causes the client to stop *sending* data.
If CONTENT_LENGTH comes from client, yes. But, when computed by server
from STDIN content, no.
------------------------------
Date: Thu, 20 Apr 2006 13:03:34 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb188f19a8aa53398980a@news.tiscali.fr>
In article <124d4lpmil2vd65@corp.supernews.com>, ××DBraughler××@××bwcc·com says...
> Asterbing wrote:
> > [quoted text muted]
> >>
> >> That should probably be changed. It does not immediately exit with
> >> an error message. It first reads (and discards) the entire contents
> >> of the POST, which apparently the OP doesn't want to happen
>
> It would make sense to me to send an error message, close the connection, and exit.
> Otherwise, a DoS attack indeed keeps streaming bits to the server.
>
I didn't write this. You quote 'Asterbing' but it wasn't written by
Asterbing in the referenced post.
------------------------------
Date: Thu, 20 Apr 2006 13:13:11 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb18b30c64798cd98980b@news.tiscali.fr>
In article <Xns97AA94E646CAcastleamber@130.133.1.4>,
john@castleamber.com says...
> Asterbing <no@thanks.com> wrote:
>
> > In article <Xns97AA8023D74CDcastleamber@130.133.1.4>,
> > john@castleamber.com says...
> >> $CGI::POST_MAX
> >>
> >> If set to a non-negative integer, this variable puts a ceiling on
> >> the size of POSTings, in bytes. If CGI.pm detects a POST that is greater
> >> than the ceiling, it will immediately exit with an error message.
> >> This value will affect both ordinary POSTs and multipart POSTs,
> >> meaning that it limits the maximum size of file uploads as well. You
> >> should set this to a reasonably high value, such as 1 megabyte.
> >>
> >
> > Without CGI.pm !
>
> Why? Look how "they" do it, and copy it.
I've seen and rewritten my own. A matter of courtesy to not 'copy' : in
my mind, two ways only : I use a module or I just take a look at their
algorithm (idea), but never copy (steal)
>
> > However, reading what you posted from CGI.pm help, it seems that
> > CGI.pm doesn't really limit the file size precisely but rather the
> > entire POSTed data. So, how if I want to be free to choose the file
> > limit not as 1MB but as 5KB ?
>
> Good question, set it to 50KB, and check the actual filesize.
>
Good idea : quite empirical, but not seen better around :)
------------------------------
Date: Thu, 20 Apr 2006 13:15:41 +0200
From: Asterbing <no@thanks.com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <MPG.1eb18bc756c6558598980c@news.tiscali.fr>
In article <20060419161342.039$bv@newsreader.com>, xhoster@gmail.com
says...
> Do you really consider 5KB to be a denial of service attack?
>
> Set one limit on the whole post of, say, 10MB, to prevent DoS attacks.
> If the size is over 10MB, send a nasty message about DoS not being welcome.
> If it is under 10MB, process it, save the upload to a temp file, and
> check its size. If the size is more than 5KB, send a polite message
> saying the file was a tad too big, and delete the temp file. Otherwise,
> do whatever it is you want to do.
>
Well, since I've parsed STDIN at this I'm ready to write in a tmp server
file, I've the file size before even writing to disk. I think it's the
way I'll do it.
Thanks for all your opinions
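
The size checks discussed in this thread, as an added example that is not part of any poster's message: a plain-CGI reader (no CGI.pm) that refuses an over-limit CONTENT_LENGTH before reading anything and never reads past the declared length. The sub name, the 16-byte demo ceiling and the choice to reject a missing length are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Names and limits are hypothetical.
use strict;
use warnings;

my $MAX_POST = 16;   # tiny ceiling for the demo; the thread talks about 1MB to 10MB

# Returns (status, body). Status is 'ok', 'too_large', 'length_required'
# or 'short_read'. $in is the handle the body arrives on (STDIN under CGI).
sub read_capped_body {
    my ($env, $in, $max) = @_;
    my $declared = $env->{CONTENT_LENGTH};

    # Assumption: a missing or non-numeric length is rejected, not guessed.
    return ('length_required', '')
        unless defined $declared && $declared =~ /\A[0-9]+\z/;

    # Cheap check first: refuse before reading a single byte of the body.
    return ('too_large', '') if $declared > $max;

    # Read in chunks, and never more than the declared length in total,
    # so a client that keeps streaming cannot grow the buffer.
    binmode $in;
    my ($body, $got) = ('', 0);
    while ($got < $declared) {
        my $want = $declared - $got;
        $want = 8192 if $want > 8192;
        my $n = read($in, $body, $want, $got);
        return ('short_read', '') unless defined $n && $n > 0;
        $got += $n;
    }
    return ('ok', $body);
}

# Constructed demo input: in-memory handles stand in for STDIN.
my @cases = ([ 5, 'hello' ], [ 5, 'hello plus trailing junk' ],
             [ 99, 'x' ], [ 10, 'abc' ], [ undef, 'abc' ]);
for my $case (@cases) {
    my ($len, $data) = @$case;
    open my $fh, '<', \$data or die "open: $!";
    my ($status, $body) = read_capped_body({ CONTENT_LENGTH => $len }, $fh, $MAX_POST);
    printf "%-5s => %-15s (%d bytes kept)\n",
        defined $len ? $len : 'none', $status, length $body;
}
```

Under a real CGI server the call would be `read_capped_body(\%ENV, \*STDIN, $limit)`, with the per-file size check applied afterwards to the parsed upload part.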
------------------------------
Date: Thu, 20 Apr 2006 07:55:24 -0400
From: Denver <××DBraughler××@××bwcc·com>
Subject: Re: How to find uploaded data size from content-length
Message-Id: <124etlfl74k487@corp.supernews.com>
Asterbing wrote:
> In article <124d4lpmil2vd65@corp.supernews.com>, ××DBraughler××@××bwcc·com says...
>> > xhoster wrote:
>> >> That should probably be changed. It does not immediately exit with
>> >> an error message. It first reads (and discards) the entire contents
>> >> of the POST, which apparently the OP doesn't want to happen
>>
>> It would make sense to me to send an error message, close the connection, and exit.
>> Otherwise, a DoS attack indeed keeps streaming bits to the server.
>>
>
> I didn't write this. You quote 'Asterbing' but it wasn't written by
> Asterbing in the referenced post.
Then your Gravity news agent is messed up or you miscounted the nesting wakas.
The attributions and text are correctly nested in what I posted.
------------------------------
Date: 20 Apr 2006 08:31:39 GMT
From: anno4000@lublin.zrz.tu-berlin.de (Anno Siegel)
Subject: Re: show hidden value in variable.. with mysql
Message-Id: <4aov7bFtteb8U1@news.dfncis.de>
Dr.Ruud <rvtol+news@isolution.nl> wrote in comp.lang.perl.misc:
> joe.henderson1@ schreef:
>
> > $item =~ s/^\s+//; #remove Leading whitespace
> > $item =~ s/\s+$//; #remove trailing whitespace
> > $item =~ s/\r/ /g; #remove those Damn ^M
> > $item =~ s/\f/ /g; #remove those Damn ^M
> > $item =~ s/\t/ /g; #remove those Damn ^M
> > $item =~ s/\n/ /g; #remove those Damn ^M
> > $item =~ s/\s+/ /g; #replace multiple spaces with one
> > chomp($item); #remove newline character
>
> After some weeding, this remains:
>
> s/^\s+//, s/\s+$//, s/\s+/ /g for $item;
...or even
s/\s+/ /g, s/^\s//, s/\s$// for $item;
Anno
--
If you want to post a followup via groups.google.com, don't use
the broken "Reply" link at the bottom of the article. Click on
"show options" at the top of the article, then click on the
"Reply" at the bottom of the article headers.
------------------------------
Date: 20 Apr 2006 08:38:20 GMT
From: anno4000@lublin.zrz.tu-berlin.de (Anno Siegel)
Subject: Re: show hidden value in variable.. with mysql
Message-Id: <4aovjsFtteb8U2@news.dfncis.de>
Uri Guttman <uri@stemsystems.com> wrote in comp.lang.perl.misc:
> >>>>> "jh" == joe henderson1 <joe.henderson1@> writes:
> jh> All the subs i write have a "magic" debug variable.. I spend more time
> jh> on debugging than writing code.. :(
>
> that is a bad sign. learn to analyze your problems better, improve your
> coding skills, etc. debugging should be maybe 20-40% maximum of your
> development time.
Coding is debugging an empty source file :)
Anno
------------------------------
Date: 20 Apr 2006 08:43:06 GMT
From: anno4000@lublin.zrz.tu-berlin.de (Anno Siegel)
Subject: Re: show hidden value in variable.. with mysql
Message-Id: <4aovsqFtteb8U3@news.dfncis.de>
A. Sinan Unur <1usa@llenroc.ude.invalid> wrote in comp.lang.perl.misc:
> joe.henderson1@ wrote in news:gfcd429kaaot9ibb06l6ma1od1j5tf1q17@4ax.com:
[...]
> > my $item = $_[0];
>
> my ($item) = @_;
>
> would enable you to pass literal strings to this routine as well as
> variables.
What difference would it make?
Anno
------------------------------
Date: Thu, 20 Apr 2006 10:41:05 +0200
From: "Dr.Ruud" <rvtol+news@isolution.nl>
Subject: Re: show hidden value in variable.. with mysql
Message-Id: <e27op5.17s.1@news.isolution.nl>
Dr.Ruud schreef:
> Test:
>
> perl -e '$i="\t\rabc \n def\t\r\n";
> s/^\s+//, s/\s+$//, s/\s+/ /g for $i;
> print(length $i, ":$i\n")'
>
> 7:abc def
A less platform dependent version:
perl -e '$i = qq[\t\r123 \f\x{2028}\n 567\t\r\n];
s/\s+/ /g, s/^ //, s/ $//, for $i;
print (length $i, qq[:$i\n])'
(for Windows: put on a single line and change the outer ' to ")
--
Affijn, Ruud
"Gewoon is een tijger."
------------------------------
Date: Thu, 20 Apr 2006 12:57:13 GMT
From: "A. Sinan Unur" <1usa@llenroc.ude.invalid>
Subject: Re: show hidden value in variable.. with mysql
Message-Id: <Xns97AB5B15B5633asu1cornelledu@127.0.0.1>
anno4000@lublin.zrz.tu-berlin.de (Anno Siegel) wrote in
news:4aovsqFtteb8U3@news.dfncis.de:
> A. Sinan Unur <1usa@llenroc.ude.invalid> wrote in comp.lang.perl.misc:
>> joe.henderson1@ wrote in news:gfcd429kaaot9ibb06l6ma1od1j5tf1q17@4ax.com:
>
> [...]
>
>> > my $item = $_[0];
>>
>> my ($item) = @_;
>>
>> would enable you to pass literal strings to this routine as well as
>> variables.
>
> What difference would it make?
Admittedly, not much in the OP's case.
D:\Home\asu1\UseNet\clpmisc> cat test1.pl
#!/usr/bin/perl

use strict;
use warnings;

print s2t1('nos much'), "\n";
print s2t2('nos much'), "\n";

sub s2t1 {
    my (@args) = @_;
    s/s/t/ for @args;
    return @args;
}

sub s2t2 {
    s/s/t/ for @_;
    return @_;
}

D:\Home\asu1\UseNet\clpmisc> test1
not much
Modification of a read-only value attempted at D:\Home\asu1\UseNet
\clpmisc\test1.pl line 17.
Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(remove .invalid and reverse each component for email address)
comp.lang.perl.misc guidelines on the WWW:
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc. For subscription or unsubscription requests, send
#the single line:
#
# subscribe perl-users
#or:
# unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.
NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.
#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 9179
***************************************