Mailing List Archive

Re: capture exception [ In reply to ]
Let’s agree to differ

--
Clive Eisen
GPG: 75056DD0






> On 30 May 2017, at 19:36, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
>
> On 30 May 2017, at 19:52, Clive Eisen <clive@hildebrand.co.uk> wrote:
>
>> From my servers - data
>>
>> From anyone else's - user input
>
> A few years ago - I would have agreed. Having seen the impact of things like the bash-exploit getting triggered from the data returned by an IP reverse lookup - I am not so sure anymore.
>
> Dw.
>
Re: capture exception [ In reply to ]
On 05/30/2017 02:29 PM, John Dunlap wrote:
> eval {
> my $data = get_data_from_internet();
> };

$data needs to be scrubbed before using and you think you can't smash
$data??

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
Re: capture exception [ In reply to ]
In that example, the contents of $data are never evaluated by eval, so even
if it can be "smashed" (whatever that means) eval would have nothing to do
with the failure.

On Tue, May 30, 2017 at 4:01 PM, Ruben Safir <ruben@mrbrklyn.com> wrote:

--
John Dunlap
CTO | Lariat

Direct: john@lariat.co

Customer Service:
877.268.6667
support@lariat.co
Re: capture exception [ In reply to ]
On 05/30/2017 04:04 PM, John Dunlap wrote:
> In that example, the contents of $data are never evaluated by eval so
> even if it can be "smashed"(whatever that means) eval would have nothing
> to do with the failure.


It means you're bringing in data without a limit, and you can smash the
stack like that; I've seen this kind of code do just that.

That is not just an issue for eval...



Re: capture exception [ In reply to ]
Okay, I can see that but we were talking specifically about eval. So, my
examples were intended to showcase the two ways that eval can be called and
not how to safely obtain data from the internet.

On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <ruben@mrbrklyn.com> wrote:

Re: capture exception [ In reply to ]
So when we say "from the internet", does that include intranet? What I have
is a form that lists all the members of a group defined in LDAP. The call
to get the members for the group is all internal, to our company's internal
LDAP server. Is that considered "from the internet"? I didn't write this app,
just trying to make adjustments. Currently, if you hit a member of the group
that has been terminated/removed from LDAP, the app errors out because it is
still a member of the group on which it is trying to execute a lookup while
listing.

my %member_hash;
my $member_hash;
my $member_Co;
foreach (@memb) {
    # Fetch entry.
    my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
        ldap => $ldap,
        dn   => $_,
        opts => {control => $control}, # Important!
    );

    $member_Co = $entry2->get_value('company');
}

1. Is it a security issue to wrap the $entry2 code in an eval { } statement?
2. I'm thinking there is a better way to do this (code wise), because ever
since I put the eval {} in place (in dev env), groups with thousands of
members take a very long time to display.


here is the code for dn2entry.mpl:




On Tue, May 30, 2017 at 3:13 PM, John Dunlap <john@lariat.co> wrote:

--
Hiram Gibbard
hgibbard@gmail.com
http://hiramgibbard.com
Re: capture exception [ In reply to ]
Sorry, hit send prematurely... as I was saying, here is the code for dn2entry.mpl:

<%args>
$ldap
$dn
$opts => {}
</%args>
<%init>
my %search_opts = (
    base   => $dn,
    scope  => 'base',
    filter => '(objectClass=*)',
    %{$opts},
);

my $mesg = $ldap->search(%search_opts);

if ($mesg->is_error) {
    die "Error. Failed to search directory. Options:\n"
        . join("\n", map { "$_=$search_opts{$_}" } keys %search_opts)
        . ". LDAP error: [" . $mesg->error_name . "] " . $mesg->error_desc;
}

if ($mesg->count != 1) {
    die "Search for DN='$dn' returned " . $mesg->count
        . " entries. We expected one entry.";
}

return scalar $mesg->entry(0);
</%init>

I'm wondering if I can put the check here to see if any object exists?


I realize there are other ways to skin a cat, such as a process to check
for terminated users in groups and remove them, or if HR deletes a member
to try and do it at that point, but I would still like to add the check in
the app.


On Wed, May 31, 2017 at 11:38 AM, Hiram Gibbard <hgibbard@gmail.com> wrote:

Re: capture exception [ In reply to ]
1) Passing a block (as opposed to a string) is no more dangerous than
executing the same code outside of eval. For example,

my $success = eval {
    my %member_hash;
    my $member_hash;
    my $member_Co;
    foreach (@memb) {
        # Fetch entry.
        my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
            ldap => $ldap,
            dn   => $_,
            opts => {control => $control}, # Important!
        );

        $member_Co = $entry2->get_value('company');
    }

    return 1;
};

if (!$success) {
    warn "ERROR: $@";
}

On Wed, May 31, 2017 at 12:38 PM, Hiram Gibbard <hgibbard@gmail.com> wrote:

Re: capture exception [ In reply to ]
Thanks for everyone's reply.

I got the idea from
https://stackoverflow.com/questions/4006267/what-is-the-best-way-to-handle-exceptions-in-perl:

The consensus of the Perl community seems to be that Try::Tiny
<http://search.cpan.org/perldoc?Try::Tiny> is the preferred way of doing
exception handling. The "lenient policy" you refer to is probably due to
a combination of:

* Perl not being a fully object-oriented language. (e.g. in contrast
to Java where you can't avoid dealing with exceptions.)
* The background of many Perl developers. (Languages like C and
shell don't have exception mechanisms.)
* The kind of tasks people tend to use Perl for. (Small scripts for
text munging and report generation where exception handling isn't
needed.)
* Perl not having a (good) built-in exception mechanism.

Note that the last item means that you'll see a lot of code like this:

    eval { something() };
    if ($@) {
        warn "Oh no! [$@]\n";
    }

That's exception handling even though it doesn't use try/catch syntax.
It's fragile, though, and will break in a number of subtle edge cases
that most people don't think about. Try::Tiny and the other exception
handling modules on CPAN were written to make it easier to get right.


On 2017/6/1 0:38, Hiram Gibbard wrote:
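A worked version of the per-member lookup from Hiram's question, added here as an example and not code from the thread, from Mason or from Net::LDAP: it catches only the "returned 0 entries" failure that dn2entry.mpl raises for a deleted member, skips that DN, and re-raises every other error, and it tests the eval's own return value rather than $@ alone, which is the fragility the Try::Tiny answer above warns about. The %DIRECTORY hash and the dn2entry subroutine are constructed stand-ins for the LDAP server and the Mason component.

```perl
use strict;
use warnings;

# Constructed stand-in for the LDAP directory (DN => attributes). 'carol' is
# absent: a terminated user who is still listed as a group member.
my %DIRECTORY = (
    'uid=alice,ou=people,dc=example,dc=com' => { company => 'Example Ltd' },
    'uid=bob,ou=people,dc=example,dc=com'   => { company => 'Example Ltd' },
);

# Hypothetical stand-in for dn2entry.mpl; dies the same two ways it does.
sub dn2entry {
    my ($dn) = @_;
    die "LDAP error: [unwillingToPerform] simulated failure\n"
        if $dn =~ /simulate-ldap-failure/;
    my $entry = $DIRECTORY{$dn};
    die "Search for DN='$dn' returned 0 entries. We expected one entry.\n"
        unless defined $entry;
    return $entry;
}

# Resolve each member DN. A DN that no longer exists is recorded and skipped;
# any other failure is re-raised instead of being swallowed. Testing the
# eval's own return value (the trailing 1) avoids relying on $@, which a
# destructor or nested eval can clobber.
sub list_member_companies {
    my (@memb) = @_;
    my (%companies, @missing);
    for my $dn (@memb) {
        my $entry;
        my $ok = eval { $entry = dn2entry($dn); 1 };
        unless ($ok) {
            my $err = $@ || 'unknown error';
            if ($err =~ /returned 0 entries/) {
                push @missing, $dn;
                next;
            }
            die $err;
        }
        $companies{$dn} = $entry->{company};
    }
    return (\%companies, \@missing);
}

my ($found, $missing) = list_member_companies(
    map { "uid=$_,ou=people,dc=example,dc=com" } qw(alice carol bob));
print "$_ => $found->{$_}\n" for sort keys %$found;
print "skipped stale member: $_\n" for @$missing;
```

Wrapping one eval around the whole loop, as in the earlier reply, stops at the first stale member; the per-member eval here lets the listing complete while still surfacing a real directory failure.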
