From mcli at brc.ubc.ca  Mon Dec  5 16:05:11 2005
From: mcli at brc.ubc.ca (Vincent Li)
Date: Mon, 5 Dec 2005 16:05:11 -0800 (PST)
Subject: [Van-pm] CGI taint mode
Message-ID: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>

Hello Vancouver PM:

I read about Lincoln Stein's WWW Security FAQ. I am testing a sample
upload.pl. I turned on taint mode and did the taint check as follows:

---------
35     if ($file =~ /^([-\@\w.]+)$/) {
36         $file = $1;
37     }
38     else {
39         error("invalid filename: $file");
40     }
41
42     print h2('File name'),$file;
43     print h2('File MIME type'),
44           uploadInfo($file)->{'Content-Type'};
----------

The script always gives me the error

Software error:
Can't use an undefined value as a HASH reference at test line 43.

The full upload script is:

-----------
 1 #!/usr/bin/perl -wT
 2 #file: upload.pl
 3
 4 $| = 1;
 5 use strict;
 6 use CGI qw/:standard/;
 7 use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
 8 use Fcntl qw( :DEFAULT :flock );
 9 use Readonly;
10
11 $CGI::POST_MAX=1024 * 100;
12 $CGI::DISABLE_UPLOADS=0;
13 $ENV{PATH}='/usr/bin:/bin';   # PATH entries are colon-separated
14
15 Readonly my $UPLOAD_DIR => q[/var/www/apache2-default/upload];
16
17 print header,
18       start_html('file upload'),
19       h1('file upload');
20 print_form() unless param;
21 print_results() if param;
22 print end_html;
23
24 sub print_form {
25     print start_multipart_form(),
26           filefield(-name=>'upload',-size=>60),br,
27           submit(-label=>'Upload File'),
28           end_form;
29 }
30
31 sub print_results {
32     my $length;
33     my $file = param('upload');
34
35     if ($file =~ /^([-\@\w.]+)$/) {
36         $file = $1;
37     }
38     else {
39         error("invalid filename: $file");
40     }
41
42     print h2('File name'),$file;
43     print h2('File MIME type'),
44           uploadInfo($file)->{'Content-Type'};
45
46     sysopen(my $OUT, "$UPLOAD_DIR/$file", O_WRONLY|O_TRUNC|O_CREAT, 0600)
47         or error( " Could not create: $!");
48
49     while (<$file>) {
50         print $OUT $_;
51     }
52 }
53
54 sub error {
55     my ($reason ) = @_;
56
57     print header,     # note: a header was already sent by the main flow above
58           start_html( "Error" ),
59           h1( "Error" ),
60           p( "Your upload was not processed because the following error ",
61              "occurred: " ),
62           p (i( $reason ) ),
63           end_html;
64     exit;
65 }
----------------

Thanks in advance!!!

--
Vincent Li
System Admin, UBC
http://mcli.homelinux.org:8080

From stas at stason.org  Mon Dec  5 18:43:09 2005
From: stas at stason.org (Stas Bekman)
Date: Mon, 05 Dec 2005 18:43:09 -0800
Subject: [Van-pm] CGI taint mode
In-Reply-To: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
Message-ID: <4394FABD.90602@stason.org>

Vincent Li wrote:
> Hello Vancouver PM:
>
> I read about Lincoln Stein's WWW Security FAQ. I am testing a sample
> upload.pl. I turned on taint mode and did the taint check as follows:
>
> ---------
> 35     if ($file =~ /^([-\@\w.]+)$/) {
> 36         $file = $1;
> 37     }
> 38     else {
> 39         error("invalid filename: $file");
> 40     }
> 41

add:

  warn "Trying to upload file: $file\n";

before and after the above chunk and check error_log to make sure it's
there; it sounds like $file is undef in your case.

> 42     print h2('File name'),$file;
> 43     print h2('File MIME type'),
> 44           uploadInfo($file)->{'Content-Type'};
> ----------
>
> The script always gives me the error
>
> Software error:
> Can't use an undefined value as a HASH reference at test line 43.

The line reporter is often skewed, so most likely it talks about line 44 in
your code, if that's what's confusing you, Vincent.
--
_____________________________________________________________
Stas Bekman            mailto:stas at stason.org  http://stason.org/
MailChannels: Assured Messaging(TM)    http://mailchannels.com/
The "Practical mod_perl" book          http://modperlbook.org/
http://perl.apache.org/   http://perl.org/   http://logilune.com/

From mcli at brc.ubc.ca  Tue Dec  6 11:31:07 2005
From: mcli at brc.ubc.ca (Vincent Li)
Date: Tue, 6 Dec 2005 11:31:07 -0800 (PST)
Subject: [Van-pm] CGI taint mode
In-Reply-To: <4394FABD.90602@stason.org>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
Message-ID: <51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>

> Vincent Li wrote:
>> Hello Vancouver PM:
>>
>> I read about Lincoln Stein's WWW Security FAQ. I am testing a sample
>> upload.pl. I turned on taint mode and did the taint check as follows:
>>
>> ---------
>> 35     if ($file =~ /^([-\@\w.]+)$/) {
>> 36         $file = $1;
>> 37     }
>> 38     else {
>> 39         error("invalid filename: $file");
>> 40     }
>> 41
>
> add:
>
>   warn "Trying to upload file: $file\n";
>
> before and after the above chunk and check error_log to make sure it's
> there; it sounds like $file is undef in your case.
>

I put your line after the chunk; error_log shows:

[Tue Dec 6 11:18:31 2005] test: Use of uninitialized value in hash element at (eval 31) line 3.
[Tue Dec 6 11:18:31 2005] test: Can't use an undefined value as a HASH reference at test line 43.

>> 42     print h2('File name'),$file;

What confuses me is that line 42 prints out the filename in the browser, so
my guess is that $file is defined.

>> 43     print h2('File MIME type'),
>> 44           uploadInfo($file)->{'Content-Type'};

But on line 44 the uploadInfo function sees $file as undefined. Lines 42 and
44 are in the same scope; I don't understand why lines 42 and 44 see $file
differently.

>> ----------
>>
>> The script always gives me the error
>>
>> Software error:
>> Can't use an undefined value as a HASH reference at test line 43.
>
> The line reporter is often skewed, so most likely it talks about line 44 in
> your code, if that's what's confusing you, Vincent.
>
> --
> _____________________________________________________________
> Stas Bekman            mailto:stas at stason.org  http://stason.org/
> MailChannels: Assured Messaging(TM)    http://mailchannels.com/
> The "Practical mod_perl" book          http://modperlbook.org/
> http://perl.apache.org/   http://perl.org/   http://logilune.com/

Thanks Stas.

--
Vincent Li
System Admin, UBC
http://mcli.homelinux.org:8080

From stas at stason.org  Tue Dec  6 11:52:57 2005
From: stas at stason.org (Stas Bekman)
Date: Tue, 06 Dec 2005 11:52:57 -0800
Subject: [Van-pm] CGI taint mode
In-Reply-To: <51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
	<51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
Message-ID: <4395EC19.6000700@stason.org>

Vincent Li wrote:
[...]
>>> 43     print h2('File MIME type'),
>>> 44           uploadInfo($file)->{'Content-Type'};
>
>
> But on line 44 the uploadInfo function sees $file as undefined. Lines 42 and
> 44 are in the same scope; I don't understand why lines 42 and 44 see $file
> differently.

It doesn't see it as undefined. It just doesn't find that file, and
uploadInfo($file) returns undef.
So you need to write it as:

  if (my $info = uploadInfo($file)) {
      print $info->{'Content-Type'};
  }
  else {
      warn "can't find $file";
  }

--
_____________________________________________________________
Stas Bekman            mailto:stas at stason.org  http://stason.org/
MailChannels: Assured Messaging(TM)    http://mailchannels.com/
The "Practical mod_perl" book          http://modperlbook.org/
http://perl.apache.org/   http://perl.org/   http://logilune.com/

From mcli at brc.ubc.ca  Tue Dec  6 14:07:53 2005
From: mcli at brc.ubc.ca (Vincent Li)
Date: Tue, 6 Dec 2005 14:07:53 -0800 (PST)
Subject: [Van-pm] CGI taint mode
In-Reply-To: <4395EC19.6000700@stason.org>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
	<51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
	<4395EC19.6000700@stason.org>
Message-ID: <52661.137.82.2.58.1133906873.squirrel@sparc.brc.ubc.ca>

> Vincent Li wrote:
> [...]
>>>> 43     print h2('File MIME type'),
>>>> 44           uploadInfo($file)->{'Content-Type'};
>>
>>
>> But on line 44 the uploadInfo function sees $file as undefined. Lines 42
>> and 44 are in the same scope; I don't understand why lines 42 and 44 see
>> $file differently.
>
> It doesn't see it as undefined. It just doesn't find that file, and
> uploadInfo($file) returns undef. So you need to write it as:
>
>
>   if (my $info = uploadInfo($file)) {
>       print $info->{'Content-Type'};
>   }
>   else {
>       warn "can't find $file";
>   }

Now I understand. I rewrote the script as you said, and it gives me "Global
symbol "$info" requires explicit package name....". I changed it to

  my $info = uploadInfo($file);
  if ($info) {
      print $info->{'Content-Type'};
  }
  else {
      warn "can't find $file";
  }

Then no error is reported, but there is nothing wrong with your declaration
of $info. In error_log, it did say the file could not be found. What reason
causes the file not to be found?
--
Vincent Li
System Admin, UBC
http://mcli.homelinux.org:8080

From stas at stason.org  Tue Dec  6 15:28:38 2005
From: stas at stason.org (Stas Bekman)
Date: Tue, 06 Dec 2005 15:28:38 -0800
Subject: [Van-pm] CGI taint mode
In-Reply-To: <52661.137.82.2.58.1133906873.squirrel@sparc.brc.ubc.ca>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
	<51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
	<4395EC19.6000700@stason.org>
	<52661.137.82.2.58.1133906873.squirrel@sparc.brc.ubc.ca>
Message-ID: <43961EA6.50609@stason.org>

Vincent Li wrote:
[...]
> Now I understand. I rewrote the script as you said, and it gives me "Global
> symbol "$info" requires explicit package name....". I changed it to
>
>   my $info = uploadInfo($file);
>   if ($info) {
>       print $info->{'Content-Type'};
>   }
>   else {
>       warn "can't find $file";
>   }
>
> Then no error is reported, but there is nothing wrong with your declaration
> of $info. In error_log, it did say the file could not be found. What reason
> causes the file not to be found?

I don't know. Check the guts of uploadInfo?

--
_____________________________________________________________
Stas Bekman            mailto:stas at stason.org  http://stason.org/
MailChannels: Assured Messaging(TM)    http://mailchannels.com/
The "Practical mod_perl" book          http://modperlbook.org/
http://perl.apache.org/   http://perl.org/   http://logilune.com/

From mcli at brc.ubc.ca  Tue Dec  6 16:16:19 2005
From: mcli at brc.ubc.ca (Vincent Li)
Date: Tue, 6 Dec 2005 16:16:19 -0800 (PST)
Subject: [Van-pm] CGI taint mode
In-Reply-To: <43961EA6.50609@stason.org>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
	<51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
	<4395EC19.6000700@stason.org>
	<52661.137.82.2.58.1133906873.squirrel@sparc.brc.ubc.ca>
	<43961EA6.50609@stason.org>
Message-ID: <49644.142.103.92.226.1133914579.squirrel@sparc.brc.ubc.ca>

> Vincent Li wrote:
> [...]
>> Now I understand. I rewrote the script as you said, and it gives me "Global
>> symbol "$info" requires explicit package name....". I changed it to
>>
>>   my $info = uploadInfo($file);
>>   if ($info) {
>>       print $info->{'Content-Type'};
>>   }
>>   else {
>>       warn "can't find $file";
>>   }
>>
>> Then no error is reported, but there is nothing wrong with your declaration
>> of $info. In error_log, it did say the file could not be found. What reason
>> causes the file not to be found?
>
> I don't know. Check the guts of uploadInfo?

It must be that my untaint regular expression did something wrong that
uploadInfo does not like:

  my $file = param('upload');
  if ($file =~ /^([-\@\w.]+)$/) {
      $file = $1;
  }
  else {
      warn "invalid filename: $file";
  }

If I remove the above chunk of script and do not run in taint mode, the
script works fine.

Thanks again, Stas.

From stas at stason.org  Tue Dec  6 16:18:53 2005
From: stas at stason.org (Stas Bekman)
Date: Tue, 06 Dec 2005 16:18:53 -0800
Subject: [Van-pm] CGI taint mode
In-Reply-To: <49644.142.103.92.226.1133914579.squirrel@sparc.brc.ubc.ca>
References: <61716.137.82.2.58.1133827511.squirrel@sparc.brc.ubc.ca>
	<4394FABD.90602@stason.org>
	<51622.137.82.2.58.1133897467.squirrel@sparc.brc.ubc.ca>
	<4395EC19.6000700@stason.org>
	<52661.137.82.2.58.1133906873.squirrel@sparc.brc.ubc.ca>
	<43961EA6.50609@stason.org>
	<49644.142.103.92.226.1133914579.squirrel@sparc.brc.ubc.ca>
Message-ID: <43962A6D.50109@stason.org>

Vincent Li wrote:
>> Vincent Li wrote:
>> [...]
>>
>>> Now I understand. I rewrote the script as you said, and it gives me "Global
>>> symbol "$info" requires explicit package name....". I changed it to
>>>
>>>   my $info = uploadInfo($file);
>>>   if ($info) {
>>>       print $info->{'Content-Type'};
>>>   }
>>>   else {
>>>       warn "can't find $file";
>>>   }
>>>
>>> Then no error is reported, but there is nothing wrong with your declaration
>>> of $info. In error_log, it did say the file could not be found. What reason
>>> causes the file not to be found?
>>
>> I don't know. Check the guts of uploadInfo?
>
>
> It must be that my untaint regular expression did something wrong that
> uploadInfo does not like:
>
>   my $file = param('upload');
>   if ($file =~ /^([-\@\w.]+)$/) {
>       $file = $1;
>   }
>   else {
>       warn "invalid filename: $file";
>   }
>
> If I remove the above chunk of script and do not run in taint mode, the
> script works fine.

Then try to compare what filename it gets with -T and without. Basically
you need to roll up your sleeves, get into uploadInfo's guts and debug,
either using print() calls or a perl debugger...

--
_____________________________________________________________
Stas Bekman            mailto:stas at stason.org  http://stason.org/
MailChannels: Assured Messaging(TM)    http://mailchannels.com/
The "Practical mod_perl" book          http://modperlbook.org/
http://perl.apache.org/   http://perl.org/   http://logilune.com/

From ksimpson at daisy.mailchannels.com  Tue Dec  6 16:19:36 2005
From: ksimpson at daisy.mailchannels.com (Ken Simpson)
Date: Tue, 6 Dec 2005 16:19:36 -0800
Subject: [Van-pm] Perl and VoIP Jobs
Message-ID: <20051207001936.GA14761@mailchannels.com>

Hi Everyone,

We are looking for senior-level Perl and C developers to add to our team
to help us complete a very ambitious development project starting in
January. Experience and skills which are of particular interest include:

* Humility.
* Dedication.
* A sense of humour.
* "Web 2.0"-style front end development (i.e. AJAX).
* XML stuff like AxKit.
* Intimate knowledge of the asterisk platform and the ability to script it.
* An understanding of VoIP; preferably experience building VoIP
  applications or at least working knowledge of the protocols.
* Knowledge of SMTP (e.g. you have written an SMTP engine or a plugin for
  Postfix or Sendmail).

If you already have a job (as most of you do), then let us make you an
offer you can't refuse. Join people like Stas Bekman (former mod_perl
maintainer) in our huge warehouse-style office in Yaletown and help us
change the world.
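The CGI taint mode thread above ends without naming the cause, so here is an added example that is not part of any message in this archive and is not CGI.pm's code. In CGI.pm, param('upload') for a multipart upload returns a filehandle object that merely stringifies to the client-supplied filename, and uploadInfo() looks the upload up by that handle (the "Use of uninitialized value in hash element" line in Vincent's error_log is that lookup failing on a plain string). The regex capture $1 is a plain string, so assigning it back to $file throws the handle away; uploadInfo($file) then returns undef, and the same would happen to the while (<$file>) read on line 49. The fix is to keep the handle and untaint a separate copy of its name. FakeUploadFh and fake_upload_info() below are stand-ins written for this example so it runs without CGI.pm; the upload name is constructed, and it is tainted the way real CGI input would be by appending an empty slice of $ENV{PATH}, which is tainted under -T.

```perl
#!/usr/bin/perl -T
# Added example (not from the list thread, not CGI.pm's code): why untainting
# the value of param('upload') with a capture regex makes uploadInfo() return
# undef, and how to keep the upload handle while still untainting the name.
use strict;
use warnings;
use Scalar::Util qw(tainted blessed refaddr);

package FakeUploadFh;
# Stand-in for CGI.pm's upload handle: an object whose string form is the
# client-supplied filename.
use overload '""' => sub { ${ $_[0] } }, fallback => 1;
sub new { my ($class, $name) = @_; return bless \$name, $class; }

package main;

# Stand-in for CGI.pm's per-upload bookkeeping, keyed by the handle object.
my %INFO;

sub fake_upload_info {
    my ($fh) = @_;
    # A plain string is not a handle, so nothing is found: the thread's symptom.
    return undef unless blessed($fh) && $fh->isa('FakeUploadFh');
    return $INFO{ refaddr($fh) };
}

# Validate the client-supplied name with the thread's pattern and return an
# untainted copy, or undef if it contains anything outside [-@\w.].
sub untaint_filename {
    my ($name) = @_;
    return $name =~ /^([-\@\w.]+)$/ ? $1 : undef;
}

# Constructed upload: under -T anything derived from %ENV is tainted, so
# appending an empty slice of $ENV{PATH} taints the name like real CGI input.
my $taint_bit = substr($ENV{PATH} // '', 0, 0);
my $fh = FakeUploadFh->new("report.txt$taint_bit");
$INFO{ refaddr($fh) } = { 'Content-Type' => 'text/plain' };

# 1. The thread's approach: overwrite the handle with the capture.
my $file = $fh;
if ($file =~ /^([-\@\w.]+)$/) { $file = $1; }
printf "after \$file = \$1: ref=%s tainted=%d\n",
    ref($file) || 'plain string', tainted($file) ? 1 : 0;
printf "uploadInfo on the string: %s\n",
    defined fake_upload_info($file) ? 'found' : 'undef';

# 2. Keep the handle; untaint a separate copy of its name for use in the path.
my $safe_name = untaint_filename("$fh");
die "invalid filename\n" unless defined $safe_name;
printf "handle kept: ref=%s, name '%s' tainted=%d\n",
    ref($fh), $safe_name, tainted($safe_name) ? 1 : 0;
printf "uploadInfo on the handle: %s\n", fake_upload_info($fh)->{'Content-Type'};
```

Run it as `perl -T example.pl` (the -T on the shebang line only takes effect when the script is executed directly; without -T, tainted() reports 0 but the lost-handle half of the demonstration is unchanged). Applied to upload.pl, this means keeping the value of param('upload') as the handle passed to uploadInfo() and read in the while loop, and using only the untainted copy of its name in the sysopen path.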
If you are keen and experienced and looking for an opportunity to work
with a fantastic team and to get paid well financially and experientially,
please get in touch.

Regards,
Ken

--
MailChannels: Assured Messaging (TM) | http://mailchannels.com
--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741

From shijialeee at yahoo.com  Wed Dec  7 13:58:24 2005
From: shijialeee at yahoo.com (James.Q.L)
Date: Wed, 7 Dec 2005 13:58:24 -0800 (PST)
Subject: [Van-pm] former mod_perl maintainer ? Re: Perl and VoIP Jobs
In-Reply-To: <20051207001936.GA14761@mailchannels.com>
Message-ID: <20051207215825.14726.qmail@web50402.mail.yahoo.com>

> If you already have a job (as most of you do), then let us make you an
> offer you can't refuse. Join people like Stas Bekman (former mod_perl
> maintainer) in our huge warehouse-style office in Yaletown and help us
> change the world.
>

I can't help but wonder... is Stas no longer the mod_perl maintainer? He
has been doing a great job and it would be sad to see him go.

Qiang.

__________________________________________
Yahoo! DSL - Something to write home about.
Just $16.99/mo. or less. dsl.yahoo.com

From stas at stason.org  Wed Dec  7 15:51:50 2005
From: stas at stason.org (Stas Bekman)
Date: Wed, 07 Dec 2005 15:51:50 -0800
Subject: [Van-pm] former mod_perl maintainer ? Re: Perl and VoIP Jobs
In-Reply-To: <20051207215825.14726.qmail@web50402.mail.yahoo.com>
References: <20051207215825.14726.qmail@web50402.mail.yahoo.com>
Message-ID: <43977596.8090601@stason.org>

James.Q.L wrote:
>> If you already have a job (as most of you do), then let us make you an
>> offer you can't refuse. Join people like Stas Bekman (former mod_perl
>> maintainer) in our huge warehouse-style office in Yaletown and help us
>> change the world.
>>
>
>
> I can't help but wonder... is Stas no longer the mod_perl maintainer? He
> has been doing a great job and it would be sad to see him go.

Stas is taking a break. Thanks for your kind words, James.
--
_____________________________________________________________
Stas Bekman            mailto:stas at stason.org  http://stason.org/
MailChannels: Assured Messaging(TM)    http://mailchannels.com/
The "Practical mod_perl" book          http://modperlbook.org/
http://perl.apache.org/   http://perl.org/   http://logilune.com/

From lukec at ActiveState.com  Thu Dec 15 12:33:54 2005
From: lukec at ActiveState.com (Luke Closs)
Date: Thu, 15 Dec 2005 12:33:54 -0800
Subject: [Van-pm] meta user group meeting/holiday get together
Message-ID: <20051215203354.GB10414@activestate.com>

All of the perl mongers are invited to this event.

----- Forwarded message from Shezmeen Hudani -----

Hi All,

Just a quick note to let you all know that ActiveState and the Vancouver
PHP User Group are hosting a holiday social for various User Groups in the
mezz tonight. The festivities will begin at 6:30pm.

If anyone has any questions, or needs further information, please contact
me directly.

Thank You,

Shezmeen Hudani
Marketing Associate
shezmeenh at activestate.com

----- End forwarded message -----

--
Luke Closs
PureMessage Developer
There is always time to juggle in the Sophos Zone.

From thuang at yachtworld.com  Mon Dec 19 17:35:07 2005
From: thuang at yachtworld.com (Tanya Huang)
Date: Mon, 19 Dec 2005 17:35:07 -0800
Subject: [Van-pm] Perl Job posting
Message-ID: <200512191735.07551.thuang@yachtworld.com>

Hello All,

My company has an opening for a junior/intermediate web application
programmer to program in Perl and some Java. If you are interested, or know
of anyone who might be, the email to apply to is: engineering-jobs at
boats.com (more info at the bottom of this email).

The job is posted on T-Net, but we've been getting mainly Java people with
very little Perl. An updated job description is shown below. Java
experience is OPTIONAL.

thanks :)
Tanya

---------------
Job Description:

YachtWorld.com is looking for a Junior/Intermediate Web Developer to join
the engineering team in our downtown Vancouver office.
This is a full time position which offers a competitive salary and
benefits package. The working environment is fun and relaxed.

You will be responsible for developing web applications using Perl
technologies. You will have the opportunity to do end-to-end engineering,
from analysis and design to ensuring the application is tested and
deployed successfully. At times you will implement entire new features
yourself, and at other times you will work in collaboration with other
developers.

Qualifications and Experience

You must have:
- A bachelor's degree in computer science or an engineering/scientific
  discipline
- One year's commercial server-side programming experience, using Perl
- Experience developing web-based user interfaces with HTML and CSS
- Familiarity with relational database concepts and SQL
- Familiarity with object-oriented design

Knowledge of the following is a plus:
- MySQL database server
- Apache web server, Tomcat or Resin
- Linux or other Unix
- XML
- Java/J2EE
- Javascript

About us

We provide e-commerce and on-line marketing services to the marine
industry, and work closely with boat brokers, builders, dealers, and
customers to help promote the growth of the industry. Our flagship
products, the www.boats.com and www.yachtworld.com web sites, are the
leading marine destinations on the internet, with over 3 million page
views per day.

boats.com & YachtWorld.com are a division of TraderOnline.com, which is a
division of Trader Publishing Company. Trader Publishing Company is
headquartered in Norfolk, Virginia and owned equally by Landmark
Communications, Inc. and Cox Enterprises, Inc. You will be joining a
fast-growing, financially stable, profitable dot.com owned by billion
dollar companies.

Please email your resume to engineering-jobs at boats.com (with subject
line "Junior/Intermediate Web Developer"), indicating your availability
and salary requirements.
From jac at natura.di.uminho.pt  Tue Dec 20 01:59:31 2005
From: jac at natura.di.uminho.pt (José Castro)
Date: Tue, 20 Dec 2005 09:59:31 +0000
Subject: [Van-pm] Perl Job posting
In-Reply-To: <200512191735.07551.thuang@yachtworld.com>
References: <200512191735.07551.thuang@yachtworld.com>
Message-ID: <20051220095930.GA13560@natura.di.uminho.pt>

* Tanya Huang (thuang at yachtworld.com) wrote:
>
> The job is posted on T-Net, but we've been getting mainly Java people with
> very little Perl.

Have you tried jobs.perl.org ? :-)

--
Jose Alves de Castro
http://jose-castro.org/

From thuang at yachtworld.com  Tue Dec 20 09:53:42 2005
From: thuang at yachtworld.com (Tanya Huang)
Date: Tue, 20 Dec 2005 09:53:42 -0800
Subject: [Van-pm] Perl Job posting
In-Reply-To: <20051220095930.GA13560@natura.di.uminho.pt>
References: <200512191735.07551.thuang@yachtworld.com>
	<20051220095930.GA13560@natura.di.uminho.pt>
Message-ID: <200512200953.42945.thuang@yachtworld.com>

Hi José,

Yes, we plan to soon :)

thanks,
Tanya

On Tuesday 20 December 2005 01:59, José Castro wrote:
> * Tanya Huang (thuang at yachtworld.com) wrote:
> > The job is posted on T-Net, but we've been getting mainly Java people
> > with very little Perl.
>
> Have you tried jobs.perl.org ? :-)
>
> --
> Jose Alves de Castro
> http://jose-castro.org/