bbs problem

what I'm trying to do is get this bbs.cgi to work better. So when someone
types in spaces as their name it will work to reply to them and on the
"Reply to..." screen will actually stop showing the %A or whatever it is,
what is that btw? Any help would be great.

#!/usr/bin/perl

#bbs v.1.1.4

#Copyright Robin - robin@csf.edu

require ('lib.cgi');
&data_cgivars;
$" = "";
$, = "";

&begin;
if ($PARAMS{'action'} eq "reply" && $PARAMS{'name'} ne "" && $PARAMS{'name'}
ne "post")
 { &reply; exit; }
if ($PARAMS{'action'} eq "replied")
 { &reply; &post (1); }
&post;

sub begin
 {
 mkdir ("BBSFILES/", 0755) if (! -e "BBSFILES/");
 }

sub post
 {
 my ($action) = @_;
 if ($action)
  {
  &mainoutput ("Your reply has been posted");
  exit;
  }

 if ($FORM{'submit'})
  {
  if ($FORM{'name'} && $FORM{'email'} && $FORM{'post'} && $FORM{'name1'} !~
/\./ && $FORM{'name'} !~ /<.*>/ && $FORM{'email'} !~ /<.*>/ && $FORM{'post'}
!~ /<.*>/ && $FORM{'name'} !~ /^\s*$/ && $FORM{'email'} !~ /^\s*$/ &&
$FORM{'post'} !~ /^\s*$/)
   {
   if (-e "BBSFILES/$FORM{'name'}.post")
    {
    &mainoutput ("Name already in use.");
    exit;
    }
   open (DBASE, ">>dbase.txt");
   print DBASE ("$FORM{'name'}\n");
   close (DBASE);
   open (POSTFILE, ">>BBSFILES/$FORM{'name'}.post");
   print POSTFILE ("Name - $FORM{'name'}<br>Email - $FORM{'email'}<br>Post -
<br>$FORM{'post'}<br>[ <a
href=\"$0?action=reply&name=$FORM{'name'}\">Reply</a> ]<br><br>\n");
   close (POSTFILE);
   &mainoutput ("Your post has been posted");
   }
  else
   {
   &mainoutput  ("Error! You did not fill out all of the fields or you used
HTML tags which are invalid for this system or you used a period on your
name field which is also invalid. Please try again.");
   }
  }
 elsif (! $FORM{'submit'})
  {
  &mainoutput ("Welcome to the BBS");
  }

 }

sub reply
 {
 if ($FORM{'submit1'})
  {
  if ($FORM{'name1'} && $FORM{'email1'} && $FORM{'post1'} && $FORM{'name1'}
!~ /\./ && $FORM{'name1'} !~ /<.*>/ && $FORM{'email1'} !~ /<.*>/ &&
$FORM{'post1'} !~ /<.*>/ && $FORM{'name1'} !~ /^\s*$/ && $FORM{'email1'} !~
/^\s*$/ && $FORM{'post1'} !~ /^\s*$/)
   {
   if (-e "BBSFILES/$FORM{'name1'}.$PARAMS{'name'}")
    {
    print ("Content-type:text/html\n\n");
    print ("Name already in use.");
    exit;
    }
   open (POSTFILE, ">>BBSFILES/$FORM{'name1'}.$PARAMS{'name'}");
   print POSTFILE ("<BLOCKQUOTE>Name - $FORM{'name1'}<br>Email -
$FORM{'email1'}<br>Post - <br>$FORM{'post1'}<br></BLOCKQUOTE>\n");
   close (POSTFILE);
   }
  else
   {
   print ("Content-type:text/html\n\n");
   print ("Error! You did not fill out all of the fields or you used HTML
tags which are invalid for this system or you used a period on your name
field which is also invalid. Please try again.");
   exit;
   }
  }
 else
  {
  &replyoutput ("Reply to $PARAMS{'name'}");
  exit;
  }

 sub replyoutput
  {
   my ($replyoutput) = @_;
   print ("Content-type:text/html\n\n");
   print <<END;
 <html><body>
 <b>BBS</b> - $replyoutput
 <form name="form2" method="post"
action="$0?action=replied&name=$PARAMS{'name'}">
   <p>Name:
     <br>
     <input name="name1" type="text" id="name">
   </p>
   <p>Email:
      <br>
      <input name="email1" type="text" id="email">
 </p>
   <p>Your Post:</p>
   <p>
     <textarea name="post1" cols="30" rows="6" id="post"></textarea>
 </p>
     <input name="submit1" type="submit" id="submit" value="Submit">
     <input type="reset" name="Submit2" value="Reset">
 </form>
 <hr>
 </body></html>
END
  }
 }

sub mainoutput
{
my ($output) = @_;
print ("Content-type:text/html\n\n");
print <<END;
<html><body>
<b>BBS</b> - $output
<form name="form1" method="post" action="bbs.cgi">
  <p>Name:
    <br>
    <input name="name" type="text" id="name">
  </p>
  <p>Email:
     <br>
     <input name="email" type="text" id="email">
</p>
  <p>Your Post:</p>
  <p>
    <textarea name="post" cols="30" rows="6" id="post"></textarea>
</p>
  <p>
    <input name="submit" type="submit" id="submit" value="Submit">
    <input type="reset" name="Submit2" value="Reset">
</p>
</form>
<p><hr></p>
<b>Current Posts - Most recent are on bottom:</b><br><br>
END
opendir (BBSFILES, "BBSFILES/");
@files = readdir (BBSFILES);
closedir (BBSFILES);
chomp (@files);
foreach $tmp (@files)
 {
 if ($tmp ne "." && $tmp ne "..")
  {
  open (FILE, "BBSFILES/$tmp") || die "can't open file $!.";
  @file = <FILE>;
  close (FILE);
  @file2 = split (/\./, $tmp);
  #print @file2;
  if ($file2[1] eq "post")
   {
   opendir (BBSFILES, "BBSFILES/");
   @files1 = readdir (BBSFILES);
   closedir (BBSFILES);
   chomp (@files1);
   print (@file);
   print ("<b>Replies:</b><BR><br>");
   foreach $tmp2 (@files1)
    {
    open (FILE, "BBSFILES/$tmp2") || die "can't open file $!.";
    @secfile = <FILE>;
    close (FILE);
    @secfilesecs = split (/\./, $tmp2);
    #print @secfilesecs;
    if ($secfilesecs[1] eq $file2[0])
     {
     print (@secfile);
     }
    else
     {
     next;
     }
    }
   }
   else
    {
    next;
    }
  }
 }
print ("</body></html>");
}

--
Regards,
Robin
--
robin@csf.edu
--



0
robin68 (3)
1/20/2004 7:43:32 PM
comp.lang.perl.misc

%A's meaning the representation of spaces when it transfers through http -
I still dunno what those are. ASCII chars?

Peace,
RObin


0
Robin
1/20/2004 7:51:44 PM
"Robin" <robin@csf.edu> wrote in news:buk1a9$jin$1@reader2.nmix.net:

> what I'm trying to do is get this bbs.cgi to work better. So when
> someone types in spaces as their name it will work to reply to them
> and on the "Reply to..." screen will actually stop showing the %A or
> whatever it is, what is that btw? Any help would be great.
> 
> #!/usr/bin/perl
> 
> #bbs v.1.1.4
> 
> #Copyright Robin - robin@csf.edu

Copyright is a legal concept with which you are not familiar I am afraid.

> require ('lib.cgi');
> &data_cgivars;
> $" = "";
> $, = "";

This is obviously not your code. You have just started learning Perl, yet 
your code looks the same as a variety of other junk that has been out 
there for 10 years.

#! /usr/bin/perl -T

use warnings;
use strict;

use CGI;
my $q = CGI->new();

$CGI::POST_MAX=1024 * 100;  # max 100K posts
$CGI::DISABLE_UPLOADS = 1;  # no uploads

Take it from here ...

Sinan.
-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/20/2004 8:05:39 PM
> > require ('lib.cgi');
> > &data_cgivars;
> > $" = "";
> > $, = "";
>
> This is obviously not your code. You have just started learning Perl, yet
> your code looks the same as a variety of other junk that has been out
> there for 10 years.

Actually it is my code...

> use warnings;
> use strict;
>
> use CGI;
> my $q = CGI->new();
>
> $CGI::POST_MAX=1024 * 100;  # max 100K posts
> $CGI::DISABLE_UPLOADS = 1;  # no uploads
>
> Take it from here ...

How would I do this without using cgi?

Thanks,
-Robin


0
Robin
1/20/2004 8:44:34 PM
Also, how would I do this w/ out using CGI.pm

Peace,
-Robin


0
Robin
1/20/2004 8:45:52 PM
>> On Tue, 20 Jan 2004 13:45:52 -0700,
>> "Robin" <robin@csf.edu> said:

> Also, how would I do this w/ out using CGI.pm

Why would you want to hamstring yourself like that?

It's the right solution.
0
Tony
1/20/2004 8:57:59 PM
A. Sinan Unur wrote:
> 
> use CGI;
> my $q = CGI->new();
> 
> $CGI::POST_MAX=1024 * 100;  # max 100K posts
> $CGI::DISABLE_UPLOADS = 1;  # no uploads

Aren't those variables supposed to be set before the CGI object is 
created?

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/20/2004 9:09:40 PM
On Tue, 20 Jan 2004 12:43:32 -0700, Robin <robin@csf.edu> wrote:
> what I'm trying to do is get this bbs.cgi to work better. So when someone
> types in spaces as their name it will work to reply to them and on the
> "Reply to..." screen will actually stop showing the %A or whatever it is,
> what is that btw? Any help would be great.
> 
> #!/usr/bin/perl

use strict;
use warnings;

0
John
1/20/2004 9:19:08 PM
Robin <robin@csf.edu> wrote:

>> use warnings;
>> use strict;
>>
>> use CGI;


> How would I do this without using cgi?


Why do you think that you want to do it without using CGI.pm?


-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas
0
Tad
1/20/2004 9:54:17 PM
Robin wrote:

> How would I do this without using cgi?

You wouldn't, if you want your code to parse the input correctly.

0
Scott
1/20/2004 9:55:59 PM
Gunnar Hjalmarsson <noreply@gunnar.cc> wrote in news:buk5g7$igfhp$1@ID-
184292.news.uni-berlin.de:

> A. Sinan Unur wrote:
>> 
>> use CGI;
>> my $q = CGI->new();
>> 
>> $CGI::POST_MAX=1024 * 100;  # max 100K posts
>> $CGI::DISABLE_UPLOADS = 1;  # no uploads
> 
> Aren't those variables supposed to be set before the CGI object is 
> created?

Yes. Thank you very much for the correction.

Sinan.

-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/20/2004 10:28:53 PM
On Tue, 20 Jan 2004 13:45:52 -0700, Robin wrote:
> Also, how would I do this w/ out using CGI.pm

You would write your own CGI.pm equivalent from scratch.

The existing module is the robust and complete result of several years
of effort from many different people.  As I see it, you have two means
to achieve the same level of quality in your own version:

1. Start reading CGI specifications and writing code.
   You've got a lot of catching up to do.

2.

  package Robin::CGI;

  use base qw(CGI);

  1;

:)

-- 
Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
0
Rocco
1/20/2004 10:54:32 PM
Here's what it looks like now, why isn't it printing it to the files...?

Thanks,
-Robin

#!/usr/bin/perl

#bbs v.1.1.4

$CGI::POST_MAX=1024 * 100;  # max 100K posts
$CGI::DISABLE_UPLOADS = 1;  # no uploads
use CGI qw(:standard);
require ('lib.cgi');
&data_cgivars;
$" = "";
$, = "";

&begin;
if ($PARAMS{'action'} eq "reply" && $PARAMS{'name'} ne "" && $PARAMS{'name'}
ne "post")
 { &reply; exit; }
if ($PARAMS{'action'} eq "replied")
 { &reply; &post (1); }
&post;

sub begin
 {
 mkdir ("BBSFILES/", 0755) if (! -e "BBSFILES/");
 }

sub post
 {
 my ($action) = @_;
 if ($action)
  {
  &mainoutput ("Your reply has been posted");
  exit;
  }

 if (param('submit'))
  {
  if (param('name') && param('email') && param('post') && param('name1') !~
/\./ && param('name') !~ /<.*>/ && param('email') !~ /<.*>/ && param('post')
!~ /<.*>/ && param('name') !~ /^\s*$/ && param('email') !~ /^\s*$/ &&
param('post') !~ /^\s*$/)
   {
   if (-e "BBSFILES/" . param('name') . ".post")
    {
    &mainoutput ("Name already in use.");
    exit;
    }
   #open (DBASE, ">>dbase.txt");
   #print DBASE ("param{'name'}\n");
   #close (DBASE);
   open (POSTFILE, ">>BBSFILES/" . param('name') . ".post");
   print POSTFILE ("Name - ", param('name') ,"<br>Email -
",param('email'),"<br>Post - <br>", param('post') ,"<br>[ <a
href=\"$0?action=reply&name=", param('name'),"\">Reply</a> ]<br><br>\n");
   close (POSTFILE);
   &mainoutput ("Your post has been posted");
   }
  else
   {
   &mainoutput  ("Error! You did not fill out all of the fields or you used
HTML tags which are invalid for this system or you used a period on your
name field which is also invalid. Please try again.");
   }
  }
 elsif (! param('submit'))
  {
  &mainoutput ("Welcome to the BBS");
  }

 }

sub reply
 {
 if (param('submit1'))
  {
  if (param('name1') && param('email1') && param('post1') && param('name1')
!~ /\./ && param('name1') !~ /<.*>/ && param('email1') !~ /<.*>/ &&
param('post1') !~ /<.*>/ && param('name1') !~ /^\s*$/ && param('email1') !~
/^\s*$/ && param('post1') !~ /^\s*$/)
   {
   if (-e "BBSFILES/" . param('name1') . ".$PARAMS{'name'}")
    {
    print ("Content-type:text/html\n\n");
    print ("Name already in use.");
    exit;
    }
   open (POSTFILE, ">>BBSFILES/" . param('name1') . ".$PARAMS{'name'}");
   print POSTFILE ("<BLOCKQUOTE>Name - ", param('name1'), "<br>Email - ",
param('email1'), "<br>Post - <br>", param('post1'), "<br></BLOCKQUOTE>\n");
   close (POSTFILE);
   }
  else
   {
   print ("Content-type:text/html\n\n");
   print ("Error! You did not fill out all of the fields or you used HTML
tags which are invalid for this system or you used a period on your name
field which is also invalid. Please try again.");
   exit;
   }
  }
 else
  {
  &replyoutput ("Reply to $PARAMS{'name'}");
  exit;
  }

 sub replyoutput
  {
   my ($replyoutput) = @_;
   print ("Content-type:text/html\n\n");
   print <<END;
 <html><body>
 <b>BBS</b> - $replyoutput
 <form name="form2" method="post"
action="$0?action=replied&name=$PARAMS{'name'}">
   <p>Name:
     <br>
     <input name="name1" type="text" id="name">
   </p>
   <p>Email:
      <br>
      <input name="email1" type="text" id="email">
 </p>
   <p>Your Post:</p>
   <p>
     <textarea name="post1" cols="30" rows="6" id="post"></textarea>
 </p>
     <input name="submit1" type="submit" id="submit" value="Submit">
     <input type="reset" name="Submit2" value="Reset">
 </form>
 <hr>
 </body></html>
END
  }
 }

sub mainoutput
{
my ($output) = @_;
print ("Content-type:text/html\n\n");
print <<END;
<html><body>
<b>BBS</b> - $output
<form name="form1" method="post" action="bbs.cgi">
  <p>Name:
    <br>
    <input name="name" type="text" id="name">
  </p>
  <p>Email:
     <br>
     <input name="email" type="text" id="email">
</p>
  <p>Your Post:</p>
  <p>
    <textarea name="post" cols="30" rows="6" id="post"></textarea>
</p>
  <p>
    <input name="submit" type="submit" id="submit" value="Submit">
    <input type="reset" name="Submit2" value="Reset">
</p>
</form>
<p><hr></p>
<b>Current Posts - Most recent are on bottom:</b><br><br>
END
opendir (BBSFILES, "BBSFILES/");
@files = readdir (BBSFILES);
closedir (BBSFILES);
chomp (@files);
foreach $tmp (@files)
 {
 if ($tmp ne "." && $tmp ne "..")
  {
  open (FILE, "BBSFILES/$tmp") || die "can't open file $!.";
  @file = <FILE>;
  close (FILE);
  @file2 = split (/\./, $tmp);
  #print @file2;
  if ($file2[1] eq "post")
   {
   opendir (BBSFILES, "BBSFILES/");
   @files1 = readdir (BBSFILES);
   closedir (BBSFILES);
   chomp (@files1);
   print (@file);
   print ("<b>Replies:</b><BR><br>");
   foreach $tmp2 (@files1)
    {
    open (FILE, "BBSFILES/$tmp2") || die "can't open file $!.";
    @secfile = <FILE>;
    close (FILE);
    @secfilesecs = split (/\./, $tmp2);
    #print @secfilesecs;
    if ($secfilesecs[1] eq $file2[0])
     {
     print (@secfile);
     }
    else
     {
     next;
     }
    }
   }
   else
    {
    next;
    }
  }
 }
print ("</body></html>");
}



0
Robin
1/20/2004 11:35:50 PM
Robin wrote:
> 
> $CGI::POST_MAX=1024 * 100;  # max 100K posts
> $CGI::DISABLE_UPLOADS = 1;  # no uploads
> use CGI qw(:standard);
> require ('lib.cgi');
> &data_cgivars;

Why don't you just drop this programming thing and start collecting 
stamps or something instead.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/20/2004 11:42:11 PM
> Why don't you just drop this programming thing and start collecting
> stamps or something instead.
 ooh, stamps... haha, so do u know why it's not printing to the files?
-Robin


0
Robin
1/20/2004 11:48:46 PM
In article <buk1a9$jin$1@reader2.nmix.net>, Robin <robin@csf.edu> wrote:
:what I'm trying to do is get this bbs.cgi to work better.

:&begin;

Is there something restricting you to Perl4? Your style is archaic,
and if that is because of an external constraint then we need to 
know that before we recommend code changes.
-- 
Strange but true: there are entire WWW pages devoted to listing
programs designed to obfuscate HTML.
0
roberson
1/20/2004 11:59:53 PM
Robin wrote:
>> Why don't you just drop this programming thing and start
>> collecting stamps or something instead.
> 
> ooh, stamps... haha, so do u know why it's not printing to the
> files?

No, but I suppose there are quite a few reasons. The script should
better be completely rewritten, and I have no interest in doing that.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/21/2004 12:04:04 AM
In article <buketp$no6$1@reader2.nmix.net>, Robin <robin@csf.edu> wrote:
:Here's what it looks like now, why isn't it printing it to the files...?

:if ($PARAMS{'action'} eq "reply" && $PARAMS{'name'} ne "" && $PARAMS{'name'}

: if (param('submit'))

Where is param() defined, and why do you sometimes use param() and
sometimes use $PARAMS{} ?

:   open (POSTFILE, ">>BBSFILES/" . param('name') . ".post");

You never test to see if your opens are successful. Could be for
any of a number of reasons. 
-- 
"Meme" is self-referential; memes exist if and only if the "meme" meme
exists. "Meme" is thus logically a meta-meme; but until the existence
of meta-memes is more widely recognized, "meta-meme" is not a meme.
   -- A Child's Garden Of Memes
0
roberson
1/21/2004 12:06:07 AM
"Robin" <robin@csf.edu> wrote in message
news:buk1pl$job$1@reader2.nmix.net...
> %A's meaning the representation of spaces when it transfers through
> http -
> I still dunno what those are. ASCII chars?
>

Yes, you dolt, both % and A are in the ascii character set...

Matt


0
Matt
1/21/2004 12:37:16 AM
Robin wrote:
> why isn't it printing it to the files...?

<snip>


>    #open (DBASE, ">>dbase.txt");
>    #print DBASE ("param{'name'}\n");
>    #close (DBASE);

Because you told it not to?

0
Scott
1/21/2004 12:56:17 AM
In article <buk1pl$job$1@reader2.nmix.net>, Robin <robin@csf.edu> wrote:
:%A's meaning the representation of spaces when it transfers through http -
:I still dunno what those are. ASCII chars?

Ah, I think I understand. It's probably not %A, it is probably %0A
which is the encoded representation of linefeed... used by many
systems to indicate newline. Is the appropriate layer doing a
chomp() on the input lines?
-- 
The Knights Of The Lambda Calculus aren't dead --this is their normal form!
0
roberson
1/21/2004 1:05:13 AM
In article <buk1a9$jin$1@reader2.nmix.net> you write:
:what I'm trying to do is get this bbs.cgi to work better.

I do not see at the moment how you are protecting against the
possibility that someone might deliberately include html in their
posting. You seem to take in whatever the user sent, and output it
directly. So if someone puts in <blink>Hi, mom!</blink> then you'd
output exactly that and the browsers are going to react to it.
Even if it's javascript or if the user included </form> and
started a new <form> and so on.

:  if ($FORM{'name'} && $FORM{'email'} && $FORM{'post'} && $FORM{'name1'} !~
:/\./ && $FORM{'name'} !~ /<.*>/ && $FORM{'email'} !~ /<.*>/ && $FORM{'post'}
:!~ /<.*>/ && $FORM{'name'} !~ /^\s*$/ && $FORM{'email'} !~ /^\s*$/ &&
:$FORM{'post'} !~ /^\s*$/)

I see there that you do match $FORM{'post'} against /<.*>/ but
that is not going to work if the string has embedded newlines.
You would need /<.*>/s for that case. (The s modifier is not
available in perl4 though.)

Are the contents already encoded, newlines represented as %0A or
something like that? If so then are the < and > characters being
encoded as well? If they are then those pattern matches are
going to be redundant. And if they are, your matches on the name
fields before constructing the storage file name are going to
be missing some cases too.
-- 
   "There are three kinds of lies: lies, damn lies, and statistics."
   -- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
0
roberson
1/21/2004 1:46:37 AM
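To make the two points in the replies above concrete (that the "%A" Robin sees is almost certainly %0A, the URL-encoded newline, and that /<.*>/ without the /s modifier cannot see a tag whose text is split across lines), here is an added Perl script that is not part of anyone's post in this thread. The url_decode() routine stands in for whatever the unseen lib.cgi does, and the encoded sample input is constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal application/x-www-form-urlencoded decoder of the kind a
# home-grown lib.cgi contains (constructed for this example; CGI.pm
# does this for you and should be preferred).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;                                  # '+' encodes a space
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;      # %0A -> "\n", %3C -> "<"
    return $s;
}

# The check used in the original script: without /s, '.' never matches "\n".
sub has_tag_naive  { my ($s) = @_; return $s =~ /<.*>/  ? 1 : 0 }

# The same check with /s, so '.' can span an embedded newline.
sub has_tag_dotall { my ($s) = @_; return $s =~ /<.*>/s ? 1 : 0 }

# Constructed sample of what a browser sends for a textarea containing a
# single tag whose attributes continue on the next line.
my $raw = 'Hello+%3Cb%0Aclass%3D%22big%22%3Ethere';

my $decoded = url_decode($raw);
(my $shown = $decoded) =~ s/\n/\\n/g;
print "decoded text: $shown\n";

# 1. Matching the still-encoded string finds nothing: '<' is still '%3C'.
print "naive check, raw text:      ", has_tag_naive($raw),      "\n";
# 2. After decoding, but without /s, the tag split across lines is missed.
print "naive check, decoded text:  ", has_tag_naive($decoded),  "\n";
# 3. Decode first, then match with /s, and the tag is found.
print "dotall check, decoded text: ", has_tag_dotall($decoded), "\n";
```

Run as-is, the three checks print 0, 0 and 1: the pattern has to be applied after decoding, and with /s, before it rejects anything. Even then, pattern-rejecting input is the fragile approach; entity-encoding everything user-supplied at output time (CGI.pm's escapeHTML) is what actually keeps markup inert.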
On Tue, 20 Jan 2004 16:35:50 -0700, Robin <robin@csf.edu> wrote:
> Here's what it looks like now, why isn't it printing it to the files...?
> 
> Thanks,
> -Robin
> 
> #!/usr/bin/perl

#!/usr/bin/perl -T
use strict;
use warnings;

0
John
1/21/2004 1:52:28 AM
Got it working...thanks for all your great help...

--
Regards,
Robin
--
robin@csf.edu
--


0
Robin
1/21/2004 2:08:31 AM
Robin <robin@csf.edu> wrote:

> Here's what it looks like now, 


> #!/usr/bin/perl

   use warnings;
   use strict;


> &data_cgivars;


Have you been reading the followups to your postings?

If so, then why are you repeating the same mistakes?

If not, then why would we want to bother writing a followup
that will not be read?


-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas
0
Tad
1/21/2004 2:14:37 AM
Robin <robin@csf.edu> wrote:

> Here's what it looks like now,


[ snip 200 lines of code ]


Have you seen the Posting Guidelines that are posted here frequently?


-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas
0
Tad
1/21/2004 2:16:29 AM
>>>>> "R" == Robin  <robin@csf.edu> writes:

  R> Got it working...thanks for all your great help...

got what working? your code had multiple bugs, security loopholes,
redundant cruft (CGI.pm AND lib.cgi???? do you wear a belt and
suspenders?), bad perl code, perl4 type calls, etc.

no one here will use this and given the many (mostly crappy) free bbs
things out there, this will only join that pile and rot away.

uri

-- 
Uri Guttman  ------  uri@stemsystems.com  -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs  ----------------------------  http://jobs.perl.org
0
Uri
1/21/2004 4:04:54 AM
"Uri Guttman" <uri@stemsystems.com> wrote in message
news:x7k73meyl5.fsf@mail.sysarch.com...
> >>>>> "R" == Robin  <robin@csf.edu> writes:
>
>   R> Got it working...thanks for all your great help...
>
> got what working? your code had multiple bugs, security loopholes,
> redundant cruft (CGI.pm AND lib.cgi???? do you wear a belt and
> suspenders?), bad perl code, perl4 type calls, etc.

I'd like to know one of the security holes. Thanks - Robin


0
Robin
1/21/2004 4:14:48 AM
"Robin" <robin@csf.edu> wrote:

: So when someone
: types in spaces as their name it will work to reply to them

What does it do now, instead of "work to reply to them?"

: and on the
: "Reply to..." screen will actually stop showing the %A or whatever it is,

What exactly is "whatever it is?"

: what is that btw? 

It sounds like you could be talking about a URI-escaped string, which
would presumably be taken care of by that mysterious "lib.cgi" the
program require()s.  Is there a reason you're not using CGI.pm for this?

: Any help would be great.

You have not adequately described the problem.  Posting the entire
program accomplished nothing.

No "use warnings;".
No "use strict;".
No checking open() calls for success.
No file locking.
No taint checking.

Ask Perl for help before asking people.

[snip code]
:    open (POSTFILE, ">>BBSFILES/$FORM{'name'}.post");
[snip code]

Opening a file whose name includes a user-specified substring is a very
bad idea.

0
tiltonj
1/21/2004 5:21:58 AM
 > It sounds like you could be talking about a URI-escaped string, which
> would presumably be taken care of by that mysterious "lib.cgi" the
> program require()s.  Is there a reason you're not using CGI.pm for this?
>
> : Any help would be great.
>
> You have not adequately described the problem.  Posting the entire
> program accomplished nothing.
>
> No "use warnings;".
> No "use strict;".
> No checking open() calls for success.
> No file locking.
> No taint checking.
>
> Ask Perl for help before asking people.
>
> [snip code]
> :    open (POSTFILE, ">>BBSFILES/$FORM{'name'}.post");
> [snip code]
>
> Opening a file whose name includes a user-specified substring is a very
> bad idea.

I didn't think of that, hmm...
-Robin


0
Robin
1/21/2004 5:29:08 AM
>>>>> "R" == Robin  <robin@csf.edu> writes:

  R> "Uri Guttman" <uri@stemsystems.com> wrote in message
  R> news:x7k73meyl5.fsf@mail.sysarch.com...
  >> >>>>> "R" == Robin  <robin@csf.edu> writes:
  >> 
  R> Got it working...thanks for all your great help...
  >> 
  >> got what working? your code had multiple bugs, security loopholes,
  >> redundant cruft (CGI.pm AND lib.cgi???? do you wear a belt and
  >> suspenders?), bad perl code, perl4 type calls, etc.

  R> I'd like to know one of the security holes. Thanks - Robin

you wrote it. you don't read perldocs (like the one that covers
security). you don't listen here.

that means security holes.

uri

-- 
Uri Guttman  ------  uri@stemsystems.com  -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs  ----------------------------  http://jobs.perl.org
0
Uri
1/21/2004 5:34:29 AM
> you wrote it. you don't read perldocs (like the one that covers
> security). you don't listen here.
>
> that means security holes.
>
> uri
I started reading the perldocs actually, not to defend myself or anything.


0
Robin
1/21/2004 5:35:09 AM
>>>>> "R" == Robin  <robin@csf.edu> writes:

  R> I started reading the perldocs actually, not to defend myself or
  R> anything.

we told you to do that a long time ago. if you insist on doing
everything a week later, this will deteriorate to an even lower level
thread than i thought possible.

do you realize how much good advice you have been ignoring? we even have
had a couple of testimonials from those who acted the same way a couple
of years ago and who have come to see the light of good perl
hacking. you claim you want to learn (and stop trying to teach/help. you
can't do that yet) but you don't do any learning stuff. have you read
the ENTIRE FAQ yet? that is the first thing you should do. read it ALL
and i mean ALL. skip if you don't understand something but don't ignore
it. you will now see the range of questions asked and answered and can
go back to find them later when you need.

uri

-- 
Uri Guttman  ------  uri@stemsystems.com  -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs  ----------------------------  http://jobs.perl.org
0
Uri
1/21/2004 5:51:55 AM
Gunnar Hjalmarsson wrote:
> A. Sinan Unur wrote:
> 
>>
>> use CGI;
>> my $q = CGI->new();
>>
>> $CGI::POST_MAX=1024 * 100;  # max 100K posts
>> $CGI::DISABLE_UPLOADS = 1;  # no uploads
> 
> 
> Aren't those variables supposed to be set before the CGI object is created?

That should not make any difference since this is class data.

Karlheinz
0
Karlheinz
1/21/2004 8:14:16 AM
Robin <robin@csf.edu> wrote:
> what I'm trying to do is get this bbs.cgi to work better. So when someone
> types in spaces as their name it will work to reply to them and on the
> "Reply to..." screen will actually stop showing the %A or whatever it is,
> what is that btw? Any help would be great.
> 

I would fix the more fundamental problems first if I were you.

Chief among which are:

   * No check on the success of file and directory opens and mkdir()

   * No locking when writing to files

   * Use of unchecked user input to create filenames

   * No entity encoding of user input in HTML output

   * Bad CGI decoding

At least one of these presents a serious security risk and should
preclude the use of the program on a server connected to the internet.

HTH

/J\

0
Jonathan
1/21/2004 9:07:06 AM
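The list above, together with the earlier warning that opening a file whose name includes a user-specified substring is a very bad idea, maps onto a fairly short set of fixes. The following is an added example of how the post-saving path of a script like this one could look with those fixes applied; it is not code from any post in this thread. It keeps the BBSFILES directory and the name/email/post form fields of the original, but the validation rule for names, the _XX filename mapping and the record layout are my choices for the illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();
use Fcntl qw(:flock O_WRONLY O_APPEND O_CREAT);

# Limits must be in place before the first CGI object reads the request.
$CGI::POST_MAX        = 100 * 1024;   # 100K, as in Sinan's suggestion
$CGI::DISABLE_UPLOADS = 1;

my $q      = CGI->new;
my $BBSDIR = 'BBSFILES';              # storage directory from the original script

# Validate and untaint the display name. Spaces are allowed (the original
# question), but the value must be short and built only from characters we
# enumerate. The capture is what lifts the taint under -T; \z instead of $
# so a trailing newline cannot slip through.
sub clean_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9][A-Za-z0-9 _-]{0,31})\z/ ? $1 : undef;
}

# Map a cleaned name onto a filename that can never contain '/', '.', or
# anything else the filesystem interprets: every byte outside [A-Za-z0-9]
# becomes _XX (its hex code), so "a b" -> "a_20b" and "a_b" -> "a_5Fb"
# never collide and the original name is recoverable.
sub name_to_file {
    my ($name) = @_;
    (my $f = $name) =~ s/([^A-Za-z0-9])/sprintf('_%02X', ord $1)/ge;
    return "$f.post";
}

# Append one record under an exclusive lock, checking every step.
sub save_post {
    my ($name, $email, $body) = @_;
    my $path = "$BBSDIR/" . name_to_file($name);
    unless (-d $BBSDIR) {
        mkdir $BBSDIR, 0755 or die "mkdir $BBSDIR: $!";
    }
    sysopen my $fh, $path, O_WRONLY | O_APPEND | O_CREAT, 0644
        or die "open $path: $!";
    flock $fh, LOCK_EX or die "lock $path: $!";
    # Entity-encode everything that came from the user before it is stored
    # as HTML, rather than trying to pattern-match tags out of it.
    print {$fh} join('',
        'Name - ',    CGI::escapeHTML($name),  '<br>',
        'Email - ',   CGI::escapeHTML($email), '<br>',
        'Post - <br>', CGI::escapeHTML($body), '<br><br>', "\n")
        or die "write $path: $!";
    close $fh or die "close $path: $!";
    return $path;
}

if (defined $q->param('submit')) {
    my $name  = clean_name($q->param('name'));
    my $email = $q->param('email');
    my $body  = $q->param('post');
    print $q->header('text/html');
    if (!defined $name || !defined $email || !defined $body
        || $email =~ /\A\s*\z/ || $body =~ /\A\s*\z/) {
        print "Error: please fill in all fields; names may contain only ",
              "letters, digits, spaces, '_' and '-'.\n";
        exit;
    }
    my $path = save_post($name, $email, $body);
    print 'Your post has been saved as ', CGI::escapeHTML($path), "\n";
}
```

Each item on the list is handled in one place: mkdir, sysopen, flock, print and close are all checked; the lock serialises concurrent appends; the only user-derived part of the path is the _XX-mapped name, which cannot contain a path separator or a dot; escapeHTML is applied on the way into the file so nothing the user typed is ever stored as live markup; and CGI.pm does the decoding. Under -T the script refuses to run at all if a tainted value reaches sysopen or mkdir, which is the safety net for the case where someone later "simplifies" clean_name.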
Karlheinz Weindl <karlheinz.weindl@oooonlinehome.de> wrote in
news:bulcgt$4ed$1@online.de: 

> Gunnar Hjalmarsson wrote:
>> A. Sinan Unur wrote:
>> 
>>>
>>> use CGI;
>>> my $q = CGI->new();
>>>
>>> $CGI::POST_MAX=1024 * 100;  # max 100K posts
>>> $CGI::DISABLE_UPLOADS = 1;  # no uploads
>> 
>> 
>> Aren't those variables supposed to be set before the CGI object is
>> created? 
> 
> That should not make any difference since this is class data.

But sir, CGI.pm does the actual reading of the data when the first CGI 
object is created. 

Consider the following script:

#! /usr/bin/perl -T

use warnings;
use strict;

use CGI;
my $q = CGI->new();

$CGI::POST_MAX = 1;
$CGI::DISABLE_UPLOADS = 1;

unless($q->param('submit')) {
    show_form($q);
} else {
    process_form($q);
}

sub show_form {
    my ($q) = @_;
    print $q->header();
    print <<HTML;
<html>
<body>
<form method="post">
<input type="hidden" name="hidden" value="0123456789">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
HTML
}

sub process_form {
    my ($q) = @_;
    print $q->header();
    print <<HTML;
<html>
<body>
<p>Hi</p>
</body>
</html>
HTML
}

__END__

You can try this out at http://www.unur.com/cgi-bin/ctest_after. Then, 
try the version where the limits are set before the first CGI object is 
created at:

http://www.unur.com/cgi-bin/ctest_before

See the difference?

Sinan
-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/21/2004 12:41:30 PM
"A. Sinan Unur" <1usa@llenroc.ude> wrote in 
news:Xns94774E3E6FA5Easu1cornelledu@132.236.56.8:

> You can try this out at http://www.unur.com/cgi-bin/ctest_after.

Actually, you can't. I have had my morning coffee since posting this, and 
realized it is not a good idea to have a publicized vulnerability on my 
site. You don't have to take my word for it though. You can either try out 
the script yourself, or consult the CGI.pm documentation:

<blockquote>
You can use these variables in either of two ways.

1. On a script-by-script basis
Set the variable at the top of the script, right after the ``use'' 
statement: 

</blockquote>

-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/21/2004 1:04:26 PM
Uri Guttman <uri@stemsystems.com> wrote:

>>>>>> "R" == Robin  <robin@csf.edu> writes:
> 
>   R> Got it working...thanks for all your great help...
> 
> got what working? your code had multiple bugs, security loopholes,
> redundant cruft (CGI.pm AND lib.cgi???? do you wear a belt and
> suspenders?), bad perl code, perl4 type calls, etc.
> 
> no one here will use this and given the many (mostly crappy) free bbs
> things out there, this will only join that pile and rot away.

Yeah, I wrote one, too, several years ago.  I suppose I should take it off 
the web.  The main reason I don't is because the page has links to a taint 
mode FAQ and a perl.com article about free CGI resources that recommends 
nms scripts.  At least my crappy BBS uses strict, warnings, taint mode, 
CGI.pm, and *tries* to be secure and easily maintainable.  But it still 
sucks....

After I tried writing one I found that I dislike web BBSs.  Someone 
mentioned perlmonks as a good place to learn.  I'm sure it is, but web BBSs 
-- all of them I've seen, anyway -- have such horrible interfaces.  "Whip 
me, beat me, make me write programs with Notepad and use a web BBS!"

-- 
David Wall
0
David
1/21/2004 2:48:19 PM
A. Sinan Unur wrote:

> Karlheinz Weindl <karlheinz.weindl@oooonlinehome.de> wrote in
> news:bulcgt$4ed$1@online.de: 
> 
> 
>>Gunnar Hjalmarsson wrote:
>>
>>>A. Sinan Unur wrote:
>>>
>>>
>>>>use CGI;
>>>>my $q = CGI->new();
>>>>
>>>>$CGI::POST_MAX=1024 * 100;  # max 100K posts
>>>>$CGI::DISABLE_UPLOADS = 1;  # no uploads
>>>
>>>
>>>Aren't those variables supposed to be set before the CGI object is
>>>created? 
>>
>>That should not make any difference since this is class data.
> 
> 
> But sir, CGI.pm does the actual reading of the data when the first CGI 
> object is created. 
> 
> Consider the following script:
> 
> #! /usr/bin/perl -T
> 
> use warnings;
> use strict;
> 
> use CGI;
> my $q = CGI->new();
> 
> $CGI::POST_MAX = 1;
> $CGI::DISABLE_UPLOADS = 1;
> 
> unless($q->param('submit')) {
>     show_form($q);
> } else {
>     process_form($q);
> }
> 
> sub show_form {
>     my ($q) = @_;
>     print $q->header();
>     print <<HTML;
> <html>
> <body>
> <form method="post">
> <input type="hidden" name="hidden" value="0123456789">
> <input type="submit" name="submit" value="Submit">
> </form>
> </body>
> </html>
> HTML
> }
> 
> sub process_form {
>     my ($q) = @_;
>     print $q->header();
>     print <<HTML;
> <html>
> <body>
> <p>Hi</p>
> </body>
> </html>
> HTML
> }
> 
> __END__
> 

So, what am I supposed to see running this?
Definitely not the submit button and the 'Hi'.


Karlheinz
0
Karlheinz
1/21/2004 3:26:22 PM
Karlheinz Weindl <karlheinz.weindl@oooonlinehome.de> wrote in news:bum5r0
$b1p$1@online.de:

> A. Sinan Unur schrieb:
> 
>> Karlheinz Weindl <karlheinz.weindl@oooonlinehome.de> wrote in
>> news:bulcgt$4ed$1@online.de: 
>> 
>> 
>>>Gunnar Hjalmarsson wrote:
>>>
>>>>A. Sinan Unur wrote:
>>>>
>>>>
>>>>>use CGI;
>>>>>my $q = CGI->new();
>>>>>
>>>>>$CGI::POST_MAX=1024 * 100;  # max 100K posts
>>>>>$CGI::DISABLE_UPLOADS = 1;  # no uploads
>>>>
>>>>
>>>>Aren't those variables supposed to be set before the CGI object is
>>>>created? 
>>>
>>>That should not make any difference since this is class data.
>> 
>> 
>> But sir, CGI.pm does the actual reading of the data when the first CGI 
>> object is created. 
>> 
>> Consider the following script:
>> 

....

>> use CGI;
>> my $q = CGI->new();
>> 
>> $CGI::POST_MAX = 1;
>> $CGI::DISABLE_UPLOADS = 1;

....

 
> So, what am I supposed to see running this?
> Definitely not the submit button and the 'Hi'.

If you set the variables after creating the CGI object (as above), that is 
exactly what you are going to see. Whereas if you set the variables before 
creating the CGI object, you will see the submit button again.

Note that I have removed the ctest_after script from my site because I do 
not have a built-in vulnerability advertised on the UseNet on my site. 
You'll have to try the two versions out and see for yourself.

In fact, if you could be bothered to check the source code for CGI.pm 
before posting assertions and challenges, you will see that content length 
is only checked and STDIN only read in init and only if the CGI has not yet 
been initialized. So setting the variables above after you have created the 
first CGI object is futile.

This will hopefully be my last communication with you on this topic.

-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/21/2004 3:59:32 PM
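Sinan's point in working form, as an added example in Perl that is not his ctest script or any other code from the thread: the two limits are assigned before the first `CGI->new()`, and the script then checks `cgi_error()`, which CGI.pm sets (rather than dying) when a request trips one of them. Only CGI.pm is assumed; the form mirrors the one in the quoted script.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Added example, not code from the thread. The limits must be assigned
# BEFORE the first CGI->new(): CGI.pm checks Content-Length and reads the
# request body in its init, and only for the first object it creates, so
# assignments made after that point never take effect.
$CGI::POST_MAX        = 1024 * 100;   # reject request bodies over 100 KB
$CGI::DISABLE_UPLOADS = 1;            # reject multipart file uploads

my $q = CGI->new();

# An oversize request does not die; CGI.pm records the reason in
# cgi_error() (for a body over POST_MAX: "413 Request entity too large")
# and leaves the parameter list empty. Check it before trusting param().
if ( my $err = $q->cgi_error ) {
    print $q->header( -status => $err, -charset => 'ISO-8859-1' );
    print "<html><body><p>Request rejected: ", $q->escapeHTML($err),
          "</p></body></html>\n";
    exit;
}

if ( defined $q->param('submit') ) {
    process_form($q);
}
else {
    show_form($q);
}

sub show_form {
    my ($q) = @_;
    print $q->header();
    print <<'HTML';
<html>
<body>
<form method="post">
<input type="hidden" name="hidden" value="0123456789">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
HTML
}

sub process_form {
    my ($q) = @_;
    my $hidden = $q->param('hidden');
    $hidden = '' unless defined $hidden;
    print $q->header();
    # Echo the hidden field back escaped, so it is shown as text, not markup.
    print "<html><body><p>Hi, hidden=", $q->escapeHTML($hidden),
          "</p></body></html>\n";
}
```

CGI.pm reads a POST body from STDIN whenever `REQUEST_METHOD` and `CONTENT_LENGTH` are set, so this can be exercised without a web server: `printf 'hidden=0123456789&submit=Submit' | REQUEST_METHOD=POST CONTENT_TYPE=application/x-www-form-urlencoded CONTENT_LENGTH=31 perl -T limits.cgi` (start it with `perl -T`; a `-T` that appears only on the shebang line is rejected as "too late" when the script is run through `perl`). Lower `$CGI::POST_MAX` to 1, as in the quoted script, and the same request produces the 413 page; move the two assignments below `CGI->new()` and the limit silently stops applying, which is the whole of Sinan's point.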
A. Sinan Unur wrote:

[...]
>>>use CGI;
>>>my $q = CGI->new();
>>>
>>>$CGI::POST_MAX = 1;
>>>$CGI::DISABLE_UPLOADS = 1;
> 
> 
> ...
> 
>  
> 
>>So, what am I supposed to see running this?
>>Definitely not the submit button and the 'Hi'.
> 
> 
> If you set the variables after creating the CGI object (as above), that is 
> exactly what you are going to see. Whereas if you set the variables before 
> creating the CGI object, you will see the submit button again.

Sorry, did not mean to annoy you. I just did not get your point of 
restricting the POST size to 1 byte at a first glance.

[...]
> This will hopefully be my last communication with you on this topic.

Probably next time I should post under the pseudonym 'Robin' to receive 
a less harsh tone from your side :)

bye
Karlheinz
0
Karlheinz
1/21/2004 5:36:52 PM
Karlheinz Weindl <karlheinz.weindl@oooonlinehome.de> wrote in
news:bumdfl$qro$1@online.de: 

> A. Sinan Unur wrote:
>
>> If you set the variables after creating the CGI object (as above),
>> that is exactly what you are going to see. Whereas if you set the
>> variables before creating the CGI object, you will see the submit
>> button again. 
> 
> Sorry, did not mean to annoy you. I just did not get your point of 
> restricting the POST size to 1 byte at a first glance.
> 
> [...]
>> This will hopefully be my last communication with you on this topic.
> 
> Probably next time I should post under the pseudonym 'Robin' to
> receive a less harsh tone from your side :)

OK, I admit that was a little over the top. Apologies. No need to sink to 
those lows :)

Sinan.

-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
0
A
1/21/2004 5:56:59 PM
>
> I do not see at the moment how you are protecting against the
> possibility that someone might deliberately include html in their
> posting. You seem to take in whatever the user sent, and output it
> directly. So if someone puts in <blink>Hi, mom!</blink> then you'd
> output exactly that and the browsers are going to react to it.
> Even if it's javascript or if the user included </form> and
> started a new <form> and so on.
>
> :  if ($FORM{'name'} && $FORM{'email'} && $FORM{'post'} && $FORM{'name1'} !~
> :/\./ && $FORM{'name'} !~ /<.*>/ && $FORM{'email'} !~ /<.*>/ && $FORM{'post'}
> :!~ /<.*>/ && $FORM{'name'} !~ /^\s*$/ && $FORM{'email'} !~ /^\s*$/ &&
> :$FORM{'post'} !~ /^\s*$/)
>
> I see there that you do match $FORM{'post'} against /<.*>/ but
> that is not going to work if the string has embedded newlines.
> You would need /<.*>/s for that case. (The s modifier is not
> available in perl4 though.)

Thanks for this and thanks for the email, I'll actually get that code fixed
so it's less of a security loop....

-Robin


0
Robin
1/22/2004 12:41:54 AM
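The filter gap quoted above (a `.` that never crosses a newline) side by side with the `/s` fix and with the approach a maintainer should take instead, escaping on output; it also covers the question in the thread's opening post about spaces in names showing up as percent-escapes in the reply link. This is an added example in Perl, not code from the thread or from Robin's BBS. It assumes only CGI.pm (`escapeHTML` comes from the `:standard` tag, `CGI::escape` is CGI.pm's URL encoder); the sample inputs, name and email are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);   # exports escapeHTML()

# Constructed sample inputs, not taken from the thread's BBS data.
my %sample = (
    plain     => 'Hi, mom!',
    one_line  => '<blink>Hi, mom!</blink>',
    # Tags whose brackets sit on different lines: a browser still parses
    # them, but a `.` without /s never crosses the newline.
    split_tag => "<blink\n>Hi, mom!</blink\n>",
);

# The check as posted in the BBS: rejects a tag only when it is on one line.
sub looks_clean_posted { my ($s) = @_; return $s !~ /<.*>/  ? 1 : 0 }

# The fix suggested in the thread: with /s, `.` also matches newline.
sub looks_clean_s      { my ($s) = @_; return $s !~ /<.*>/s ? 1 : 0 }

# What to do instead of pattern-blocking markup: keep the raw text and
# escape it at the point where it is written into HTML, so every `<`, `>`,
# `&` and `"` from the user is rendered as text. Text that goes into a URL
# (the reply link) needs URL encoding, which is a different escape: a
# space becomes %20, which is the "%" sequence the opening post asks about.
sub render_post {
    my ($name, $email, $post) = @_;
    return join '',
        'Name - ',     escapeHTML($name),  '<br>',
        'Email - ',    escapeHTML($email), '<br>',
        'Post - <br>', escapeHTML($post),  '<br>',
        '[ <a href="bbs.cgi?action=reply&amp;name=', CGI::escape($name),
        '">Reply</a> ]<br><br>', "\n";
}

for my $label (sort keys %sample) {
    printf "%-9s  /<.*>/: %-6s  /<.*>/s: %s\n", $label,
        looks_clean_posted($sample{$label}) ? 'accept' : 'reject',
        looks_clean_s($sample{$label})      ? 'accept' : 'reject';
}
# A name with a space shows the URL encoding; the split tag comes out as text.
print render_post('Robin W', 'robin@example.invalid', $sample{split_tag});
```

The first loop shows `split_tag` accepted by the posted check and rejected once `/s` is added; `render_post` shows why the regex is not the layer to rely on at all: whatever the user typed, the HTML escape turns it into text, and the name in the link is safe for the URL because it is percent-encoded rather than pasted in.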
Robin wrote:

>>>require ('lib.cgi');

Bad idea.

>>use CGI;
>>my $q = CGI->new();

Good idea.

> How would I do this without using cgi?

Why would you want to avoid CGI.pm?

Oh, I see:
    Post - Welcome to the Perl 4 Beginners BBS

The world does *NOT* need any more Perl 4 Beginners.

Perl 5 came out at the end of 1994.  That's almost
ten years!   Come on, Robin, get with the program!
Learn to use perl 5.  Your life will be better for it.
	-Joe
-- 
I love my TiVo - http://www.inwap.com/u/joe/tivo/
0
Joe
1/22/2004 12:24:01 PM
Robin wrote:

> Here's what it looks like now, why isn't it printing it to the files...?
> use CGI qw(:standard);
> require ('lib.cgi');
> &data_cgivars;

Your main problem is that you can't use CGI and 'lib.cgi' in the
same program.  The CGI module does everything that lib.cgi used
to do; the function calls and variable names have changed.
	-Joe

-- 
I love my TiVo - http://www.inwap.com/u/joe/tivo/
0
Joe
1/22/2004 12:29:33 PM
> Robin wrote:
>
> >>>require ('lib.cgi');
>
> Bad idea.
>
> >>use CGI;
> >>my $q = CGI->new();
>
> Good idea.
>
> > How would I do this without using cgi?
>
> Why would you want to avoid CGI.pm?
>
> Oh, I see:
>     Post - Welcome to the Perl 4 Beginners BBS

It was supposed to say perl4beginners-I do use perl 5 if you really have to
know. I wanted to use my library because I still dunno how to work CGI.pm,
but I'm learning it.

> The world does *NOT* need any more Perl 4 Beginners.
>
> Perl 5 came out at the end of 1994.  That's almost
> ten years!   Come on, Robin, get with the program!
> Learn to use perl 5.  Your life will be better for it.
> -Joe

peace,
-Robin


0
Robin
1/22/2004 7:47:24 PM
"Joe Smith" <Joe.Smith@inwap.com> wrote in message
news:NmPPb.103392$nt4.325983@attbi_s51...
> Robin wrote:
>
> > Here's what it looks like now, why isn't it printing it to the files...?
> > use CGI qw(:standard);
> > require ('lib.cgi');
> > &data_cgivars;
>
> Your main problem is that you can't use CGI and 'lib.cgi' in the
> same program.  The CGI module does everything that lib.cgi used
> to do; the function calls and variable names have changed.
> -Joe

huh, it seemed to work using both of them...
I guess I'll just use cgi for the beta...peace,
-Robin


0
Robin
1/22/2004 7:48:43 PM
>>>>> "R" == Robin  <robin@csf.edu> writes:

  R> It was supposed to say perl4beginners-I do use perl 5 if you really
  R> have to know. I wanted to use my library because I still dunno how
  R> to work CGI.pm, but I'm learning it.

that is pathetic. your lib is HARDER to use than cgi.pm. cgi.pm has to
be one of the easiest to use modules in existence given the complexity
of what goes on behind the curtain.

please take up some other hobby. programming is not for you. do you
realize how much you don't know and at the rate you seem to absorb stuff
you might be able to code on your own in 30 years.

uri

-- 
Uri Guttman  ------  uri@stemsystems.com  -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs  ----------------------------  http://jobs.perl.org
0
Uri
1/22/2004 8:05:20 PM
>>>>> "Robin" == Robin  <robin@csf.edu> writes:

Robin> It was supposed to say perl4beginners-I do use perl 5 if you
Robin> really have to know. I wanted to use my library because I still
Robin> dunno how to work CGI.pm, but I'm learning it.

Really?  How tough is it to learn this:

    use CGI qw(param);

    my $name = param('name'); # get param field named 'name'
    my @options = param('options'); # get multi-field (all values)

That's *it*.  That's all you need to know about CGI.pm and you can
throw away *everything* you've seen from the Perl4 days.  Really.  You
can.  You can do it.  You don't have to use any of the other shortcut
things, or sticky fields, or anything else.  Just please please please
use CGI.pm to read the params in a portable, safe fashion.

print "Just another Perl hacker,"

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
0
merlyn
1/22/2004 9:54:38 PM
> please take up some other hobby.

yeah well... maybe if you didn't post at all you'd be coding on your own...

:-)

-Robin


0
Robin
1/22/2004 10:43:09 PM
>>>>> "R" == Robin  <robin@csf.edu> writes:

  >> please take up some other hobby.

  R> yeah well... maybe if you didn't post at all you'd be coding on your own...

i code plenty as it is. i also read and think plenty too. that is the
difference between my work and the scribbling you do. you have
reinvented many wheels and they come out very square. 

uri

-- 
Uri Guttman  ------  uri@stemsystems.com  -------- http://www.stemsystems.com
--Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
Search or Offer Perl Jobs  ----------------------------  http://jobs.perl.org
0
Uri
1/22/2004 11:11:55 PM
>   >> please take up some other hobby.
>
>   R> yeah well... maybe if you didn't post at all you'd be coding on your
own...
>
> i code plenty as it is. i also read and think plenty too. that is the
> difference between my work and the scribbling you do. you have
> reinvented many wheels and they come out very square.
>
> uri
>

Yeah well, I read a lot of non-tech stuff and some tech, but probably not as
much as you...I think, else how would I write code at all even if my code
sucks, don't mean to be overtly defensive... peace,
-Robin


0
Robin
1/23/2004 1:59:06 AM
Robin wrote:

> "Joe Smith" <Joe.Smith@inwap.com> wrote in message
> news:NmPPb.103392$nt4.325983@attbi_s51...
> 
>>Robin wrote:
>>
>>
>>>Here's what it looks like now, why isn't it printing it to the files...?
>>>use CGI qw(:standard);
>>>require ('lib.cgi');
>>>&data_cgivars;
>>
>>Your main problem is that you can't use CGI and 'lib.cgi' in the
>>same program.  The CGI module does everything that lib.cgi used
>>to do; the function calls and variable names have changed.
>>-Joe
> 
> 
> huh, it seemed to work using both of them...

You *CANNOT* use both and have competent programming.
There are many examples of incompetent programming that "appear"
to work, but are extremely flawed.

When you actually use CGI.pm, it means a lot more than simply
putting 'use CGI' in your program.  It means using the methods
and functions that come with that module.  In particular, it
means replacing home-grown routines that print "Content-type:"
with routines that provide a full and proper set of HTML headers.
If you were really using CGI, you would not have a call
to data_cgivars().

	-Joe
-- 
I love my TiVo - http://www.inwap.com/u/joe/tivo/
0
Joe
1/26/2004 5:10:26 AM
Joe Smith wrote:
> When you actually use CGI.pm, it means a lot more than simply 
> putting 'use CGI' in your program.  It means using the methods and
> functions that come with that module.

It should be noted that very few people choose to use everything that
comes with the giant CGI module.

> In particular, it means replacing home-grown routines that print
> "Content-type:" with routines that provide a full and proper set of
> HTML headers.

Well, CGI.pm abstracts quite a few trivial things without cause. It
may be a few more characters to type:

     print "Content-type: text/html\n\n";

compared to:

     print $query->header;

but printing the header directly has a pedagogic advantage, since you
learn what it looks like and are more likely to find out _why_ it's
printed. Prompting beginners not to do that is ill-advised IMO.

> If you were really using CGI, you would not have a call to
> data_cgivars().

Okay, on _that_ we can agree. ;-)

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/26/2004 6:50:35 AM
On Mon, 26 Jan 2004, Gunnar Hjalmarsson wrote:

> Well, CGI.pm abstracts quite a few trivial things without cause. It
> may be a few more characters to type:
>
>      print "Content-type: text/html\n\n";
>
> compared to:
>
>      print $query->header;

Except that the second one will (at least by default in recent CGI.pm
versions) follow the good practice recommended by security alert
CA-2000-02, irrespective of whether the script author is aware of this
recommendation or not.

> but printing the header directly has a pedagogic advantage,

It can, indeed, but only if the candidate is willing to learn why
CGI.pm wants the header to be:

 Content-Type: text/html; charset=ISO-8859-1

(or whatever other character coding is being used).

And then there's the consideration of what if an NPH script is
required?  Here again, CGI.pm adapts calmly to the situation, whereas
the hand-knitter needs to explore a fresh area of the CGI spec.

> since you learn what it looks like and are more likely to find out
> _why_ it's printed. Prompting beginners not to do that is
> ill-advised IMO.

Ideally, one would do both: learn what's happening under the covers,
_and_ use CGI.pm at the core of production CGI code.

0
Alan
1/26/2004 12:44:07 PM
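What the two header styles in this exchange actually put on the wire, as an added example in Perl that is not code from the thread: the hand-written line beside CGI.pm's `header()` with its default charset, an explicit `-charset`, and the `-nph` variant Alan mentions. Only CGI.pm is assumed; `has_charset` is a helper written for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Added example, not from the thread: shows the bytes behind each header
# style so the difference is visible rather than asserted.
my $q = CGI->new();

# Hand-knitted, as quoted: no charset, so the browser guesses the encoding.
my $hand_written = "Content-type: text/html\n\n";

# CGI.pm default: "charset=ISO-8859-1" is appended to the text/html type.
my $cgi_default = $q->header();

# Declaring the encoding the script really emits (UTF-8 here).
my $cgi_utf8 = $q->header( -type => 'text/html', -charset => 'UTF-8' );

# NPH variant: the script speaks HTTP itself, so header() prepends the
# status line plus Server and Date headers; the script body is unchanged.
my $cgi_nph = $q->header( -nph => 1 );

# Helper for this example: does a header block declare a charset?
sub has_charset {
    my ($h) = @_;
    return $h =~ /^Content-Type:.*;\s*charset=\S+/mi ? 1 : 0;
}

for ( [ 'hand-written',          $hand_written ],
      [ 'CGI.pm default',        $cgi_default  ],
      [ 'CGI.pm -charset UTF-8', $cgi_utf8     ],
      [ 'CGI.pm -nph',           $cgi_nph      ] ) {
    my ($label, $hdr) = @$_;
    printf "%-22s charset declared: %s\n%s\n",
        $label, ( has_charset($hdr) ? 'yes' : 'no' ), $hdr;
}
```

Only the first of the four comes back without a charset. Whichever style a script uses, the charset it declares has to match the encoding of the bytes it writes; `-charset` is the way to say so through CGI.pm when the page is not ISO-8859-1.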
Alan J. Flavell wrote:
> On Mon, 26 Jan 2004, Gunnar Hjalmarsson wrote:
>> Well, CGI.pm abstracts quite a few trivial things without cause.
>> It may be a few more characters to type:
>> 
>>     print "Content-type: text/html\n\n";
>> 
>> compared to:
>> 
>>     print $query->header;
> 
> Except that the second one will (at least by default in recent
> CGI.pm versions) follow the good practice recommended by security
> alert CA-2000-02, irrespective of whether the script author is
> aware of this recommendation or not.

Okay, it was kind of embarrassing to miss the charset in that example. ;-)

But are there really security considerations behind CGI.pm's default
setting of a character set? Isn't the reason rather to simply increase
the chances that the script generates valid HTML/XHTML?

The document you refer to addresses security issues in connection with
generated web content. But by referring to it in connection with a
discussion whether it's advisable to use CGI.pm for generating HTTP
headers, I think you make the mistake to give the impression that
CGI.pm takes care of all sorts of security issues. Unfortunately, a
lot of comments in this group about CGI contribute erroneously to that
impression.

Security is a good reason to learn enough to understand what you are
doing when dealing with CGI, rather than a reason to apply CGI.pm's
high degree of abstraction.

> Ideally, one would do both: learn what's happening under the
> covers, _and_ use CGI.pm at the core of production CGI code.

Maybe.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/26/2004 2:43:02 PM
On Mon, 26 Jan 2004, Gunnar Hjalmarsson wrote:

> But is there really security considerations behind CGI.pm's default
> setting of a character set?

My recollection is that it was introduced in response to CA-2000-02,
although he doesn't say so in so many words in the change log.
However, Google will find some security-related discussions in Feb.
2000 about CGI.pm which followed from the alert (and the amended
Apache version).

IIRC it was introduced in CGI.pm 2.57 (deceased) and released in
CGI.pm 2.58 dated 23-Mar-2000.

CA-2000-02 is dated 2 Feb 2000.  This is no mere co-incidence.

How many programmers fixed their hand-crafted scripts within that
space of time?

> The document you refer to addresses security issues in connection with
> generated web content.

It's a complex issue.  I'm aware of other places where the use of
CGI.pm by default takes care of security-relevant mistakes which users
regularly make in hand-knitted code.

> But by referring to it in connection with a
> discussion whether it's advisable to use CGI.pm for generating HTTP
> headers, I think you make the mistake to give the impression that
> CGI.pm takes care of all sorts of security issues.

If that is so, then I would emphatically like to dispel that
impression.  It does take care of some issues, but by no means does it
replace many other precautions that need to be taken for secure and
reliable scripts.  Its author, after all, maintains a web security
FAQ, and that FAQ says much more than simply "use the module, Luke".
And rightly so.

0
Alan
1/26/2004 5:33:39 PM
Alan J. Flavell wrote:
> [CGI.pm's] author, after all, maintains a web security FAQ, and
> that FAQ says much more than simply "use the module, Luke".

Yes, it does. I just wish that those who frequently prompt beginners to
use CGI.pm would also say more.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

0
Gunnar
1/26/2004 7:01:38 PM
"Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
news:bv3o6c$nck1d$1@ID-184292.news.uni-berlin.de...
> Alan J. Flavell wrote:
> > [CGI.pm's] author, after all, maintains a web security FAQ, and
> > that FAQ says much more than simply "use the module, Luke".
>
> Yes, it does. I just wish that those who frequently prompt beginners to
> use CGI.pm would also say more.

beginners already have enough to worry about.
as they advance in skills and knowledge, they can study
the modules they rely the most on, but mainly to be more
aware of what is going on. only when they have mastered
the art of reading the perldocs and faqs, should they go on
to learn to read the HTTP specs.

gnari




0
gnari
1/26/2004 8:07:56 PM