[28038] in Perl-Users-Digest


Perl-Users Digest, Issue: 9402 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Wed Jun 28 18:10:22 2006

Date: Wed, 28 Jun 2006 15:10:09 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)

Perl-Users Digest           Wed, 28 Jun 2006     Volume: 10 Number: 9402

Today's topics:
    Re: Scalable method for searching in relatively big fil <tadmc@augustmail.com>
        short-hand for same regex for multiple scalars? <alhuber@gmx.net>
    Re: short-hand for same regex for multiple scalars? <mritty@gmail.com>
    Re: short-hand for same regex for multiple scalars? <alhuber@gmx.net>
    Re: short-hand for same regex for multiple scalars? <someone@example.com>
    Re: Single-liner for one-line substitute? <someone@example.com>
    Re: Single-liner for one-line substitute? <hawk007@flight.us>
    Re: substr extracting <benmorrow@tiscali.co.uk>
        validating data before trusting to use in a system call guser@packetstorm.org
    Re: validating data before trusting to use in a system  <tzz@lifelogs.com>
    Re: validating data before trusting to use in a system  <benmorrow@tiscali.co.uk>
    Re: What is Expressiveness in a Computer Language [corr <eval.apply@gmail.com>
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Wed, 28 Jun 2006 15:42:22 -0500
From: Tad McClellan <tadmc@augustmail.com>
Subject: Re: Scalable method for searching in relatively big files
Message-Id: <slrnea5qde.udh.tadmc@magna.augustmail.com>

it_says_BALLS_on_your forehead <simon.chao@fmr.com> wrote:
> Tad McClellan wrote:
>> it_says_BALLS_on_your forehead <simon.chao@fmr.com> wrote:

>> > From the Programming Perl 3rd ed. book
>> > pg. 63...


>> Please don't cite a resource with limited distribution when there
>> is a widely available resource that says the same thing (perlop.pod).

> I see nothing wrong with citing one of the definitive Perl reference
> books when I provide the quote.


I see at least 2 reasons.

The primary reason is that everybody has the docs that come with perl
and not everybody has bought the Camel book, so more people can
participate freely, which seems desirable and open-sourcey.

The 2nd reason is that those who haven't paid O'Reilly cannot go
see the context of the quote. There is nothing in the quote that
indicates that it is talking about m// delimiters, it might be
talking about qq// delimiters for all we can tell.


-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas


------------------------------

Date: Wed, 28 Jun 2006 19:22:04 +0100
From: Alexander Huber <alhuber@gmx.net>
Subject: short-hand for same regex for multiple scalars?
Message-Id: <e7uhcf$9mi$1@news.ox.ac.uk>

Hi,

Is there a shorter way of writing the following (regex only once on 
right-hand side?), basically I want to apply the same regular expression 
consecutively to multiple scalars:

$a =~ s/a/b/gs;
$b =~ s/a/b/gs;
$c =~ s/a/b/gs;

Thanks,

Alexander.
-- 
Alexander Huber
mailto:alhuber@gmx.net


------------------------------

Date: 28 Jun 2006 11:28:20 -0700
From: "Paul Lalli" <mritty@gmail.com>
Subject: Re: short-hand for same regex for multiple scalars?
Message-Id: <1151519300.369711.293400@m73g2000cwd.googlegroups.com>

Alexander Huber wrote:
> Is there a shorter way of writing the following (regex only once on
> right-hand side?), basically I want to apply the same regular expression
> consecutively to multiple scalars:
>
> $a =~ s/a/b/gs;
> $b =~ s/a/b/gs;
> $c =~ s/a/b/gs;
>

Why not just use a loop?

for my $var ($a, $b, $c) {
  $var =~ s/a/b/gs;
}

Paul Lalli



------------------------------

Date: Wed, 28 Jun 2006 19:58:17 +0100
From: Alexander Huber <alhuber@gmx.net>
Subject: Re: short-hand for same regex for multiple scalars?
Message-Id: <e7ujg9$a8d$1@news.ox.ac.uk>

Many thanks!

Alexander.


Paul Lalli wrote:
> Alexander Huber wrote:
>> Is there a shorter way of writing the following (regex only once on
>> right-hand side?), basically I want to apply the same regular expression
>> consecutively to multiple scalars:
>>
>> $a =~ s/a/b/gs;
>> $b =~ s/a/b/gs;
>> $c =~ s/a/b/gs;
>>
> 
> Why not just use a loop?
> 
> for my $var ($a, $b, $c) {
>   $var =~ s/a/b/gs;
> }
> 
> Paul Lalli
> 


-- 
Alexander Huber
mailto:alhuber@gmx.net


------------------------------

Date: Wed, 28 Jun 2006 19:14:00 GMT
From: "John W. Krahn" <someone@example.com>
Subject: Re: short-hand for same regex for multiple scalars?
Message-Id: <YxAog.111702$771.20633@edtnps89>

Paul Lalli wrote:
> Alexander Huber wrote:
>>Is there a shorter way of writing the following (regex only once on
>>right-hand side?), basically I want to apply the same regular expression
>>consecutively to multiple scalars:
>>
>>$a =~ s/a/b/gs;
>>$b =~ s/a/b/gs;
>>$c =~ s/a/b/gs;
>>
> 
> Why not just use a loop?
> 
> for my $var ($a, $b, $c) {
>   $var =~ s/a/b/gs;
> }

Since the OP wants a shorter way:

s/a/b/g for $a, $b, $c;


:-)

John
-- 
use Perl;
program
fulfillment


------------------------------

Date: Wed, 28 Jun 2006 18:07:34 GMT
From: "John W. Krahn" <someone@example.com>
Subject: Re: Single-liner for one-line substitute?
Message-Id: <Gzzog.103434$S61.13223@edtnps90>

anno4000@zrz.tu-berlin.de wrote:
> Mike Pearson  <mwp@nospam.com> wrote in comp.lang.perl.misc:
>>
>>I know almost no Perl at all, but I occasionally use
>>
>>perl -pi -e 's/old/new/g' file
>>
>>for a global search/replace in a file. I've tried to modify this to
>>change only a string on the first line of a file, leaving the string
>>unchanged elsewhere in the file, but I haven't been able to find a way
>>to do this. Simply removing the 'g' has no effect - it still does a
>>global replace.
> 
> The match operator is applied to every line in the file.  The /g
> modifier changes the behavior of each application.  It does not
> work across applications.
> 
> Here is one way:
> 
>     perl -pi -e '$. == 1 && s/old/new/g' file

Also for that to work on multiple files you need to close the filehandle:

      perl -pi -e'close ARGV if eof; $. == 1 && s/old/new/g' file*



John
-- 
use Perl;
program
fulfillment


------------------------------

Date: 28 Jun 2006 14:33:58 -0700
From: "Andrew" <hawk007@flight.us>
Subject: Re: Single-liner for one-line substitute?
Message-Id: <1151530438.491170.34570@p79g2000cwp.googlegroups.com>

John W. Krahn wrote:
> anno4000@zrz.tu-berlin.de wrote:
> > Mike Pearson  <mwp@nospam.com> wrote in comp.lang.perl.misc:
> >>
> >>I know almost no Perl at all, but I occasionally use
> >>
> >>perl -pi -e 's/old/new/g' file
> >>
> >>for a global search/replace in a file. I've tried to modify this to
> >>change only a string on the first line of a file, leaving the string
> >>unchanged elsewhere in the file, but I haven't been able to find a way
> >>to do this. Simply removing the 'g' has no effect - it still does a
> >>global replace.
> >
> > The match operator is applied to every line in the file.  The /g
> > modifier changes the behavior of each application.  It does not
> > work across applications.
> >
> > Here is one way:
> >
> >     perl -pi -e '$. == 1 && s/old/new/g' file
>
> Also for that to work on multiple files you need to close the filehandle:
>
>       perl -pi -e'close ARGV if eof; $. == 1 && s/old/new/g' file*
>

Well, heck -- same goes for my version; thanks for catching this:

        perl -pi -e '$done=0 if eof; next if $done; s/old/new/g && $done++;'  file

Also, an afterthought I had earlier: One can, of course, generalize
things further, to alter not just the first matching line, but, say,
the first 3 matching lines (and nothing else):

   perl -pi -e '$count=0 if eof; next if ($count>2); s/old/new/g && $count++;'  file1 file2 ...

(or, obviously, one can shift the subset down with something like "...
next unless ( (($count>4) && ($count<10))" , and so on, and so forth,
with any numeric comparison ("unless ($count==15)", to change only the
16th matching line) )

And, of course, reverting back to the original OP's task of replacing a
particular line, regardless of whether it matches, one can similarly
replace or try to replace any specific line or lines other than the
first one.  (Separate "s/old/new/g && $count++;" into two independent
commands, in the above);

andrew



------------------------------

Date: Wed, 28 Jun 2006 20:24:13 +0100
From: Ben Morrow <benmorrow@tiscali.co.uk>
Subject: Re: substr extracting
Message-Id: <tj1bn3-5kj.ln1@osiris.mauzo.dyndns.org>


Quoth Sharif Islam <mislam@spam.uiuc.edu>:
> I want to extract 'ny' part from the string. 'n' being any number.
> 
> #!/usr/bin/perl
> use strict;
> my $string = "$obj->time('<=','1y')";
> if ($string =~ /time/) {
>             extract($string); }
> 
> sub extract {
>     my $string = shift;
>     $diff = substr ($string, -4,2);
>     print  $diff; }
> 
> 
> Two problems:
> 
> 1. I get this error when using strict:
> Global symbol "$obj" requires explicit package name at a.pl line 3.

You want a single-quoted string instead; otherwise you are trying to
interpolate $obj into your string.

    my $string = q/$obj->time('<=','1y')/;

Read about q// in perldoc perlop.

> 2. Sometimes the string can contain two digits for the year: 
> $obj->time('<=','11y'). Then the substr will only get part of it. Should 
> I use split? Or regex?

I would always use a regex; viz

    if ($string =~ /time/) {
        print $string =~ /(\d+y)/;
    }

Ben

-- 
And if you wanna make sense / Whatcha looking at me for?          (Fiona Apple)
                        * benmorrow@tiscali.co.uk *


------------------------------

Date: 28 Jun 2006 11:20:58 -0700
From: guser@packetstorm.org
Subject: validating data before trusting to use in a system call
Message-Id: <1151518858.271517.306320@y41g2000cwy.googlegroups.com>

I have a scheduler program that calls a poller program. I want to be
sure that the data passed does not contain stuff that can harm the
system. This is what I have, does anyone see a security problem with
it?

thanks

the poller will accept two commands currently. Either
disco.pl --node=1.1.1.1 or
disco.pl --node=1.1.1.1 --force

if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+$/) { $valid = 1; }
if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+ --force$/) { $valid = 1; }

if the above is not matched then I assume bad data was passed such as a
worst case (even though it does not run as root. But someone logged
into the system as root could invoke "Murphys Law" so I need to be sure
only the command strings I want are accepted.)

disco.pl --node=1.1.1.;rm -f /

Also the $task variable can be tainted from an outside source as it
gets the data from a mysql table for the node ip address. So I also
check that after getting it from the table before sending it on to be
tasked.

sub isIP
{
        my $target = shift;
        print OUT " SUB:isIP: Starting\n" if $debug_arg;
        if ($target =~ /^\b\d+\.\d+\.\d+\.\d+$/) {
                print OUT " SUB:isIP: Ending : $target : Return true\n" if $debug_arg;
                return 1;
        } else {
                print OUT " SUB:isIP: Ending : $target : Return false\n" if $debug_arg;
                return 0;
        }
}



------------------------------

Date: Wed, 28 Jun 2006 16:43:06 -0400
From: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: validating data before trusting to use in a system call
Message-Id: <g69u065f1ut.fsf@CN1374059D0130.kendall.corp.akamai.com>

On 28 Jun 2006, guser@packetstorm.org wrote:

> I have a scheduler program that calls a poller program. I want to be
> sure that the data passed does not contain stuff that can harm the
> system. This is what I have, does anyone see a security problem with
> it?
>
> the poller will accept two commands currently. Either
> disco.pl --node=1.1.1.1 or
> disco.pl --node=1.1.1.1 --force
>
> if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+$/) { $valid = 1; }
> if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+ --force$/) { $valid = 1; }

1) use Regexp::Common to match IP addresses (and anything else you
   think you can do yourself, like numbers :)

2) always use the multi-argument version of system() if possible

3) it's better to extract data (if possible) than to verify the passed
   data, as you discovered.  Also, you should simplify the interaction
   language.  So the commands should be:

1.1.1.1
1.1.1.1 force

Do you see how much easier it is to parse and verify the above?

Now you just do

my $ip;
# ... match IP address into $ip ...

my @args = ("--node=$ip");

if (m/force/)
{
 push @args, "--force";
}

system "disco.pl", @args;

If you need to allow multiple things to execute, add a parameter at
the beginning to specify the command SYMBOLICALLY.  So "disco" would
mean disco.pl.  That way, only when you add that command's nickname on
the server side will it be available on the client side.

Ted


------------------------------

Date: Wed, 28 Jun 2006 21:46:17 +0100
From: Ben Morrow <benmorrow@tiscali.co.uk>
Subject: Re: validating data before trusting to use in a system call
Message-Id: <pd6bn3-n9k.ln1@osiris.mauzo.dyndns.org>


Quoth guser@packetstorm.org:
> I have a scheduler program that calls a poller program. I want to be
> sure that the data passed does not contain stuff that can harm the
> system. This is what I have, does anyone see a security problem with
> it?
> 
> thanks
> 
> the poller will accept two commands currently. Either
> disco.pl --node=1.1.1.1 or
> disco.pl --node=1.1.1.1 --force
> 
> if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+$/) { $valid = 1; }
> if ($task =~ /^\/home\/disco\/disco.pl --node=\d+\.\d+\.\d+\.\d+ --force$/) { $valid = 1; }

use Regexp::Common qw/net/;

$task =~ m#^/home/disco/disco.pl --node=$RE{net}{IPv4}(?: --force)?$#
    and $valid = 1;

This will match only your specified commands, so no, there's no security
problem there. Of course, if your spec is wrong (e.g. if there are some
IP addrs you should not be able to specify) that's another matter...

> Also the $task variable can be tainted from an outside source as it
> gets the data from a mysql table for the node ip address. So I also
> check that after getting it from the table before sending it on to be
> tasked.
> 
> sub isIP
> {
>         my $target = shift;
>         print OUT " SUB:isIP: Starting\n" if $debug_arg;
>         if ($target =~ /^\b\d+\.\d+\.\d+\.\d+$/) {

What's the \b for? It's completely redundant with ^.

Use Regexp::Common::net, again.

You don't seem to be untainting your data: are you running perl in taint
mode? If not, you *really* should be.

Ben

-- 
It will be seen that the Erwhonians are a meek and long-suffering people,
easily led by the nose, and quick to offer up common sense at the shrine of
logic, when a philosopher convinces them that their institutions are not based 
on the strictest morality. [Samuel Butler, paraphrased] benmorrow@tiscali.co.uk
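
The advice in the two replies above (extract the IP rather than verify a whole command string, use the multi-argument system(), run in taint mode), put together as an added example that is not code from any poster. It assumes the simplified "IP" / "IP force" request language, a hand-written octet pattern in place of Regexp::Common, and a PATH value chosen for illustration.

```perl
use strict;
use warnings;

# Added example; run as "perl -T example.pl" to enable taint mode.
# The disco.pl path comes from the thread; the PATH value is an assumption.
my $DISCO = '/home/disco/disco.pl';
$ENV{PATH} = '/usr/bin:/bin';              # taint mode requires a known PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  # and no shell-affecting variables

# One IPv4 octet in the range 0-255, then four of them joined by dots.
my $octet = qr/(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/;
my $ipv4  = qr/$octet(?:\.$octet){3}/;

# Loose check for comparison: \d+ octets and no end anchor.
sub loose_ok { return $_[0] =~ /^\d+\.\d+\.\d+\.\d+/ ? 1 : 0 }

# Parse "IP" or "IP force"; return the disco.pl argument list, or an
# empty list on rejection. \A and \z anchor the whole string (a plain $
# would still accept a trailing newline).
sub task_to_args {
    my ($task) = @_;
    return unless defined $task;
    my ($ip, $force) = $task =~ /\A($ipv4)( force)?\z/ or return;
    # $ip is a regex capture, so it is untainted under -T.
    return ("--node=$ip", $force ? '--force' : ());
}

# Run the poller without a shell: list-form system() passes each element
# as one argv entry, so nothing in @args is interpreted as shell syntax.
# Not called below because disco.pl exists only on the poster's system.
sub run_task {
    my @args = task_to_args(shift) or return;
    return system($DISCO, @args) == 0;
}

# Constructed inputs: two valid requests, then four that must be rejected.
for my $task ('1.1.1.1', '1.1.1.1 force', '1.1.1.1;rm -f /',
              '999.1.1.1', "1.1.1.1\n", '1.1.1.1 --force') {
    my @args = task_to_args($task);
    (my $shown = $task) =~ s/\n/\\n/g;
    printf "%-18s loose=%d strict=%s\n", "'$shown'", loose_ok($task),
        @args ? "@args" : 'REJECTED';
}
```

The loose pattern accepts all six inputs, while task_to_args() returns an argument list only for the first two.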


------------------------------

Date: 28 Jun 2006 12:08:09 -0700
From: "Joe Marshall" <eval.apply@gmail.com>
Subject: Re: What is Expressiveness in a Computer Language [correction]
Message-Id: <1151521689.654605.261320@p79g2000cwp.googlegroups.com>


Andreas Rossberg wrote:
>
>    ~/> ocaml -rectypes
>          Objective Caml version 3.08.3
>
>    # let rec blackhole x = blackhole;;
>    val blackhole : 'b -> 'a as 'a = <fun>
>
> The problem is, though, that almost everything can be typed once you
> have unrestricted recursive types (e.g. missing arguments etc), and
> consequently many actual errors remain unflagged (which clearly shows
> that typing is not only about potential value class mismatches).
> Moreover, there are very few practical uses of such a feature, and they
> can always be coded easily with recursive datatypes.
>
> It is a pragmatic decision born from experience that you simply do *not
> want* to have this, even though you easily could. E.g. for OCaml,
> unrestricted recursive typing was removed as default because of frequent
> user complaints.
>
> Which is why this actually is a very bad example to choose for dynamic
> typing advocacy... ;-)

Actually, this seems a *good* example.  The problem seems to be that
you end up throwing the baby out with the bathwater:  your static type
system stops catching the errors you want once you make it powerful
enough to express certain programs.

So now it seems to come down to a matter of taste:  use a restricted
language and catch certain errors early or use an unrestricted language
and miss certain errors.  It is interesting that the PLT people have
made this tradeoff as well.  In the DrScheme system, there are
different `language levels' that provide a restricted subset of Scheme.
At the beginner level, first-class procedures are not allowed.  This
is obviously restrictive, but it has the advantage that extraneous
parentheses (a common beginner mistake) cannot be misinterpreted as the
intent to invoke a first-class procedure.



------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc.  For subscription or unsubscription requests, send
#the single line:
#
#	subscribe perl-users
#or:
#	unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.  

NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice. 

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.

#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 9402
***************************************

