need help with security

Discussion in 'Perl Misc' started by Robin, May 2, 2004.

  1. Robin

    Robin Guest

    Robin, May 2, 2004
    #1

  2. Robin

    gnari Guest

    "Robin" <webmaster @ infusedlight . net> wrote in message
    news:c73lo9$a08$...
    > Someone posted an unauthorized post to my blog, if someone has time...could
    > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    > point out the security problems??
    >


    of course, it is your auth.pl that is the weakest link.

    gnari
     
    gnari, May 3, 2004
    #2

  3. Robin wrote:
    > Someone posted an unauthorized post to my blog, if someone has time...could
    > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    > point out the security problems??

    quick read (can't be arsed to consider the security problems):

    my $rootfile =
    $rootfile =~ s/.+\///;

    what is this supposed to be doing?

    my @blogposts;
    @blogposts = getposts ();

    why is this two lines?

    perltidy is still your friend. Please use it.

    $mon++;
    $year +=1900;

    why are you doing this? There are many fine CPAN modules that handle
    dates without such jiggery-pokery.

    open (BLOG, $blogfile) or push (@errors, "An error occured:
    couldn't open blog file.");

    why are you using files when your needs would be much better served with
    a proper database?


    open (COUNT, ">$countfile") or push (@errors, "An error occured during
    posting: couldn't open count file.");
    flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
    posting: couldn't lock count file.");

    your open fails and you save the error (but not $!, which would tell you
    what the error is), yet you still continue to the flock. why?


    why are you printing html directly from perl? *please* look at (and
    understand, and use) templating solutions.

    Mark
     
    Mark Clements, May 3, 2004
    #3
  4. Robin

    Sam Holden Guest

    On Mon, 03 May 2004 02:04:07 +0100,
    Mark Clements <> wrote:
    > Robin wrote:
    >> Someone posted an unauthorized post to my blog, if someone has time...could
    >> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    >> point out the security problems??

    > quick read (can't be arsed to consider the security problems):
    >
    > my $rootfile =
    > $rootfile =~ s/.+\///;
    >
    > what is this supposed to be doing?


    Delete everything other than the filename (ie. getting the basename
    of a path). Of course it doesn't work for paths containing newlines.

    It also should use something other than /, such as s!.+/!!... or
    even better File::Basename.

    > why are you using files when your needs would be much better served with
    > a proper database?


    How are files not a "proper" database?

    --
    Sam Holden
     
    Sam Holden, May 3, 2004
    #4
  5. Robin

    Robin Guest

    "gnari" <> wrote in message
    news:c742sf$6gh$...
    > "Robin" <webmaster @ infusedlight . net> wrote in message
    > news:c73lo9$a08$...
    > > Someone posted an unauthorized post to my blog, if someone has time...could
    > > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    > > point out the security problems??
    > >

    >
    > of course, it is your auth.pl that is the weakest link.
    >
    > gnari


    agreed, thanks... I'll set it up to use cookies...
    -robin
     
    Robin, May 3, 2004
    #5
  6. Robin

    Robin Guest

    "Mark Clements" <> wrote in message
    news:40959a87$...
    > Robin wrote:
    > > Someone posted an unauthorized post to my blog, if someone has time...could
    > > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    > > point out the security problems??

    > quick read (can't be arsed to consider the security problems):
    >
    > my $rootfile =
    > $rootfile =~ s/.+\///;
    >
    > what is this supposed to be doing?


    I posted the new one. Look again.

    > my @blogposts;
    > @blogposts = getposts ();
    >
    > why is this two lines?


    heheh...I dunno. Sorry.

    > perltidy is still your friend. Please use it.


    Ok. I'll check it out.

    > $mon++;
    > $year +=1900;
    >
    > why are you doing this? There are many fine CPAN modules that handle
    > dates without such jiggery-pokery.


    well, I tend to use as few modules as possible so that someone can install
    the script on their server without having to download a lot of modules.

    > open (BLOG, $blogfile) or push (@errors, "An error occured:
    > couldn't open blog file.");
    >
    > why are you using files when your needs would be much better served with
    > a proper database?
    >
    >
    > open (COUNT, ">$countfile") or push (@errors, "An error occured during
    > posting: couldn't open count file.");
    > flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
    > posting: couldn't lock count file.");
    >
    > your open fails and you save the error (but not $!, which would tell you
    > what the error is), yet you still continue to the flock. why?


    If the open fails, the flock will fail so why not try it and then the error
    output will come into play. With the new one it does include $!.

    > why are you printing html directly from perl? *please* look at (and
    > understand, and use) templating solutions.


    Like I said b4 I'd rather not use too many modules that aren't installed on
    everyone's server.

    -Robin
     
    Robin, May 3, 2004
    #6
  7. Robin

    Robin Guest

    sorry to post a script that wouldn't compile, I actually posted the one in
    progress without checking if it would work, that was completely my mistake.
    now it runs - www.infusedlight.net/robin/temp/blog.txt - and the auth script
    source code is www.infusedlight.net/robin/temp/auth.txt
    Sorry about my formatting, I use an editor that screws it all up. I'll use
    perltidy next time.

    Gnari, thanks. Was that you who hacked it? I don't care really, but how
    would you be able to get the auth.pl password from my old search script? see
    the previous post, "free source search engine...etc"

    -Robin
     
    Robin, May 3, 2004
    #7
  8. Robin

    Anno Siegel Guest

    Robin <robin @ infusedlight.net> wrote in comp.lang.perl.misc:
    > sorry to post a script that wouldn't compile, I actually posted the one in
    > progress without checking if it would work, that was completely my mistake.


    Yes, it is, and you're making too many of them. Dumping one sloppy
    post after the other to the group is just rude. Stop it!

    Anno
     
    Anno Siegel, May 3, 2004
    #8
  9. Robin

    Joe Smith Guest

    Robin wrote:

    > well, I tend to use as few modules as possible so that someone can install
    > the script on their server without having to download a lot of modules.


    With that design, your script will not have much in terms of functionality.
    The end result will be more of a toy than a production-quality program.

    It probably doesn't matter much; I doubt that more than a handful of
    people will ever be using it.
    -Joe
     
    Joe Smith, May 3, 2004
    #9
  10. Sam Holden wrote:

    >>my $rootfile =
    >>$rootfile =~ s/.+\///;
    >>
    >>what is this supposed to be doing?

    > Delete everything other than the filename (ie. getting the basename
    > of a path). Of course it doesn't work for paths containing newlines.

    s/// returns the number of substitutions, though in this case since /g
    isn't specified it will only ever return 0 or 1, so $rootfile is set to
    0 or 1.

    >>why are you using files when your needs would be much better served with
    >>a proper database?

    > How are files not a "proper" database?

    OK - you can do it that way but using an RDBMS of some description has
    many advantages over reading and writing files directly.

    Mark
     
    Mark Clements, May 3, 2004
    #10
  11. Michele Dondi wrote:
    > On Mon, 03 May 2004 11:43:39 +0100, Mark Clements
    > <> wrote:
    >
    >>>> $rootfile =~ s/.+\///;
    >>>>
    >>>> what is this supposed to be doing?
    >>>
    >>> Delete everything other than the filename (ie. getting the
    >>> basename of a path). Of course it doesn't work for paths
    >>> containing newlines.

    >>
    >> s/// returns the number of substitutions, though in this case
    >> since /g isn't specified it will only ever return 0 or 1, so
    >> $rootfile is set to 0 or 1.

    >
    > Huh?!?
    >
    > '=~' ne '=';


    Never snip code that is needed for context. :)

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
     
    Gunnar Hjalmarsson, May 3, 2004
    #11
  12. On Mon, 03 May 2004 11:43:39 +0100, Mark Clements
    <> wrote:

    >>>$rootfile =~ s/.+\///;
    >>>
    >>>what is this supposed to be doing?

    >> Delete everything other than the filename (ie. getting the basename
    >> of a path). Of course it doesn't work for paths containing newlines.

    >s/// returns the number of substitutions, though in this case since /g
    >isn't specified it will only ever return 0 or 1, so $rootfile is set to
    >0 or 1.


    Huh?!?

    '=~' ne '=';


    Michele
    --
    you'll see that it shouldn't be so. AND, the writting as usuall is
    fantastic incompetent. To illustrate, i quote:
    - Xah Lee trolling on clpmisc,
    "perl bug File::Basename and Perl's nature"
     
    Michele Dondi, May 3, 2004
    #12
  13. Robin

    Paul Lalli Guest

    On Mon, 3 May 2004, Michele Dondi wrote:

    > On Mon, 03 May 2004 11:43:39 +0100, Mark Clements
    > <> wrote:
    >
    > >>>$rootfile =~ s/.+\///;
    > >>>
    > >>>what is this supposed to be doing?
    > >> Delete everything other than the filename (ie. getting the basename
    > >> of a path). Of course it doesn't work for paths containing newlines.

    > >s/// returns the number of substitutions, though in this case since /g
    > >isn't specified it will only ever return 0 or 1, so $rootfile is set to
    > >0 or 1.

    >
    > Huh?!?
    >
    > '=~' ne '=';


    You clipped the important part. The original was:

    > >>>my $rootfile =
    > >>>$rootfile =~ s/.+\///;


    He's assigning the result of the substitution back to the original
    variable.

    Paul Lalli
     
    Paul Lalli, May 3, 2004
    #13
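The three points argued across the posts above (what the `my $rootfile = $rootfile =~ s/.+\///;` line actually stores, Sam Holden's newline caveat, and the File::Basename suggestion) side by side, as an added example that is not code from the thread or from Robin's script. The sample paths are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. It shows what assigning the result
# of s/// stores, why the bare regex fails on a path containing a newline,
# and the File::Basename alternative. The sample paths are constructed.
use strict;
use warnings;
use File::Basename qw(basename);

# The pitfall: s/// returns the number of substitutions made (0 or 1 without
# /g), so assigning its result stores that count, not the file name.
sub substitution_count {
    my ($path) = @_;          # $path is a copy, so modifying it is harmless
    my $rootfile = ($path =~ s/.+\///);
    return $rootfile;         # 1 when a slash was stripped, else the empty-string false (prints as 0)
}

# The regex as the OP meant it. '!' delimiters avoid escaping the slash, but
# '.' does not match "\n", so only the first line of the path is consumed.
sub basename_regex {
    my ($path) = @_;
    $path =~ s!.+/!!;
    return $path;
}

# The same regex with /s, which lets '.' match newlines too.
sub basename_regex_s {
    my ($path) = @_;
    $path =~ s!.+/!!s;
    return $path;
}

# The core-module answer: File::Basename handles the odd cases and is portable.
sub basename_module {
    my ($path) = @_;
    return basename($path);
}

# Make embedded newlines visible when printing.
sub vis {
    my ($s) = @_;
    $s =~ s/\n/\\n/g;
    return $s;
}

my @samples = (
    '/var/www/cgi-bin/blog.pl',
    'blog.pl',
    "/tmp/odd\nname/post.txt",   # constructed: a path with an embedded newline
);

for my $p (@samples) {
    printf "%-26s count=%d  regex=%-20s regex/s=%-10s module=%s\n",
        vis($p), substitution_count($p), vis(basename_regex($p)),
        basename_regex_s($p), basename_module($p);
}
```

Run it as `perl basename_demo.pl`: the third sample shows the plain regex leaving `odd\nname/post.txt` behind while the `/s` form and `basename()` both reduce it to `post.txt`, which is why a path taken from user input should go through File::Basename rather than an ad hoc pattern.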
  14. Robin

    Juha Laiho Guest

    "Robin" <robin @ infusedlight.net> said:
    >"Mark Clements" <> wrote in message
    >news:40959a87$...
    >> open (COUNT, ">$countfile") or push (@errors, "An error occured during
    >> posting: couldn't open count file.");
    >> flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
    >> posting: couldn't lock count file.");
    >>
    >> your open fails and you save the error (but not $!, which would tell you
    >> what the error is), yet you still continue to the flock. why?

    >
    >If the open fails, the flock will fail so why not try it and then the error
    >output will come into play. With the new one it does include $!.


    (didn't bother to read the original code, so just commenting on the above,
    and speculating beyond it)

    If the open fails, how much anything useful will your script do beyond
    the point quoted above? If this file is some kind of counter telling
    how many entries there are in your blog, then you cannot allow the
    actual article to be written either, if writing the count fails -- so
    apparently there's not much useful the script can do if the count fails -
    more or less all it can do is generate several error messages instead of
    one.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
     
    Juha Laiho, May 3, 2004
    #14
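Juha's point, that the script should stop at the first failure rather than collect several messages for one cause, written out as an added example. This is not Robin's blog script; the file names, the counter format and the use of a temporary directory are assumptions made so it runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not the blog script from the thread. It applies the advice
# above: stop at the first failure, keep $! in the message, and do not write
# the article at all when the counter cannot be updated. File names and the
# post format are assumptions; a temporary directory makes it run stand-alone.
use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET);
use File::Temp qw(tempdir);

# Advance the post counter under an exclusive lock.
# Returns ($new_count, undef) on success or (undef, $error_message) on failure.
sub next_post_number {
    my ($countfile) = @_;
    open(my $fh, '+<', $countfile)
        or return (undef, "couldn't open count file '$countfile': $!");
    flock($fh, LOCK_EX)
        or return (undef, "couldn't lock count file '$countfile': $!");
    my $count = <$fh>;
    chomp $count if defined $count;
    $count = 0 unless defined $count && $count =~ /^\d+$/;
    $count++;
    seek($fh, 0, SEEK_SET) or return (undef, "couldn't rewind count file: $!");
    truncate($fh, 0)       or return (undef, "couldn't truncate count file: $!");
    print {$fh} "$count\n" or return (undef, "couldn't write count file: $!");
    close($fh)             or return (undef, "couldn't close count file: $!");
    return ($count, undef);
}

# Write one post, but only after the counter has been advanced successfully.
sub store_post {
    my ($dir, $body) = @_;
    my ($num, $err) = next_post_number("$dir/count.txt");
    return (undef, $err) unless defined $num;
    my $postfile = "$dir/post-$num.txt";
    open(my $out, '>', $postfile)
        or return (undef, "couldn't open $postfile: $!");
    print {$out} $body or return (undef, "couldn't write $postfile: $!");
    close($out)        or return (undef, "couldn't close $postfile: $!");
    return ($postfile, undef);
}

my $dir = tempdir(CLEANUP => 1);

# Case 1: no counter file yet. The open fails, the message carries $!, and
# no post file is created.
my ($file, $err) = store_post($dir, "first entry\n");
print defined $file ? "stored $file\n" : "refused: $err\n";

# Case 2: create the counter, then two posts get numbers 1 and 2.
open(my $init, '>', "$dir/count.txt") or die "can't create counter: $!";
print {$init} "0\n";
close($init) or die "can't close counter: $!";
for my $body ("first entry\n", "second entry\n") {
    ($file, $err) = store_post($dir, $body);
    print defined $file ? "stored $file\n" : "refused: $err\n";
}
```

Each `or return` carries `$!` at the point of failure, so the caller gets one message that says why ("No such file or directory" in the first case) instead of the "couldn't open" followed by "couldn't lock" pair the original code would produce, and the post is never written with a number the counter did not hand out.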
  15. Robin

    Juha Laiho Guest

    "Robin" <robin @ infusedlight.net> said:
    >Sorry about my formatting, I use an editor that screws it all up.


    I think suggested already, but wouldn't it be time to switch to some
    other editor then? User-unfriendliness and proper indentation are not
    contradictory features in an editor - you can apparently have both in
    one editor (though the editor I tend to use isn't famed for its user-
    friendliness, so I'm not going to recommend it here).
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
     
    Juha Laiho, May 3, 2004
    #15
  16. Robin

    Robin Guest

    "Sam Holden" <> wrote in message
    news:...
    > On Mon, 03 May 2004 02:04:07 +0100,
    > Mark Clements <> wrote:
    > > Robin wrote:
    > >> Someone posted an unauthorized post to my blog, if someone has time...could
    > >> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
    > >> point out the security problems??

    > > quick read (can't be arsed to consider the security problems):
    > >
    > > my $rootfile =
    > > $rootfile =~ s/.+\///;
    > >
    > > what is this supposed to be doing?


    it looked like $rootfile = $0; $rootfile =~ s/.+\///;
    -Robin
     
    Robin, May 3, 2004
    #16
  17. Robin

    Tore Aursand Guest

    On Sun, 02 May 2004 19:37:48 -0800, Robin wrote:
    > Sorry about my formatting, I use an editor that screws it all up. I'll
    > use perltidy next time.


    Maybe it's just me, but didn't you promise to do that _days_ ago?! You
    never learn, do you? You know why? You don't _want_ to learn.


    --
    Tore Aursand <>
    "When you love someone, all your saved-up wishes start coming out."
    (Elizabeth Bowen)
     
    Tore Aursand, May 4, 2004
    #17
  18. Robin

    Matt Garrish Guest

    "Robin" <robin @ infusedlight.net> wrote in message
    news:c74eqt$opc$...
    > "gnari" <> wrote in message
    > news:c742sf$6gh$...
    >
    > > of course, it is your auth.pl that is the weakest link.
    > >

    >
    > agreed, thanks... I'll set it up to use cookies...
    >


    Please enlighten me as to how the use of cookies will make your scripts any
    more secure? If you really understood what they are how they work, you'd
    know that they provide *no security* in and of themselves.

    Matt
     
    Matt Garrish, May 4, 2004
    #18
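What Matt is getting at, as an added example (not from the thread or from auth.pl): a cookie is only a string the client sends back, so it proves nothing unless the server can check it. Here the value is `user|expiry|hmac`, signed with a secret only the server holds, so an edited or expired value is rejected; the secret, timestamps and user names are constructed for the demo, and a server-side session table keyed by a random token would serve the same purpose.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. A cookie that merely says
# "logged_in=1" is accepted on the client's word alone; one the server signed
# with a secret it alone knows can be verified. $SECRET, the timestamps and
# the user names are constructed for this demo.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: in real use this is a long random value loaded from outside the
# script, never a literal in the source.
my $SECRET = 'demo-secret-replace-with-a-long-random-value';

# Build a cookie value "user|expiry|hmac" that the server can later verify.
sub issue_cookie {
    my ($user, $ttl_seconds, $now) = @_;
    die "user name must not contain '|'\n" if $user =~ /\|/;
    my $payload = "$user|" . ($now + $ttl_seconds);
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without revealing through timing where they differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name if the cookie is intact and unexpired, otherwise undef.
sub verify_cookie {
    my ($cookie, $now) = @_;
    return undef unless defined $cookie;
    my ($user, $expiry, $mac) = split /\|/, $cookie, 3;
    return undef unless defined $mac && $expiry =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$user|$expiry", $SECRET);
    return undef unless constant_time_eq($mac, $expected);   # signature first
    return undef if $now >= $expiry;                          # then freshness
    return $user;
}

my $now     = 1_083_600_000;                       # constructed "current time"
my $good    = issue_cookie('robin', 3600, $now);
my $expired = issue_cookie('robin', 3600, $now - 7200);
(my $altered = $good) =~ s/^robin/admin/;          # name changed, signature not

for my $case (['valid', $good], ['altered', $altered],
              ['expired', $expired], ['bare flag', 'logged_in=1']) {
    my $user = verify_cookie($case->[1], $now);
    printf "%-9s -> %s\n", $case->[0], defined $user ? "accepted as $user" : 'rejected';
}
```

Only the first case is accepted. The cookie itself adds no security; the HMAC check on the server does, and the cookie should additionally be sent with the `Secure` and `HttpOnly` attributes so it only travels over HTTPS and is not readable from page scripts.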
  19. On Mon, 03 May 2004 15:51:38 +0200, Gunnar Hjalmarsson
    <> wrote:

    [important missing line here - my fault!]
    >>>>> $rootfile =~ s/.+\///;

    [snip]
    >> '=~' ne '=';

    >
    >Never snip code that is needed for context. :)


    Sorry, my mistake!


    Michele
    --
    you'll see that it shouldn't be so. AND, the writting as usuall is
    fantastic incompetent. To illustrate, i quote:
    - Xah Lee trolling on clpmisc,
    "perl bug File::Basename and Perl's nature"
     
    Michele Dondi, May 4, 2004
    #19
  20. On Tue, 04 May 2004 09:08:30 +0200, Michele Dondi
    <> wrote:

    >[important missing line here - my fault!]
    >>>>>> $rootfile =~ s/.+\///;

    >[snip]
    >>> '=~' ne '=';

    >>
    >>Never snip code that is needed for context. :)


    To be fair, what the OP was actually doing was so utterly nonsensical
    that I misread his two lines of code myself thus:

    OP:
    | my $rootfile =
    | $rootfile =~ s/.+\///;

    I read:
    | my $rootfile;
    | $rootfile =~ s/.+\///;

    and somebody using one of those ESP::* modules may well have written
    this to me:

    '=' ne ';'


    Michele
    --
    you'll see that it shouldn't be so. AND, the writting as usuall is
    fantastic incompetent. To illustrate, i quote:
    - Xah Lee trolling on clpmisc,
    "perl bug File::Basename and Perl's nature"
     
    Michele Dondi, May 4, 2004
    #20