From scottp at dd.com.au Mon Dec 1 13:58:14 2003 From: scottp at dd.com.au (Scott Penrose) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey Dudes It was December and all the mongers were sleeping... Time for a Christmas get together and break up. Would you prefer * Wednesday night - party * Wednesday night - movie and dinner * Weekend day lunch / BBQ * Something else Scott - -- Scott Penrose Welcome to the Digital Dimension http://www.dd.com.au/ scottp@dd.com.au Dismaimer: Contents of this mail and signature are bound to change randomly. Whilst every attempt has been made to control said randomness, the author wishes to remain blameless for the number of eggs that damn chicken laid. Oh and I don't want to hear about butterflies either. Please do not send me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (Darwin) Comment: For info see http://www.gnupg.org iD8DBQE/y51ZDCFCcmAm26YRAjHiAJ9xftLBm8icdp82C0E0TBxKDIOvRQCfRe8U wtazhZSoaXgdn0e0qLmauvA= =w1kR -----END PGP SIGNATURE----- From jens at cyber.com.au Mon Dec 1 18:36:51 2003 From: jens at cyber.com.au (Jens Porup) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together In-Reply-To: References: Message-ID: <20031202003651.GD7412@vanilla.office.cyber.com.au> On Tue, Dec 02, 2003 at 06:58:14AM +1100, Scott Penrose wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hey Dudes > > It was December and all the mongers were sleeping... > > Time for a Christmas get together and break up. > > Would you prefer > > * Wednesday night - party > * Wednesday night - movie and dinner > * Weekend day lunch / BBQ > * Something else Wednesday night yum cha? 
From ts at meme.com.au Tue Dec 2 04:43:22 2003 From: ts at meme.com.au (Tony Smith) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together In-Reply-To: References: Message-ID: >It was December and all the mongers were sleeping... So it seems! >Time for a Christmas get together and break up. > >Would you prefer > > * Wednesday night - party > * Wednesday night - movie and dinner > * Weekend day lunch / BBQ > * Something else Just one vote for sticking with the time slot, especially at this triple booked time of year. Venue and format are up to somebody else's imagination. -- Tony Smith 0405 499 718 TransForum Developer http://www.transforum.net/ From gustaf at cmetech.com.au Tue Dec 2 22:36:55 2003 From: gustaf at cmetech.com.au (gU5t4F) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together In-Reply-To: References: Message-ID: <20031203043655.GA1507@cmetech.com.au> On Tue, Dec 02, 2003 at 09:43:22PM +1100, Tony Smith wrote: > >It was December and all the mongers were sleeping... > > So it seems! > > >Time for a Christmas get together and break up. > > > >Would you prefer > > > > * Wednesday night - party > > * Wednesday night - movie and dinner > > * Weekend day lunch / BBQ > > * Something else > > Just one vote for sticking with the time slot, especially at this > triple booked time of year. Venue and format are up to somebody > else's imagination. Yup, let's stick with wednesday nite. My vote is for a movie and dinner. Are there any movies playing currently that feature camels? We could all cheer when it appears and everyone else in the cinema would look at us as if we're insane ;o) Scooter, do you have any dvd's of movies with camels? We could do a movie at myinternet, then do dinner after? 
L8rz, Foobard - Jester from the Court of Chaos From rickm at isite.net.au Tue Dec 2 23:06:53 2003 From: rickm at isite.net.au (Rick Measham) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together In-Reply-To: <20031203043655.GA1507@cmetech.com.au> References: <20031203043655.GA1507@cmetech.com.au> Message-ID: <20031203050414.M85995@isite.net.au> On Wed, 3 Dec 2003 15:36:55 +1100, gU5t4F wrote > Yup, let's stick with wednesday nite. My vote is for a > movie and dinner. Are there any movies playing currently > that feature camels? We could all cheer when it appears > and everyone else in the cinema would look at us as if > we're insane ;o) Sounds like a good idea, although I can't think of anything with a camel currently showing. From scottp at dd.com.au Wed Dec 3 05:19:39 2003 From: scottp at dd.com.au (Scott Penrose) Date: Wed Aug 4 00:03:10 2004 Subject: Christmas Get Together In-Reply-To: <20031203043655.GA1507@cmetech.com.au> Message-ID: <95E0D59E-2582-11D8-AFD5-003065B58CF8@dd.com.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How about SPIES LIKE US - It has a Camel in it. Or Aladdin ? Hmmm.... can't think of anything else with a Camel. OK. I am investigating places to go, I will make a rough booking then get everyone to RSVP. So we have a plan... When: Next Wednesday Get together and nibbles 6-6:30 Movie 6:30 - 8:30 Dinner 8:30 onwards Scooter On Wednesday, Dec 3, 2003, at 15:36 Australia/Melbourne, gU5t4F wrote: > On Tue, Dec 02, 2003 at 09:43:22PM +1100, Tony Smith wrote: >>> It was December and all the mongers were sleeping... >> >> So it seems! >> >>> Time for a Christmas get together and break up. >>> >>> Would you prefer >>> >>> * Wednesday night - party >>> * Wednesday night - movie and dinner >>> * Weekend day lunch / BBQ >>> * Something else >> >> Just one vote for sticking with the time slot, especially at this >> triple booked time of year. Venue and format are up to somebody >> else's imagination. 
> > Yup, let's stick with wednesday nite. My vote is for a > movie and dinner. Are there any movies playing currently > that feature camels? We could all cheer when it appears > and everyone else in the cinema would look at us as if > we're insane ;o) > > Scooter, do you have any dvd's of movies with camels? We > could do a movie at myinternet, then do dinner after? > > L8rz, > Foobard - Jester from the Court of Chaos > > > > - -- Scott Penrose Open source developer http://linux.dd.com.au/ scottp@dd.com.au Dismaimer: Open sauce usually ends up never coming out (of the bottle). Please do not send me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (Darwin) Comment: For info see http://www.gnupg.org iD8DBQE/zcbPDCFCcmAm26YRAqvEAKCjTzf7WmU+0JhArFoRs4bKrSz0/QCgsExj U3XSMGogP2Jde4FBuLql15k= =1KHO -----END PGP SIGNATURE----- From scottp at dd.com.au Wed Dec 3 05:24:31 2003 From: scottp at dd.com.au (Scott Penrose) Date: Wed Aug 4 00:03:10 2004 Subject: Camels Was: Christmas Get Together In-Reply-To: <20031203043655.GA1507@cmetech.com.au> Message-ID: <4383ECB2-2583-11D8-AFD5-003065B58CF8@dd.com.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Spies like us * Aladdin * Conan * The Mummy * Indiana Jones (the last crusade) * Lawrence of Arabia Scooter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (Darwin) Comment: For info see http://www.gnupg.org iD8DBQE/zcfzDCFCcmAm26YRAjZVAJ9k0SFcMhPW9AHp9Ui6xdAyCKQDjACePiY2 fB33vLHLmwAurOfqXGun4pY= =FMUv -----END PGP SIGNATURE----- From scottp at dd.com.au Wed Dec 3 05:25:53 2003 From: scottp at dd.com.au (Scott Penrose) Date: Wed Aug 4 00:03:10 2004 Subject: More Christmas party info Message-ID: <74E56463-2583-11D8-AFD5-003065B58CF8@dd.com.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a party - sure it is a party of geeks - but please bring along your family, partners and friends. 
We are here to enjoy movies and food and maybe geek a bit :-) Scooter - -- Scott Penrose Anthropomorphic Personification Expert http://search.cpan.org/search?author=SCOTT scott@cpan.org Dismaimer: While every attempt has been made to make sure that this email only contains zeros and ones, there has been no effort made to guarantee the quantity or the order. Please do not send me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (Darwin) Comment: For info see http://www.gnupg.org iD8DBQE/zchFDCFCcmAm26YRAjY7AJ4sE1idVSvxaC/V6LVvbLeQ9osh6QCeMgnh QSUphr8rn0sJeDxhqrA67/E= =Z8Vr -----END PGP SIGNATURE----- From joshua at roughtrade.net Wed Dec 3 07:34:33 2003 From: joshua at roughtrade.net (Joshua Goodall) Date: Wed Aug 4 00:03:10 2004 Subject: Camels Was: Christmas Get Together In-Reply-To: <4383ECB2-2583-11D8-AFD5-003065B58CF8@dd.com.au> References: <20031203043655.GA1507@cmetech.com.au> <4383ECB2-2583-11D8-AFD5-003065B58CF8@dd.com.au> Message-ID: <20031203133433.GB3150@roughtrade.net> On Wed, Dec 03, 2003 at 10:24:31PM +1100, Scott Penrose wrote: > * Spies like us > * Aladdin > * Conan > * The Mummy > * Indiana Jones (the last crusade) > * Lawrence of Arabia Gallipoli. J From gerard at wiredless.org Sat Dec 6 19:10:52 2003 From: gerard at wiredless.org (Gerard) Date: Wed Aug 4 00:03:10 2004 Subject: Object persistence in mod_perl based applications Message-ID: <20031207011052.GB20719@mordor.wiredless.org> Hello everyone! I was wondering what methods people have used for object persistence in Apache/mod_perl based web applications? There seems to be several different approaches to it and i'd be interested to hear people's opinions and experiences with things they have tried. Cheers, Gerard. From x182ybr at alltel.net Sat Dec 6 12:48:58 2003 From: x182ybr at alltel.net (Sharon Mccormick) Date: Wed Aug 4 00:03:10 2004 Subject: Conference calls/best quality/$.079 per minute! 
nckvtf Message-ID: <9-8---$m4p05tvos69h3z49mq9@5da.7.6cbh0i> An HTML attachment was scrubbed... URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031206/a8bc0f06/attachment.htm

From gerard at wiredless.org Tue Dec 9 08:01:36 2003
From: gerard at wiredless.org (Gerard)
Date: Wed Aug 4 00:03:10 2004
Subject: Problems with template toolkit and modperl
Message-ID: <20031209140136.GA40125@mordor.wiredless.org>

Hi everyone,

I am experiencing some troubles with Template Toolkit+mod_perl and was wondering if anyone had seen this behavior and knows how to fix it.

Within a mod_perl handler{}, I am calling a new Template and processing some object data. Now, outside of mod_perl, just using a normal perl script using the same template as I use in the mod_perl module, I can get this working. Within mod_perl, it will not work!

I have narrowed it down to the fact that if I unbless the 'windows' objects in the code below, it gives me the desired results, but this is inefficient so I'd like it to be working properly!

This is what the data structure looks like:

    my $data = {
        'windows' => [
            bless( {
                'name'    => 'blah',
                'buttons' => [
                    {
                        'name'  => 'frank',
                        'image' => 'whatever'
                    }
                ],
                'foo' => 'bar',
            }, 'Some::Object' ),
            bless( {
                'name' => 'blah2',
                'foo'  => 'bar2'
            }, 'Some::Object' ),
        ]
    };

Here is the template code:

    [% FOREACH window = windows %]
    [% FOREACH button = window.buttons %]
    [% button.name %]
    [% button.image %]
    [% END %]
    [% window.name %]
    [% END %]

This should give me:

    frank
    whatever
    blah
    blah2

But I only get:

    blah
    blah2

It refuses to access the buttons entry.

My test script outside of mod_perl gives me the correct result.

Any ideas?

Thanks,
Gerard.

From scottp at dd.com.au Sun Dec 7 16:24:49 2003
From: scottp at dd.com.au (Scott Penrose)
Date: Wed Aug 4 00:03:10 2004
Subject: Problems with template toolkit and modperl
In-Reply-To: <20031209140136.GA40125@mordor.wiredless.org>
Message-ID: <2B57EBDC-2904-11D8-874B-003065B58CF8@dd.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, Dec 10, 2003, at 01:01 Australia/Melbourne, Gerard wrote:

> Hi everyone,
>
> I am experiencing some troubles with Template Toolkit+mod_perl and was
> wondering if anyone had seen this behavior and knows how to fix it.
>
> Within a mod_perl handler{}, I am calling a new Template and processing some
> object data. Now, outside of mod_perl, just using a normal perl script using
> the same template as I use in the mod_perl module, I can get this working.
> Within mod_perl, it will not work!
>
> I have narrowed it down to the fact that if I unbless the 'windows' objects
> in the code below, it gives me the desired results, but this is inefficient
> so I'd like it to be working properly!
>
> This is what the data structure looks like:
>
>     my $data = {
>         'windows' => [
>             bless( {
>                 'name'    => 'blah',
>                 'buttons' => [
>                     {
>                         'name'  => 'frank',
>                         'image' => 'whatever'
>                     }
>                 ],
>                 'foo' => 'bar',
>             }, 'Some::Object' ),
>             bless( {
>                 'name' => 'blah2',
>                 'foo'  => 'bar2'
>             }, 'Some::Object' ),
>         ]
>     };
>
>
> Here is the template code:
>
>     [% FOREACH window = windows %]
>     [% FOREACH button = window.buttons %]
>     [% button.name %]
>     [% button.image %]
>     [% END %]
>     [% window.name %]
>     [% END %]
>
>
> This should give me:
>     frank
>     whatever
>     blah
>     blah2
>
> But I only get:
>     blah
>     blah2
>
> It refuses to access the buttons entry.
>
> My test script outside of mod_perl gives me the correct result.
>
> Any ideas?

There is nothing obvious here, it looks really good.

However there is one suggestion I can think of which is something to do with the fact that they are blessed. Maybe Template Toolkit is on with no execute code - so maybe it won't access blessed objects - I have no idea if this is true.

Another thing where I have got stuck is when extra data is included by something else, thus overwriting your variable.

However I do have one suggestion which will help you debug it... Use Data Dumper in Template Toolkit.

    [% USE Dumper %]
    [% Dumper.dump_html(windows) %]

Or if plain text, just drop _html

See what is in windows. You can then of course walk through it too.

Tell us if you find anything.

Scooter

- -- 
Scott Penrose
VP in charge of Pancakes
http://linux.dd.com.au/
scottp@dd.com.au

Dismaimer: If you receive this email in error - please eat it immediately to prevent it from falling into the wrong hands.

Please do not send me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org

iD8DBQE/06i1DCFCcmAm26YRAsDRAKChnd7BWoZPHjZxDSqnnRsV3wbySwCgnj73
O9RJqR7KhOha6/hIUjaaaOA=
=QI+6
-----END PGP SIGNATURE-----

From bsb at bereft.net Sun Dec 7 17:24:44 2003
From: bsb at bereft.net (Brad Bowman)
Date: Wed Aug 4 00:03:10 2004
Subject: Problems with template toolkit and modperl
In-Reply-To: <2B57EBDC-2904-11D8-874B-003065B58CF8@dd.com.au>
References: <2B57EBDC-2904-11D8-874B-003065B58CF8@dd.com.au>
Message-ID: <1070839484.4292.3.camel@oxum>

> > Now, outside of mod_perl, just using a normal perl script using
> > the same template as I use in the mod_perl module, I can get this
> > working.
> > Within mod_perl, it will not work!

Does your test script use TT2?

> > I have narrowed it down to the fact that if I unbless the 'windows'
> > objects
> > in the code below, it gives me the desired results, but this is
> > inefficient
> > so I'd like it to be working properly!

It's b/c TT2 has the magic dot. hash.key gives you the element while object.method calls the method and gives you the result. In your case Some::Object needs a "buttons" accessor method.

> However I do have one suggestion which will help you debug it... Use
> Data Dumper in Template Toolkit.
>
>     [% USE Dumper %]
>     [% Dumper.dump_html(windows) %]

Less spaces:

    [%- USE dumper(Indent=2,Varname='VAR') -%]
    [%- MACRO dump(this) dumper.dump(this) | html | replace(" {4}"," ") -%]

-- 
An affected laugh shows lack of self-respect in a man and lewdness in a woman.
 -- Hagakure http://bereft.net/hagakure/

From scottp at dd.com.au Sun Dec 7 17:34:56 2003
From: scottp at dd.com.au (Scott Penrose)
Date: Wed Aug 4 00:03:10 2004
Subject: Problems with template toolkit and modperl
In-Reply-To: <1070839484.4292.3.camel@oxum>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, Dec 8, 2003, at 10:24 Australia/Melbourne, Brad Bowman wrote:

>>> Now, outside of mod_perl, just using a normal perl script using
>>> the same template as I use in the mod_perl module, I can get this
>>> working.
>>> Within mod_perl, it will not work!
>
> Does your test script use TT2?

I had assumed Gerard was using TT2 - but are you ?

>>> I have narrowed it down to the fact that if I unbless the 'windows'
>>> objects
>>> in the code below, it gives me the desired results, but this is
>>> inefficient
>>> so I'd like it to be working properly!
>
> It's b/c TT2 has the magic dot. hash.key gives you the
> element while object.method calls the method and gives
> you the result. In your case Some::Object needs a
> "buttons" accessor method.

Ahhh... so because it is blessed it assumes that it MUST be a method. I was under the impression that it tried methods first and then hash. So it should still work.

>> However I do have one suggestion which will help you debug it... Use
>> Data Dumper in Template Toolkit.
>>
>>     [% USE Dumper %]
>>     [% Dumper.dump_html(windows) %]
>
> Less spaces:
>
>     [%- USE dumper(Indent=2,Varname='VAR') -%]
>     [%- MACRO dump(this) dumper.dump(this) | html | replace(" {4}"," ") -%]

Why ? HTML doesn't care ? Spaces make it easier to read :-)

That being said of course, I do remove spaces for non debug documents :-)

BTW. You can use 'FILTER' instead of doing it inline like above. That way you don't have to add '-' to each of your lines - this makes the Template a little more readable, and doesn't matter if you forget the '-'

Scooter

- -- 
Scott Penrose
VP in charge of Pancakes
http://linux.dd.com.au/
scottp@dd.com.au

Dismaimer: If you receive this email in error - please eat it immediately to prevent it from falling into the wrong hands.

Please do not send me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org

iD8DBQE/07kjDCFCcmAm26YRAnMYAKCWprsvjY5NFfLtMPgZP3sYO9n+BwCgk5ib
IWKb2c/c8wVALS/AES4dndA=
=G+He
-----END PGP SIGNATURE-----

From 240974 at email.com Mon Dec 8 07:18:48 2003
From: 240974 at email.com (240974@email.com)
Date: Wed Aug 4 00:03:10 2004
Subject: New Software 240974
Message-ID: <200312080518.hB85Ihj15935@mail.pm.org>

An HTML attachment was scrubbed...
URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031208/e951a79d/attachment.htm

From info at galeriamarketing.com Mon Dec 8 17:05:18 2003
From: info at galeriamarketing.com (Nuestra Franquicia)
Date: Wed Aug 4 00:03:10 2004
Subject: =?iso-8859-1?Q?Disponible_en_su_Pa=EDs?=
Message-ID: <2aa4e0114a93a844ffb008c1a9614417@mylinux.ep>

An HTML attachment was scrubbed...
URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031208/89c6d271/attachment.htm

From gerard at wiredless.org Thu Dec 11 00:54:38 2003
From: gerard at wiredless.org (Gerard)
Date: Wed Aug 4 00:03:10 2004
Subject: Problems with template toolkit and modperl
In-Reply-To: <2B57EBDC-2904-11D8-874B-003065B58CF8@dd.com.au>
References: <20031209140136.GA40125@mordor.wiredless.org> <2B57EBDC-2904-11D8-874B-003065B58CF8@dd.com.au>
Message-ID: <20031211065438.GA23807@mordor.wiredless.org>

> > Another thing where I have got stuck is when extra data is included by
> something else, thus overwriting your variable.
>

This seems to have been the problem, although nowhere in the data being passed to the template can I see the buttons data being overwritten. I simply renamed the buttons key to something else and it works! I was at one stage pulling something out of the database named 'buttons', but I have since completely removed that field, so I can't work out why it's conflicting still! At least it's now working..

> However I do have one suggestion which will help you debug it... Use
> Data Dumper in Template Toolkit.
>
>     [% USE Dumper %]
>     [% Dumper.dump_html(windows) %]

Very handy.. Thanks!

Gerard.

From scottp at dd.com.au Tue Dec 9 00:21:59 2003
From: scottp at dd.com.au (Scott Penrose)
Date: Wed Aug 4 00:03:10 2004
Subject: JOIN US FOR CHRISTMAS - Wednesday (Tomorrow) 6:30pm myinternet
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Dudes

Come one, come partners, come family and friends.

Come join in the Christmas fun at myinternet, Level 8, 14-20 Blackwood Street on the 10th of December 2003 at 6:30pm

Bring $10 each, bring soft drinks and snacks.

We will be:

 * Start with watching a low rated DVD (kiddies can watch)
 * Order Asian food, eat snacks and soft drink
 * Watch more 'advanced' DVDs

We will have disposable plates and cups and cutlery, along with water, coffee and tea.
We will order together some asian food, so you can order what you like with some stuff to share (rice etc) - should therefore be ok for most dietary needs. This is a night of fun and merryment. A big thank you to all perl mongers for joining in during the year - a special thanks to all those who did talks and contributions. And a break from what is going to be a busier schedule next year (there is already 4 events in planning, from a user group conference, talks to a major perl conference). Please come and join us. Scott - -- Scott Penrose Open source developer http://linux.dd.com.au/ scottp@dd.com.au Dismaimer: Open sauce usually ends up never coming out (of the bottle). Please do not send me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (Darwin) Comment: For info see http://www.gnupg.org iD8DBQE/1WoKDCFCcmAm26YRAvXXAJ45XPX9L9sRs5qFCOTUNGCjmyhgzgCgiPOy 7VmApNNn54V+BdY1QdUFz4w= =csiL -----END PGP SIGNATURE----- From Nathan.Bailey at its.monash.edu Tue Dec 9 14:50:35 2003 From: Nathan.Bailey at its.monash.edu (Nathan Bailey) Date: Wed Aug 4 00:03:10 2004 Subject: Mozilla (XUL/JS) development? Message-ID: <6729.1071003035@silas.cc.monash.edu.au> Does anyone know of any Mozilla development happening in Melbourne? Anyone with XUL/JS skills? thanks, N From leif.eriksen at hpa.com.au Sun Dec 14 05:09:25 2003 From: leif.eriksen at hpa.com.au (leif.eriksen@hpa.com.au) Date: Wed Aug 4 00:03:10 2004 Subject: Filter::Handle Issue in 5.8+ Message-ID: <3FDC44E5.5080903@hpa.com.au> OK, I described this issue last night before the film, but here is a more cogent version. Filter::Handle is a CPAN module that been around for yonks (2years +), and works well in 5.005 and 5.6, but seems broken in one aspect in 5.8+ Filter::Handle allows you to apply arbitrary filters to output filehandles. 
You can perform any sorts of transformations on the outgoing text: you can prepend it with some data, you can replace all instances of one word with another, etc.

Filter::Handle has 3 interfaces

1. OO
2. Functional
3. tie

example usage

    #!/usr/bin/perl -w
    use strict;
    use IO::File;
    use POSIX;
    use Filter::Handle qw/subs/;

    my $fname = 'captured.out';    # placeholder output file name
    my @captured;

    # IO::File->new opens the file; open() is an instance method
    my $fh = IO::File->new($fname, O_RDWR|O_CREAT|O_TRUNC)
        or die "a horrible death :: $!\n";

    # tie the handle itself (the glob), passing the real handle and the filter
    tie *$fh, 'Filter::Handle', $fh, sub { push @captured, @_; (); };

    # ... series of slow and expensive calls that populate @captured
    # ... series of quick adjustments to @captured rather than repeat slow calls

    untie *$fh;
    print $fh @captured;    # big dump
    exit 0;

This code intercepts all writes to $fh, placing them in @captured. When we have assembled everything, we write everything to the real file in one big and (hopefully) efficient print.

The problem is one of the test cases for Filter::Handle fails under 5.8+

    ## 3. Test Filter/UnFilter routines.
    my $out;
    Filter \*STDOUT, sub { $out = sprintf "%d: %s\n", 1, "@_"; () };
    print "Foo"; # FAILS !!!!
    UnFilter \*STDOUT;

The reason for the failure is a deeply recursive call inside Filter::Handle -

    package Filter::Handle;

    sub Filter {
        my $fh = $_[0];
        tie *{ $fh }, __PACKAGE__, @_;
    }

    sub PRINT {
        my $self = shift;
        my $fh = *{ $self->{fh} };
        print $fh $self->{output}->(@_); # FAILS HERE
    }

    *print = *PRINT;
    1;

The line marked 'FAILS HERE' is the problem.

Normally when you tie a variable, it is the variable that is the subject of the tie, not the value. So

    $scalar = 'text';
    tie $scalar, Module;

ties $scalar to Module, not 'text'. In the package that $scalar was tied to, accesses to $scalar's value result in normal function calls to Module, which (hopefully) implements the required tie scalar interface. Inside Module's namespace, accesses operate on the real value.

e.g.

    #!/usr/bin/perl -w
    package Module;
    sub TIESCALAR {bless \my $inner, shift;}
    sub FETCH {
        my $impl = shift;
        print "accessed value $$impl by ", (caller(1))[3], "\n";
        $$impl;
    }
    sub STORE {
        my $impl = shift;
        print 'set by ', (caller(1))[3], " to value ", $$impl = shift, "\n";
    }
    sub DESTROY {}
    1;

    package Run;
    sub run {
        tie my $tracked, Module;
        $tracked = 'here';
        print $tracked, "\n";
    }
    1;

    package main;
    Run::run();

    set by Run::run to value here
    accessed value here by Run::run
    here

Back to my problem

    package Filter::Handle;

    sub PRINT {
        my $self = shift;
        my $fh = *{ $self->{fh} };
        print $fh $self->{output}->(@_); # FAILS HERE
    }

For my problem, the $fh is not the real file handle but is the tied filehandle again, meaning PRINT() is called again (and again, and again...). This didn't used to happen in perl < 5.8. Why this happens and how to fix it are a mystery to me, but I hesitate to name it as a bug in 5.8+, because the people who wrote that are way smarter than I am...

Anybody want to give me a clue...

-- 
Leif Eriksen
Senior Analyst/Programmer
HPA
Direct: +61 3 9217 5545
Fax : +61 3 9217 5702
http://www.hpa.com.au/

**********************************************************************
IMPORTANT
The contents of this e-mail and its attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you received this e-mail in error, please notify the HPA Postmaster, postmaster@hpa.com.au, then delete the e-mail.

This footnote also confirms that this e-mail message has been swept for the presence of computer viruses by MimeSweeper. Before opening or using any attachments, check them for viruses and defects.

Our liability is limited to resupplying any affected attachments.

HPA collects personal information to provide and market our services.
For more information about use, disclosure and access see our Privacy Policy at www.hpa.com.au
**********************************************************************

From simon at unisolve.com.au Thu Dec 11 19:08:57 2003
From: simon at unisolve.com.au (Simon Taylor)
Date: Wed Aug 4 00:03:10 2004
Subject: Filter::Handle Issue in 5.8+
In-Reply-To: <3FDC44E5.5080903@hpa.com.au>
References: <3FDC44E5.5080903@hpa.com.au>
Message-ID: <200312121208.57883.simon@unisolve.com.au>

Hello Leif,

> For my problem, the $fh is not the real file handle but is the tied
> filehandle again, meaning PRINT() is called again (and again, and
> again...). This didn't used to happen in perl < 5.8. Why this happens
> and how to fix it are a mystery to me, but I hesitate to name it as a
> bug in 5.8+, because the people who wrote that are way smarter than I am...
>
> Anybody want to give me a clue...

Well {bless \my $inner, shift;}, what a well-documented problem report!

Do either of these URLs help?

1. "Tied methods like FETCH etc. may now safely access tied values, i.e. resulting in a recursive call to FETCH etc. Remember to break the recursion, though."
   at http://use.perl.org/articles/03/09/26/2231256.shtml?tid=6

or....

2. "A change to self-tying of globs has caused them to be recursively referenced (see: Two-Phased Garbage Collection in the perlobj manpage). You will now need an explicit untie to destroy a self-tied glob. This behaviour may be fixed at a later date."
   at http://www.perlpod.com/5.8.0/perldelta.html#selftying%20problems

Good luck tracking this down.

Regards, Simon -- Unisolve Pty Ltd - Melbourne, Australia +61 3 9568 2005 From leif.eriksen at hpa.com.au Mon Dec 15 02:52:09 2003 From: leif.eriksen at hpa.com.au (leif.eriksen@hpa.com.au) Date: Wed Aug 4 00:03:10 2004 Subject: Filter::Handle Issue in 5.8+ In-Reply-To: <200312121208.57883.simon@unisolve.com.au> References: <3FDC44E5.5080903@hpa.com.au> <200312121208.57883.simon@unisolve.com.au> Message-ID: <3FDD7639.8020904@hpa.com.au> An HTML attachment was scrubbed... URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031215/631b0d48/attachment.htm From ajsavige at yahoo.com.au Fri Dec 12 00:31:21 2003 From: ajsavige at yahoo.com.au (=?iso-8859-1?q?Andrew=20Savige?=) Date: Wed Aug 4 00:03:10 2004 Subject: perl training road map Message-ID: <20031212063121.54700.qmail@web10906.mail.yahoo.com> IIRC, Nathan asked a while back about something like this: http://nntp.x.perl.org/group/perl.trainers/518 /-\ http://personals.yahoo.com.au - Yahoo! Personals New people, new possibilities. FREE for a limited time. From q107okm at charterinternet.com Fri Dec 12 21:12:51 2003 From: q107okm at charterinternet.com (Lessie Wade) Date: Wed Aug 4 00:03:10 2004 Subject: Have you found the best Life Insurance Policy? qfkkucg Message-ID: An HTML attachment was scrubbed... URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031212/b1209d21/attachment.htm From gcross at alphalink.com.au Sat Dec 13 03:36:15 2003 From: gcross at alphalink.com.au (Graeme Cross) Date: Wed Aug 4 00:03:10 2004 Subject: Cheap tech books at Collins Message-ID: <200312132036.15875.gcross@alphalink.com.au> if you haven't heard, the Collins bookshop at the top end of Swanston St (opposite RMIT) is closing down. They have an "end of lease" 30% off everything sale at the moment; lots of programming books (O'Reilly, Wrox, Addison Wesley, etc), so if you were thinking of buying computer books, they would be worth checking out. 
Cheers Graeme Obdisclaimer: I have no association with Collins, except for the fact that I have bought too many books from them over the years :) PS: If you are a veracious consumer of computer books, check out the O'Reilly Safari online book library. It's cheap and very very useful. My book expenditure has dropped dramatically but I'm reading more books and now only buying the ones I really need in dead-tree tree. -- Graeme Cross From ian at all.info Sat Dec 13 03:54:53 2003 From: ian at all.info (Ian Lenzen) Date: Wed Aug 4 00:03:10 2004 Subject: Internet Organizations listing Message-ID: <7248640.1071309293442.JavaMail.jwu@atlas> We are editing the Internet Organizations section of all.info and would like to include your web site: http://melbourne.pm.org/ The all.info search directory addresses the issue of site credibility. Web site producers are an integral part of all.info. As a site contact, your input is essential in helping our users better find and evaluate your website. To update or simply to verify your site's listing, please click this link to access your record: http://all.info/s?a=l&z=28evbve05v7330jl5ylfvw&x=melbourne-pm%40pm.org More information about all.info and examples of how producer data is displayed on our site is available at: http://www.all.info Thanks in advance. Ian Lenzen Editor, all.info Note: You may use the link below to indicate that you are NOT the proper site contact or to provide a corrected site contact: http://all.info/s?a=nl&z=28evbve05v7330jl5ylfvw&x=melbourne-pm%40pm.org If you have questions, please email: priority@all.info From mjs at beebo.org Sat Dec 13 10:06:32 2003 From: mjs at beebo.org (Michael Stillwell) Date: Wed Aug 4 00:03:10 2004 Subject: cpan source discovery Message-ID: <52822.202.156.160.55.1071331592.squirrel@bund.com.au> I discovered today that "http://cpan.org/" works as a "source" for cpan (the perl -MCPAN -e shell one). (After a whole swag of ftp ones failed--presumably because of firewall problems.) 
Quite fast, too.

--M.

--
http://beebo.org

From david_dick at iprimus.com.au Thu Dec 25 02:00:24 2003
From: david_dick at iprimus.com.au (David Dick)
Date: Wed Aug 4 00:03:10 2004
Subject: Test-suite for a password protected website
In-Reply-To: <6729.1071003035@silas.cc.monash.edu.au>
References: <6729.1071003035@silas.cc.monash.edu.au>
Message-ID: <3FEA9918.9030700@iprimus.com.au>

Interesting problem that i have encountered.

If i have the time, it's good to be able to automatically and quickly validate a system's integrity by having an automated test suite (using something like Test::Harness, etc). However, from a security viewpoint, how do people cope with username / passwords. I seem to have hit a bit of a roadblock, in that i can test the business logic of a system easily, but to be able to say

ok($response->code() eq '200', "My password protected web page is operational");

i think i need to either

1) embed a valid username / password into the test script.

This seems just awful, more so if i want to package something up and release it

2) store my passwords in a decryptable format and decrypt a suitable one when the time comes

This seems a bit better but where do i store the decryption keys, and how secure is a system that you can decrypt passwords anyway?

3) prompt for the username / password when the script runs

This of course makes it impossible to run without human intervention (or Expect, in which case we have returned to 1.)

4) disable username / password requirements during testing

Fine, except for a live environment

Personally i think option 3 is the best compromise i can think of, as it does not require any passwords to be included in the test-suite or accessible from the test suite and if automation is desired then you can use Expect.

Has anyone come up with a cool way of cracking this particular nut, or is it an area that just requires tradeoffs?
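One way to handle the problem posed in the message above, as an added example that is not code from any poster on this list: keep the secret in a file that only the test user can read, give the suite nothing but the path to that file, and skip the authenticated tests when no usable file is configured. The load_credentials helper, the TEST_CRED_FILE variable name and the sample credentials are assumptions constructed for the example, and the permission checks assume a Unix-like system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);
use Test::More;

# Hypothetical helper: read "username:password" from $path.
# The file is opened first and every check is made on the open handle,
# so the file cannot be swapped between the check and the read.
sub load_credentials {
    my ($path) = @_;
    open my $fh, '<', $path
        or return { ok => 0, reason => "cannot open $path: $!" };
    my @st = stat $fh;
    return { ok => 0, reason => "cannot stat $path: $!" } unless @st;
    my ($mode, $uid) = @st[2, 4];
    return { ok => 0, reason => 'not a regular file' }
        unless S_ISREG($mode);
    return { ok => 0, reason => 'not owned by the user running the tests' }
        unless $uid == $>;
    return { ok => 0,
             reason => sprintf('mode %04o allows group/other access',
                               S_IMODE($mode)) }
        if $mode & 077;
    my $line = <$fh>;
    close $fh;
    return { ok => 0, reason => 'file is empty' } unless defined $line;
    $line =~ s/\r?\n\z//;
    my ($user, $pass) = split /:/, $line, 2;
    return { ok => 0, reason => 'expected username:password' }
        unless defined $pass && length $user && length $pass;
    return { ok => 1, user => $user, pass => $pass };
}

# Constructed sample data: a throwaway file with made-up credentials.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "testuser:not-a-real-password\n";
close $tmp_fh;

chmod 0600, $tmp_path or die "chmod: $!";
my $good = load_credentials($tmp_path);
ok($good->{ok}, 'private file is accepted');
is($good->{user}, 'testuser', 'username parsed');

chmod 0644, $tmp_path or die "chmod: $!";
my $bad = load_credentials($tmp_path);
ok(!$bad->{ok}, 'group/world-readable file is refused');
like($bad->{reason}, qr{group/other}, 'refusal names the reason');

# How a packaged suite would use it. TEST_CRED_FILE (hypothetical name)
# carries only a path, so no secret is placed in the environment, and a
# user who never sets it sees skipped tests rather than failures.
SKIP: {
    my $file = $ENV{TEST_CRED_FILE};
    skip 'TEST_CRED_FILE not set, authenticated tests skipped', 1
        unless defined $file;
    my $cred = load_credentials($file);
    skip "credentials rejected: $cred->{reason}", 1 unless $cred->{ok};
    # The real suite would log in here with $cred->{user} and $cred->{pass}.
    ok(1, 'credentials available for authenticated tests');
}

done_testing();
```

The secret is still stored in the clear on the test machine, so anyone who can read files as the test user, or as root, can read it; the file checks only narrow who that is.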
From joshua at roughtrade.net Thu Dec 25 04:21:18 2003
From: joshua at roughtrade.net (Joshua Goodall)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FEA9918.9030700@iprimus.com.au>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au>
Message-ID: <20031225102118.GB3150@roughtrade.net>

On Thu, Dec 25, 2003 at 07:00:24PM +1100, David Dick wrote:
> 1) embed a valid username / password into the test script.
>
> This seems just awful, more so if i want to package something up and
> release it
>
> 2) store my passwords in a decryptable format and decrypt a suitable one
> when the time comes
>
> This seems a bit better but where do i store the decryption keys, and
> how secure is a system that you can decrypt passwords anyway?
>
> 3) prompt for the username / password when the script runs
>
> This of course makes it impossible to run without human intervention (or
> Expect, in which case we have returned to 1.)
>
> 4) disable username / password requirements during testing
>
> Fine, except for a live environment

You can't test a shared secret without sharing the secret.

2) and 3) are your practical choices. There's no answer to "where shall I store the decryption keys", because you haven't disclosed your network topology or the type of encryption available to you. If PGP, then the answer of course is "in a keyring", and the private key must be available to the testing agent.

(3) is only practical if your operational model is hands-on, and you trust the human enough.
If you're really concerned about having to store that shared secret, you could always restrict its validity to the source address of the testing agent.

Ultimately, you're going to have to share the secret with the test agent somehow, or sidestep that with some other authentication method (e.g. X509).

- J

--
Joshua Goodall "tea makes itself"
joshua@roughtrade.net - Ana Susanj

From leif.eriksen at hpa.com.au Mon Dec 29 16:51:26 2003
From: leif.eriksen at hpa.com.au (leif.eriksen@hpa.com.au)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FEA9918.9030700@iprimus.com.au>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au>
Message-ID: <3FF0AFEE.9030506@hpa.com.au>

Another option that is 'somewhat' secure is to set the username and password in environmental variables, if you are using an OS that supports that concept, and you are testing in a way that supports reading your environment.

The env vars have a lifetime of the shell you created them in (and any subshells you may have spawned, if you EXPORT them - if your shell supports that concept). So once defined, you can test all day if the shell lives that long.

Have the Test::Harness scripts get the values from the env vars using the %ENV hash.

use Env qw(USERNAME PASSWORD);
...
if (login($ENV{USERNAME}, $ENV{PASSWORD})) {
    ok(some_test, some_result);
    ...
}
...
If you avoid the temptation of putting them in your .login/.localrc/.bashrc/, but just define them before you start testing, you have values that last until the shell is exited from, local to your shell and not readily readable by casual system hacker - unless you walk away from your console...

Leif

David Dick wrote:

> Interesting problem that i have encountered.
> If i have the time, it's good to be able to automatically and quickly
> validate a system's integrity by having an automated test suite (using
> something like Test::Harness, etc). However, from a security
> viewpoint, how do people cope with username / passwords. I seem to
> have hit a bit of a roadblock, in that i can test the business logic
> of a system easily, but to be able to say
>
> ok($response->code() eq '200', "My password protected web page is
> operational");
>
> i think i need to either
>
> 1) embed a valid username / password into the test script.
>
> This seems just awful, more so if i want to package something up and
> release it
>
> 2) store my passwords in a decryptable format and decrypt a suitable
> one when the time comes
>
> This seems a bit better but where do i store the decryption keys, and
> how secure is a system that you can decrypt passwords anyway?
>
> 3) prompt for the username / password when the script runs
>
> This of course makes it impossible to run without human intervention
> (or Expect, in which case we have returned to 1.)
>
> 4) disable username / password requirements during testing
>
> Fine, except for a live environment
>
> Personally i think option 3 is the best compromise i can think of, as
> it does not require any passwords to be included in the test-suite or
> accessible from the test suite and if automation is desired then you
> can use Expect.
>
> Has anyone come up with a cool way of cracking this particular nut, or
> is it an area that just requires tradeoffs?
--
Leif Eriksen
Senior Analyst/Programmer
HPA
Direct: +61 3 9217 5545
Fax : +61 3 9217 5702
http://www.hpa.com.au/

**********************************************************************
IMPORTANT
The contents of this e-mail and its attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you received this e-mail in error, please notify the HPA Postmaster, postmaster@hpa.com.au, then delete the e-mail. This footnote also confirms that this e-mail message has been swept for the presence of computer viruses by MimeSweeper. Before opening or using any attachments, check them for viruses and defects. Our liability is limited to resupplying any affected attachments. HPA collects personal information to provide and market our services. For more information about use, disclosure and access see our Privacy Policy at www.hpa.com.au
**********************************************************************

From joshua at roughtrade.net Sun Dec 28 19:58:39 2003
From: joshua at roughtrade.net (Joshua Goodall)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FF0AFEE.9030506@hpa.com.au>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au>
Message-ID: <20031229015839.GF3150@roughtrade.net>

On Tue, Dec 30, 2003 at 09:51:26AM +1100, leif.eriksen@hpa.com.au wrote:
> Another option that is 'somewhat' secure is to set the username and
> password in environmental variables, if you are using an OS that
> supports that concept, and you are testing in a way that supports
> reading your environment.

You should only do this if you are 100% certain that "ps wwex" or equivalent on your particular platform and all possible target platforms does NOT provide a handy dump of the environment table for all and sundry.

Otherwise you've just proposed a classic, almost a traditional security blunder.

- Joshua.
--
Joshua Goodall "as modern as tomorrow afternoon"
joshua@roughtrade.net - FW109
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://mail.pm.org/archives/melbourne-pm/attachments/20031229/081ccb03/attachment.bin

From leif.eriksen at hpa.com.au Mon Dec 29 20:21:53 2003
From: leif.eriksen at hpa.com.au (leif.eriksen@hpa.com.au)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <20031229015839.GF3150@roughtrade.net>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au> <20031229015839.GF3150@roughtrade.net>
Message-ID: <3FF0E141.4090004@hpa.com.au>

An HTML attachment was scrubbed...
URL: http://mail.pm.org/archives/melbourne-pm/attachments/20031230/c232f220/attachment.htm

From mjs at beebo.org Sun Dec 28 23:13:38 2003
From: mjs at beebo.org (Michael Stillwell)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FEA9918.9030700@iprimus.com.au>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au>
Message-ID: <1534.219.93.184.118.1072674818.squirrel@bund.com.au>

David Dick said:
> Interesting problem that i have encountered.
>
> If i have the time, it's good to be able to automatically and
> quickly
> validate a system's integrity by having an automated test suite
> (using
> something like Test::Harness, etc). However, from a security
> viewpoint,
> how do people cope with username / passwords.

Whenever I need to do this I put my username, password, and database connection string in files called USERNAME, PASSWORD and DATABASE. (In the form "q{name}", which can be read nicely with $username = do "USERNAME".)
Not perfect (see other messages), but it does make clear the fact that usernames and passwords are embedded into the scripts, as well as where to go if the password changes.

--M.

--
http://beebo.org

From daniel at rimspace.net Sun Dec 28 23:34:28 2003
From: daniel at rimspace.net (Daniel Pittman)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FF0E141.4090004@hpa.com.au> (leif eriksen's message of "Tue, 30 Dec 2003 13:21:53 +1100")
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au> <20031229015839.GF3150@roughtrade.net> <3FF0E141.4090004@hpa.com.au>
Message-ID: <87u13kdw63.fsf@enki.rimspace.net>

On Tue, 30 Dec 2003, leif eriksen wrote:
> well, that assumes a lot of things
>
> 1. The wily hax0r has obtained shell access to your test machine (that is
> the target platform as this is a local test script, not a CPAN module) -
> which is hopefully behind your firewall.

Most reports from CERT and the like suggest that the biggest risk for your systems is internal, not external, attacks. :)

> 2. If they get that far, they'll probably go for your production servers
> before your test boxes first. This gives us time to kill the shell with
> these env vars defined, or undefine them.

...or be a staff member (or student, or...) who now has access to the otherwise protected data owned by your company or institution.

Much as you probably like and trust your coworkers, they are still the biggest security risk your organization faces, and shouldn't be discounted when doing security analysis.

Daniel

--
Men will always be mad, and those who think they can cure them are the maddest of all.
-- Voltaire

From david_dick at iprimus.com.au Mon Dec 29 01:27:49 2003
From: david_dick at iprimus.com.au (David Dick)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <20031229015839.GF3150@roughtrade.net>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au> <20031229015839.GF3150@roughtrade.net>
Message-ID: <3FEFD775.8050105@iprimus.com.au>

Joshua Goodall wrote:

>On Tue, Dec 30, 2003 at 09:51:26AM +1100, leif.eriksen@hpa.com.au wrote:
>
>
>>Another option that is 'somewhat' secure is to set the username and
>>password in environmental variables, if you are using an OS that
>>supports that concept, and you are testing in a way that supports
>>reading your environment.
>>
>>
>
>You should only do this if you are 100% certain that "ps wwex" or
>equivalent on your particular platform and all possible target
>platforms does NOT provide a handy dump of the environment table
>for all and sundry.
>
>Otherwise you've just proposed a classic, almost a traditional
>security blunder.
>
>
>

True, but in the context that i originally asked the question, i still think it's a really good idea. The problem is how to have a test-suite and package it up for customers without hard-coding a secret, or a path to the secret in the test-suite. From the perspective of simply giving the solution to the user, and letting them decide policy, it's really good. If the user wants to run the test-suite automatically every 5 mins, they can do so with a minimum of fuss (and they have to accept that a local user with sufficient privileges can compromise the secret). If they just want to run the test-suite once after installation, or after the code changes, they can do that with a minimum of fuss and much less risk. If they are completely unaware of the test-suite, no harm will come to them. So for me, a very acceptable compromise, thank you Mr Eriksen.
only problem is that i feel like an idiot for not thinking of it myself. :)

From joshua at roughtrade.net Mon Dec 29 05:36:39 2003
From: joshua at roughtrade.net (Joshua Goodall)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <3FEFD775.8050105@iprimus.com.au>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au> <20031229015839.GF3150@roughtrade.net> <3FEFD775.8050105@iprimus.com.au>
Message-ID: <20031229113639.GG3150@roughtrade.net>

On Mon, Dec 29, 2003 at 06:27:49PM +1100, David Dick wrote:
> If they are completely unaware of the
> test-suite, no harm will come to them. So for me, a very acceptable
> compromise, thank you Mr Eriksen. only problem is that i feel like an
> idiot for not thinking of it myself. :)

Using code that represents a well-known security error cannot be recommended without major, major caveats about usage.

For example, Leif - there have been plenty of application vulnerabilities that have allowed people to run commands like "ps" *without* obtaining shell access, as you've erroneously assumed. Very few of them would be stopped by a firewall, and I expect there will be more in future.

I have discovered such vulnerabilities during audits of commercial software (a memorable case was an unsafe use of "ls" in a commercial ftp server).

The rest of the "gives us more time" items you've listed seem like pretty trivial barriers in these days where real black-hats can and do write invasive kernel modules (c.f. recent Debian compromise).
So David - please don't ever pass a password you care about via an environment variable.

- J

--
Joshua Goodall "as modern as tomorrow afternoon"
joshua@roughtrade.net - FW109
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://mail.pm.org/archives/melbourne-pm/attachments/20031229/32161fa1/attachment.bin

From david_dick at iprimus.com.au Mon Dec 29 14:37:12 2003
From: david_dick at iprimus.com.au (David Dick)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <20031229113639.GG3150@roughtrade.net>
References: <6729.1071003035@silas.cc.monash.edu.au> <3FEA9918.9030700@iprimus.com.au> <3FF0AFEE.9030506@hpa.com.au> <20031229015839.GF3150@roughtrade.net> <3FEFD775.8050105@iprimus.com.au> <20031229113639.GG3150@roughtrade.net>
Message-ID: <3FF09078.6030800@iprimus.com.au>

Joshua Goodall wrote:

>Using code that represents a well-known security error cannot be recommended
>without major, major caveats about usage.
>
>For example, Leif - there have been plenty of application vulnerabilities
>that have allowed people to run commands like "ps" *without* obtaining
>shell access, as you've erroneously assumed. Very few of them would
>be stopped by a firewall, and I expect there will be more in future.
>
>I have discovered such vulnerabilities during audits of commercial
>software (a memorable case was an unsafe use of "ls" in a commercial
>ftp server).
>
>The rest of the "gives us more time" items you've listed seem like
>pretty trivial barriers in these days where real black-hats can and
>do write invasive kernel modules (c.f. recent Debian compromise).
>
>So David - please don't ever pass a password you care about via
>an environment variable.
>
>- J
>
>
>

The problem is to allow automated as well as normal running of a program if the user desires it.
For a test-suite, both of these cases seem highly desirable. Automated execution means the access method needs to be written in the clear somewhere. Whatever method is chosen for automated testing, the game is over in milliseconds of the box being compromised.

Additionally, while reading from stdin is as secure as it is possible to get (afaik), to automate it, it requires the user to be well versed in Expect. Most programmers (not perl programmers of course ;)) have no idea even how to use Expect, let alone users.

Thinking a bit more about it, it's not even as simple as that (you could generate the test suite at "make" time for the user). A typical perl test-suite runs the main (Test::Harness) process which kicks off x number of test scripts and reads the results from them. To pass input to the test script as well as reading output from it would require Expect (or equivalent 'orrible code) to be hacked into Test::Harness (or more specifically Test::Harness::Straps) as well. So you have Expect kicking off the Test::Harness process, which then uses Expect itself to handle the sub-processes. Very ugly. It opens up the problem of how to test the test-suite actually even works at all on the box you are deploying on. To the innocent user, it may seem as if the code has failed to build correctly.

From wayland at smartchat.net.au Tue Dec 30 04:58:56 2003
From: wayland at smartchat.net.au (Timothy S. Nelson)
Date: Wed Aug 4 00:03:11 2004
Subject: Test-suite for a password protected website
In-Reply-To: <1534.219.93.184.118.1072674818.squirrel@bund.com.au>
Message-ID:

On Mon, 29 Dec 2003, Michael Stillwell wrote:

> David Dick said:
> > Interesting problem that i have encountered.
> >
> > If i have the time, it's good to be able to automatically and
> > quickly
> > validate a system's integrity by having an automated test suite
> > (using
> > something like Test::Harness, etc). However, from a security
> > viewpoint,
> > how do people cope with username / passwords.
>
> Whenever I need to do this I put my username, password, and
> database connection string in files called USERNAME, PASSWORD
> and DATABASE. (In the form "q{name}", which can be read nicely
> with $username = do "USERNAME".)

Wouldn't the best thing to do be to run the test process as a separate user (chroot?), and make this a file in /etc/ with only permissions for that user? Or if you're using Linux, maybe consider using the 2.6 kernel with its more finely-grained security controls?

If I was doing it myself, I'd be doing some reading attempting to discover why the ideas above are bad, but this time I'll just send in the ideas and see what happens.

:)

---------------------------------------------------------------------
| Name: Tim Nelson | Because the Creator is, |
| E-mail: wayland@smartchat.net.au | I am |
---------------------------------------------------------------------

----BEGIN GEEK CODE BLOCK----
Version 3.12
GCS d+ s:- a- C++>++++$ U++ P++ L++ E- W+++ N+ w>--- V- Y+>++ PGP->++ R !tv b++ DI++++ D+ G e++>++++ h! y-
-----END GEEK CODE BLOCK-----