Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > need help with security
need help with security

 
 
Robin
05-02-2004
Someone posted an unauthorized post to my blog, if someone has time...could
you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
point out the security problems??

Thanks in advance.

--
Regards,
-Robin
--
[ webmaster @ infusedlight.net ]
www.infusedlight.net


 
gnari
05-03-2004
"Robin" <webmaster @ infusedlight . net> wrote in message
news:c73lo9$a08$...
> Someone posted an unauthorized post to my blog, if someone has time...could
> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
> point out the security problems??
>


of course, it is your auth.pl that is the weakest link.

gnari




 
Mark Clements
05-03-2004
Robin wrote:
> Someone posted an unauthorized post to my blog, if someone has time...could
> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
> point out the security problems??

quick read (can't be arsed to consider the security problems):

my $rootfile =
$rootfile =~ s/.+\///;

what is this supposed to be doing?

my @blogposts;
@blogposts = getposts ();

why is this two lines?

perltidy is still your friend. Please use it.

$mon++;
$year +=1900;

why are you doing this? There are many fine CPAN modules that handle
dates without such jiggery-pokery.

open (BLOG, $blogfile) or push (@errors, "An error occured:
couldn't open blog file.");

why are you using files when your needs would be much better served with
a proper database?


open (COUNT, ">$countfile") or push (@errors, "An error occured during
posting: couldn't open count file.");
flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
posting: couldn't lock count file.");

your open fails and you save the error (but not $!, which would tell you
what the error is), yet you still continue to the flock. why?


why are you printing html directly from perl? *please* look at (and
understand, and use) templating solutions.

Mark
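The count-file sequence Mark quotes has two problems worth spelling out: a failed open is recorded without $!, and execution then carries on to flock and, presumably, a write on a handle that was never opened; and open(COUNT, ">$countfile") truncates the file before the exclusive lock is taken, so a concurrent reader can see an empty counter. The following is an added example, not code from Robin's blog.txt: it opens the counter read/write without truncating, locks, rewrites it, and returns an error string that carries $! instead of pushing a bare message onto a shared @errors array. The path it updates is a temp file constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not from the original blog.txt): lock before truncate,
# and stop at the first failure with $! in the message.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock SEEK_SET);
use File::Temp qw(tempfile);

# Increment the number stored in $countfile. Returns ($new_count, undef)
# on success or (undef, $error_message) on failure.
sub bump_count {
    my ($countfile) = @_;

    # O_RDWR|O_CREAT creates the file if it is missing but never truncates
    # it; ">" would have emptied the file before any lock was held.
    sysopen(my $fh, $countfile, O_RDWR | O_CREAT, 0644)
        or return (undef, "couldn't open count file $countfile: $!");

    # Only now take the exclusive lock; readers that use LOCK_SH block
    # here instead of reading a half-written or empty file.
    flock($fh, LOCK_EX)
        or return (undef, "couldn't lock count file $countfile: $!");

    my $line = <$fh>;
    my $old  = (defined $line && $line =~ /^\s*(\d+)\s*$/) ? $1 : 0;  # garbage -> start at 0
    my $new  = $old + 1;

    seek($fh, 0, SEEK_SET) or return (undef, "seek on $countfile failed: $!");
    truncate($fh, 0)       or return (undef, "truncate of $countfile failed: $!");
    print {$fh} "$new\n"   or return (undef, "write to $countfile failed: $!");
    close($fh)             or return (undef, "close of $countfile failed: $!");  # close also releases the lock

    return ($new, undef);
}

# Constructed demo: a throw-away temp file stands in for $countfile.
my ($tfh, $tmp) = tempfile(UNLINK => 1);
for (1 .. 3) {
    my ($n, $err) = bump_count($tmp);
    print defined $n ? "count is now $n\n" : "error: $err\n";
}

# Failure path: the message carries $! (e.g. "No such file or directory")
# instead of the bare "couldn't open count file" the original pushed.
my (undef, $err) = bump_count('/nonexistent/dir/count.txt');
print "error: $err\n";
```

The lock is advisory, so every reader of the counter has to flock(LOCK_SH) before reading for this to help; the point of the ordering is that nothing is destroyed (the truncate) until the lock is held, and that a caller who gets an error back stops instead of proceeding with an unopened handle.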
 

Sam Holden
05-03-2004
On Mon, 03 May 2004 02:04:07 +0100,
Mark Clements <> wrote:
> Robin wrote:
>> Someone posted an unauthorized post to my blog, if someone has time...could
>> you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
>> point out the security problems??

> quick read (can't be arsed to consider the security problems):
>
> my $rootfile =
> $rootfile =~ s/.+\///;
>
> what is this supposed to be doing?


Delete everything other than the filename (ie. getting the basename
of a path). Of course it doesn't work for paths containing newlines.

It also should use something other than /, such as s!.+/!!... or
even better File::Basename.

> why are you using files when your needs would be much better served with
> a proper database?


How are files not a "proper" database?

--
Sam Holden
 

Robin
05-03-2004

"gnari" <> wrote in message
news:c742sf$6gh$...
> "Robin" <webmaster @ infusedlight . net> wrote in message
> news:c73lo9$a08$...
> > Someone posted an unauthorized post to my blog, if someone has time...could
> > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
> > point out the security problems??
> >

>
> of course, it is your auth.pl that is the weakest link.
>
> gnari


agreed, thanks... I'll set it up to use cookies...
-robin



 
Robin
05-03-2004

"Mark Clements" <> wrote in message
news:40959a87$...
> Robin wrote:
> > Someone posted an unauthorized post to my blog, if someone has time...could
> > you check this out, http://www.infusedlight.net/robin/temp/blog.txt and
> > point out the security problems??

> quick read (can't be arsed to consider the security problems):
>
> my $rootfile =
> $rootfile =~ s/.+\///;
>
> what is this supposed to be doing?


I posted the new one. Look again.

> my @blogposts;
> @blogposts = getposts ();
>
> why is this two lines?


heheh...I dunno. Sorry.

> perltidy is still your friend. Please use it.


Ok. I'll check it out.

> $mon++;
> $year +=1900;
>
> why are you doing this? There are many fine CPAN modules that handles
> dates without such jiggery-pokery.


well, I tend to use as few modules as possible so that someone can install
the script on their server without having to download a lot of modules.

> open (BLOG, $blogfile) or push (@errors, "An error occured:
> couldn't open blog file.");
>
> why are you using files when your needs would be much better served with
> a proper database?
>
>
> open (COUNT, ">$countfile") or push (@errors, "An error occured during
> posting: couldn't open count file.");
> flock (COUNT, LOCK_EX) or push (@errors, "An error occured during
> posting: couldn't lock count file.");
>
> your open fails and you save the error (but not $!, which would tell you
> what the error is), yet you still continue to the flock. why?


If the open fails, the flock will fail so why not try it and then the error
output will come into play. With the new one it does include $!.

> why are you printing html directly from perl? *please* look at (and
> understand, and use) templating solutions.


Like I said b4 I'd rather not use too many modules that aren't installed on
everyone's server.

-Robin



 
Robin
05-03-2004
sorry to post a script that wouldn't compile, I actually posted the one in
progress without checking if it would work, that was completely my mistake.
now it runs - www.infusedlight.net/robin/temp/blog.txt - and the auth script
source code is www.infusedlight.net/robin/temp/auth.txt
Sorry about my formatting, I use an editor that screws it all up. I'll use
perltidy next time.

Gnari, thanks. Was that you who hacked it? I don't care really, but how
would you be able to get the auth.pl password from my old search script? see
the previous post, "free source search engine...etc"

-Robin





 
Anno Siegel
05-03-2004
Robin <robin @ infusedlight.net> wrote in comp.lang.perl.misc:
> sorry to post a script that wouldn't compile, I actually posted the one in
> progress without checking if it would work,that was completely my mistake.


Yes, it is, and you're making too many of them. Dumping one sloppy
post after the other to the group is just rude. Stop it!

Anno
 

Joe Smith
05-03-2004
Robin wrote:

> well, I tend to use as few modules as possible so that someone can install
> the script on their server without having to download a lot of modules.


With that design, your script will not have much in terms of functionality.
The end result will be more of a toy than a production-quality program.

It probably doesn't matter much; I doubt that more than a handful of
people will ever be using it.
-Joe
 

Mark Clements
05-03-2004
Sam Holden wrote:

>>my $rootfile =
>>$rootfile =~ s/.+\///;
>>
>>what is this supposed to be doing?

> Delete everything other than the filename (ie. getting the basename
> of a path). Of course it doesn't work for paths containing newlines.

s/// returns the number of substitutions, though in this case since /g
isn't specified it will only ever return 0 or 1, so $rootfile is set to
0 or 1.

>>why are you using files when your needs would be much better served with
>>a proper database?

> How are files not a "proper" database?

OK - you can do it that way but using an RDBMS of some description has
many advantages over reading and writing files directly.

Mark
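To make the $rootfile point concrete (Mark's quote of the two-line statement, Sam's note about newlines and File::Basename, and Mark's follow-up that the assignment receives the return value of s///), here is an added example that is not part of the original script or of anyone's post. It runs the quoted construct on a few constructed sample paths and shows, side by side, what it actually assigns, what a corrected hand-rolled regex gives, and what File::Basename::basename gives.

```perl
#!/usr/bin/perl
# Added example (not from the original blog.txt): what the quoted
# "my $rootfile = $rootfile =~ s/.+\///;" actually assigns, and two
# ways to get the basename instead.
use strict;
use warnings;
use File::Basename qw(basename);

# The two lines Mark quotes parse as one statement. The right-hand side
# is the return value of s///: the number of substitutions made (1), or
# the empty string when nothing matched. The file name never arrives.
sub broken_rootfile {
    my ($path) = @_;
    my $rootfile = ($path =~ s/.+\///);
    return $rootfile;
}

# Hand-rolled version with Sam's "!" delimiter; /s lets "." match a
# newline too, so a directory name containing one is still stripped.
sub regex_basename {
    my ($path) = @_;
    (my $name = $path) =~ s!.*/!!s;
    return $name;
}

# Constructed sample paths, including the newline case Sam mentions.
my @samples = (
    '/home/robin/blog/posts/entry.txt',
    'posts/entry.txt',
    'entry.txt',
    "odd\ndir/entry.txt",
);

# Quote a value for display and make an embedded newline visible.
sub show { my ($s) = @_; $s =~ s/\n/\\n/g; return qq{"$s"} }

for my $p (@samples) {
    printf "%-36s broken=%-4s regex=%-13s File::Basename=%s\n",
        show($p), show(broken_rootfile($p)),
        show(regex_basename($p)), show(basename($p));
}
```

The "broken" column is 1 for every path that contains a slash and "" for the bare file name, never the name itself. Whichever correct form is used, if the name ever comes from a request parameter rather than from the script's own configuration, it still needs a check that rejects ".", ".." and the empty string before it is used to open anything (general practice, not something the thread says the script does or does not do).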
 