need help with security


Mark Clements

Robin said:
> Someone posted an unauthorized post to my blog, if someone has time...could
> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
> point out the security problems??

quick read (can't be arsed to consider the security problems):

my $rootfile =
$rootfile =~ s/.+\///;

what is this supposed to be doing?

my @blogposts;
@blogposts = getposts ();

why is this two lines?

perltidy is still your friend. Please use it.

$mon++;
$year +=1900;

why are you doing this? There are many fine CPAN modules that handle
dates without such jiggery-pokery.

open (BLOG, $blogfile) or push (@errors, "An error occured:
couldn't open blog file.");

why are you using files when your needs would be much better served with
a proper database?


open (COUNT, ">$countfile") or push (@errors, "An error occured during
posting: couldn't open count file.");
flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
posting: couldn't lock count file.");

your open fails and you save the error (but not $!, which would tell you
what the error is), yet you still continue to the flock. why?


why are you printing html directly from perl? *please* look at (and
understand, and use) templating solutions.

Mark
 

Sam Holden

> quick read (can't be arsed to consider the security problems):
>
> my $rootfile =
> $rootfile =~ s/.+\///;
>
> what is this supposed to be doing?

Delete everything other than the filename (ie. getting the basename
of a path). Of course it doesn't work for paths containing newlines.

It also should use something other than /, such as s!.+/!!... or
even better File::Basename.

> why are you using files when your needs would be much better served with
> a proper database?

How are files not a "proper" database?
 

Robin

Mark Clements said:
> quick read (can't be arsed to consider the security problems):
>
> my $rootfile =
> $rootfile =~ s/.+\///;
>
> what is this supposed to be doing?

I posted the new one. Look again.

> my @blogposts;
> @blogposts = getposts ();
>
> why is this two lines?

heheh...I dunno. Sorry.

> perltidy is still your friend. Please use it.

Ok. I'll check it out.

> $mon++;
> $year +=1900;
>
> why are you doing this? There are many fine CPAN modules that handle
> dates without such jiggery-pokery.

well, I tend to use as few modules as possible so that someone can install
the script on their server without having to download a lot of modules.

> open (BLOG, $blogfile) or push (@errors, "An error occured:
> couldn't open blog file.");
>
> why are you using files when your needs would be much better served with
> a proper database?
>
> open (COUNT, ">$countfile") or push (@errors, "An error occured during
> posting: couldn't open count file.");
> flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
> posting: couldn't lock count file.");
>
> your open fails and you save the error (but not $!, which would tell you
> what the error is), yet you still continue to the flock. why?

If the open fails, the flock will fail so why not try it and then the error
output will come into play. With the new one it does include $!.

> why are you printing html directly from perl? *please* look at (and
> understand, and use) templating solutions.

Like I said b4 I'd rather not use too many modules that aren't installed on
everyone's server.

-Robin
 

Robin

sorry to post a script that wouldn't compile, I actually posted the one in
progress without checking if it would work, that was completely my mistake.
now it runs - www.infusedlight.net/robin/temp/blog.txt - and the auth script
source code is www.infusedlight.net/robin/temp/auth.txt
Sorry about my formatting, I use an editor that screws it all up. I'll use
perltidy next time.

Gnari, thanks. Was that you who hacked it? I don't care really, but how
would you be able to get the auth.pl password from my old search script? see
the previous post, "free source search engine...etc"

-Robin
 

Anno Siegel

Robin said:
> sorry to post a script that wouldn't compile, I actually posted the one in
> progress without checking if it would work, that was completely my mistake.

Yes, it is, and you're making too many of them. Dumping one sloppy
post after the other to the group is just rude. Stop it!

Anno
 

Joe Smith

Robin said:
> well, I tend to use as few modules as possible so that someone can install
> the script on their server without having to download a lot of modules.

With that design, your script will not have much in terms of functionality.
The end result will be more of a toy than a production-quality program.

It probably doesn't matter much; I doubt that more than a handful of
people will ever be using it.
-Joe
 

Mark Clements

Sam said:
> Delete everything other than the filename (ie. getting the basename
> of a path). Of course it doesn't work for paths containing newlines.

s/// returns the number of substitutions, though in this case since /g
isn't specified it will only ever return 0 or 1, so $rootfile is set to
0 or 1.

> How are files not a "proper" database?

OK - you can do it that way but using an RDBMS of some description has
many advantages over reading and writing files directly.

Mark
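Both points above (Sam's newline caveat and Mark's note that s/// returns a count) are easy to see side by side. The script below is an added illustration and is not the OP's blog.txt or anything posted in the thread; the sample paths are constructed, and `op_style` only reproduces the shape of the OP's two lines (assigning the result of s/// to a new variable), since the original's right-hand `$rootfile` would not even compile under `use strict`.

```perl
#!/usr/bin/perl
# Added illustration; not the OP's blog.txt. Sample paths are constructed.
use strict;
use warnings;
use File::Basename qw(basename);

# The OP's construct: s/// returns how many substitutions it made (1 here,
# or the empty string when nothing matched), and that return value, not the
# edited path, is what ends up in the new variable.
sub op_style {
    my ($path) = @_;
    my $rootfile = $path =~ s/.+\///;   # assigns the match count, not the name
    return $rootfile;
}

# The regex approach with Sam's '!' delimiter; the edited copy is kept.
# '.' never matches a newline, so an embedded newline stops the match early.
sub regex_basename {
    my ($path) = @_;
    (my $name = $path) =~ s!.+/!!;
    return $name;
}

# The core-module approach: File::Basename splits on the last '/', newline
# or not, and ships with Perl, so it costs the OP no extra install.
sub module_basename {
    my ($path) = @_;
    return basename($path);
}

# Make embedded newlines visible when printing.
sub show { (my $s = shift) =~ s/\n/\\n/g; return "'$s'"; }

for my $p ("/var/www/robin/blog.txt", "blog.txt", "/tmp/evil\n/../blog.txt") {
    print "path      ", show($p), "\n";
    print "  op      ", show(op_style($p)), "\n";
    print "  regex   ", show(regex_basename($p)), "\n";
    print "  module  ", show(module_basename($p)), "\n";
}
```

Run it and compare the three lines per path: the OP-style value is never a file name, the regex keeps everything after the newline for the third path, and `basename` returns the final component in every case.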
 

Michele Dondi

> s/// returns the number of substitutions, though in this case since /g
> isn't specified it will only ever return 0 or 1, so $rootfile is set to
> 0 or 1.

Huh?!?

'=~' ne '=';


Michele
 

Paul Lalli

> Huh?!?
>
> '=~' ne '=';

You clipped the important part. The original was:

He's assigning the result of the substitution back to the original
variable.

Paul Lalli
 

Juha Laiho

Robin said:
> If the open fails, the flock will fail so why not try it and then the error
> output will come into play. With the new one it does include $!.

(didn't bother to read the original code, so just commenting on the above,
and speculating beyond it)

If the open fails, how much of anything useful will your script do beyond
the point quoted above? If this file is some kind of counter telling
how many entries there are in your blog, then you cannot allow the
actual article to be written either, if writing the count fails -- so
apparently there's not much useful the script can do if the count fails -
more or less all it can do is generate several error messages instead of
one.
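The pattern Juha and Mark are describing, stop at the first failure and keep `$!`, looks like this in practice. This is an added example, not the OP's code; the counter file path is a constructed sample, and the calling script is assumed to treat an undefined return as "do not write the post".

```perl
#!/usr/bin/perl
# Added illustration; not the OP's script. File names are constructed samples.
use strict;
use warnings;
use Fcntl qw(:flock);

# Increment the post counter under an exclusive lock. Returns the new count,
# or returns undef after recording exactly one error (with $!) in @$errors.
# A caller that gets undef must not go on to write the post.
sub bump_count {
    my ($countfile, $errors) = @_;

    # '+<' opens for read and write without truncating. The OP's '>' empties
    # the file at open() time, before flock() has a chance to fail.
    open(my $fh, '+<', $countfile)
        or do { push @$errors, "couldn't open count file '$countfile': $!"; return };

    flock($fh, LOCK_EX)
        or do { push @$errors, "couldn't lock count file '$countfile': $!"; return };

    # Read the old value; anything that is not a plain integer counts as 0.
    my $line = <$fh>;
    my $n = (defined $line && $line =~ /^(\d+)\s*$/) ? $1 : 0;
    $n++;

    # Rewind, clear the old value and write the new one; any failure is
    # reported once and stops the caller.
    seek($fh, 0, 0)    or do { push @$errors, "seek failed: $!";     return };
    truncate($fh, 0)   or do { push @$errors, "truncate failed: $!"; return };
    print {$fh} "$n\n" or do { push @$errors, "write failed: $!";    return };
    close($fh)         or do { push @$errors, "close failed: $!";    return };  # close also releases the lock
    return $n;
}

my $file = "/tmp/blog-count-example.txt";   # constructed sample path

# Create the demo file once so '+<' has something to open.
unless (-e $file) {
    open(my $init, '>', $file) or die "cannot create $file: $!";
    print {$init} "0\n";
    close($init) or die "cannot close $file: $!";
}

my @errors;
my $n = bump_count($file, \@errors);
if (defined $n) {
    print "count is now $n; safe to write the post\n";
} else {
    print "posting aborted: $_\n" for @errors;
}

# An unopenable path produces one message that says why, not a cascade.
@errors = ();
unless (defined bump_count("/nonexistent/dir/count.txt", \@errors)) {
    print "posting aborted: $_\n" for @errors;
}
```

The second call shows the difference from the OP's version: one error line naming the file and the reason from `$!`, and no attempt to lock, write or post after the open has already failed.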
 

Juha Laiho

Robin said:
> Sorry about my formatting, I use an editor that screws it all up.

I think it was suggested already, but wouldn't it be time to switch to some
other editor then? User-unfriendliness and proper indentation are not
contradictory features in an editor - you can apparently have both in
one editor (though the editor I tend to use isn't famed for its
user-friendliness, so I'm not going to recommend it here).
 

Tore Aursand

> Sorry about my formatting, I use an editor that screws it all up. I'll
> use perltidy next time.

Maybe it's just me, but didn't you promise to do that _days_ ago?! You
never learn, do you? You know why? You don't _want_ to learn.
 

Matt Garrish

Robin said:
> agreed, thanks... I'll set it up to use cookies...

Please enlighten me as to how the use of cookies will make your scripts any
more secure? If you really understood what they are and how they work, you'd
know that they provide *no security* in and of themselves.

Matt
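Matt's point is that a cookie is just a string the browser sends back, so whatever security there is has to come from the server being able to verify it. The script below is an added example, not the OP's auth script or anything from the thread: it contrasts a flag the client can simply set with a token carrying an HMAC (Digest::SHA is a core module, so it fits Robin's no-extra-modules constraint). The secret, user name and expiry values are all constructed samples.

```perl
#!/usr/bin/perl
# Added illustration; not the OP's auth script. All values are constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret. In a real deployment read it from a file outside the
# web root rather than hard-coding it; this value is a constructed sample.
my $SECRET = 'example-only-secret-change-me';

# What NOT to trust: a flag that the client can set itself.
sub naive_is_admin {
    my ($cookie_value) = @_;          # e.g. the string "admin=1"
    return $cookie_value eq 'admin=1';
}

# Issue a token the server can later verify: user|expiry|HMAC(user|expiry).
sub issue_token {
    my ($user, $expires) = @_;
    my $payload = "$user|$expires";
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Verify a token: recompute the HMAC over the claimed payload, compare it in
# constant time, then check expiry. Returns the user name or undef.
sub verify_token {
    my ($token, $now) = @_;
    my ($user, $expires, $mac) = split /\|/, $token, 3;
    return unless defined $mac && $expires =~ /^\d+$/;

    my $expected = hmac_sha256_hex("$user|$expires", $SECRET);
    return if length($mac) != length($expected);

    # XOR every byte and OR the results so the loop always runs to the end.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return if $diff;

    return if $now > $expires;
    return $user;
}

my $now = time;

# The naive check accepts a value anyone can type into their cookie jar.
print "naive check, client-supplied cookie: ",
      (naive_is_admin('admin=1') ? "ADMIN" : "no"), "\n";

# The HMAC check accepts only what this server issued, and only until expiry.
my $token = issue_token('robin', $now + 3600);
print "valid token    -> ", (verify_token($token, $now) // 'rejected'), "\n";

(my $edited = $token) =~ s/^robin/admin/;    # payload changed, MAC no longer matches
print "edited token   -> ", (verify_token($edited, $now) // 'rejected'), "\n";

my $old = issue_token('robin', $now - 1);     # genuine but past its expiry
print "expired token  -> ", (verify_token($old, $now) // 'rejected'), "\n";
```

The cookie mechanism is identical in both halves; the difference is entirely in whether the server can tell its own token from one the client made up. A signed token like this still needs to be sent over HTTPS and marked HttpOnly, since the HMAC proves origin, not confidentiality.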
 

Michele Dondi

> [important missing line here - my fault!]
> $rootfile =~ s/.+\///; [snip]
> '=~' ne '=';

Never snip code that is needed for context. :)

To be fair, what the OP was actually doing was so utterly nonsensical
that I misread his two lines of code myself thus:

OP:
| my $rootfile =
| $rootfile =~ s/.+\///;

I read:
| my $rootfile;
| $rootfile =~ s/.+\///;

and somebody using one of those ESP::* modules may well have written
this to me:

'=' ne ';'


Michele
 