Can any body tell me what is wrong with my code below, I am trying to create
a file before writing/appending data in it? Code line to create and open it
as below:
_______________________________________________
ActivePerl mailing list
ActivePerl@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
I don't find any issue with your code. It should work fine.
Can you tell me what exactly you are trying to do and complete code?
--
Regards,
Mustafa
________________________________
From: activeperl-bounces@listserv.ActiveState.com
[mailto:activeperl-bounces@listserv.ActiveState.com] On Behalf Of SAQIB
RAFIQUE
Sent: Friday, July 03, 2009 11:57 AM
To: activeperl@listserv.activestate.com
Subject: PERL create file
Hi,
Can any body tell me what is wrong with my code below, I am trying to
create a file before writing/appending data in it? Code line to create
and open it as below:
$output = "/home/saqib/performance_debug_20090703.txt";
open(OUTPUT,"+>>$output") || die("Could not open output file ! \n");
Are you sure you have the rights to write to
"/home/saqib/performance_debug_20090703.txt";
??
Stanislaw Romanski
----- Original Message -----
From: SAQIB RAFIQUE
To: activeperl@listserv.ActiveState.com
Sent: Friday, July 03, 2009 8:27 AM
Subject: PERL create file
Hi,
Can any body tell me what is wrong with my code below, I am trying to
create a file before writing/appending data in it? Code line to create
and open it as below:
RE: PERL create file
on 03.07.2009 13:08:25 by Brian Raven
From: activeperl-bounces@listserv.ActiveState.com
[mailto:activeperl-bounces@listserv.ActiveState.com] On Behalf Of SAQIB
RAFIQUE
Sent: 03 July 2009 07:27
To: activeperl@listserv.activestate.com
Subject: PERL create file
> Hi,
> Can any body tell me what is wrong with my code below, I am trying to
> create a file before writing/appending
> data in it? Code line to create and open it as below:
>
> $output = "/home/saqib/performance_debug_20090703.txt";
> open(OUTPUT,"+>>$output") || die("Could not open output file ! \n");
It's not exactly clear what you are trying to do, as your code doesn't
quite match your description (you don't mention wanting to read from the
file as well). Also, you don't say what problems you are having. To
improve your code I would advise using the 3 argument form of open, localise
the file handle, and include the reason for the failure in your error
message. So, to open a file for appending, creating it if it doesn't
exist, I might have the following.
my $output = "/home/saqib/performance_debug_20090703.txt";
open my $fd, ">>", $output or die "Failed to open $output: $!\n";
As it is an output file you should also check that the close was
successful, as this is where any disk full errors will, usually, be
discovered.
HTH
--
Brian Raven
Re: PERL create file
on 03.07.2009 13:26:46 by Bill Luebkert
Brian Raven wrote:
>
> To
> improve your code I would advise using the 3 argument form of open, localise
> the file handle,
Neither of those suggestions 'should' change a thing.
> and include the reason for the failure in your error
> message.
That's what would be useful, change the or die to :
open OUT, "+>>$output" or die "open for read/append $output: $! ($^E)";
or (if read not needed):
open OUT, ">>$output" or die "open for append $output: $! ($^E)";
and maybe you'll get something useful (assuming it's dying on the open).
The $^E should give additional helpful text since $! is often cryptic.
> So, to open a file for appending, creating it if it doesn't
> exist, I might have the following.
>
> my $output = "/home/saqib/performance_debug_20090703.txt";
> open my $fd, ">>", $output or die "Failed to open $output: $!\n";
I'm guessing he may want to read as well as write or he doesn't
understand what +>> means. There's nothing wrong with the code
per se - the only probable error might be one of permissions on
the output dir, but seeing as it's apparently to his home dir,
that would seem unlikely unless it's like in a CGI script running
as a different user or some such.
> As it is an output file you should also check that the close was
> successful, as this is where any disk full errors will, usually, be
> discovered.
Re: PERL create file
on 06.07.2009 11:32:35 by Ingo Schwarze
Hi Bill and Brian,
Bill Luebkert wrote on Fri, Jul 03, 2009 at 04:26:46AM -0700:
> Brian Raven wrote:
>> I would advise using the 3 argument form of open,
>> localise the file handle,
> Neither of those suggestions 'should' change a thing.
No, but they are excellent advice anyway, and a strict style can help
a lot when chasing bugs.
The two-argument form of open(3p) really ought to be considered legacy,
and there is no excuse for using it in new code, except in very
special circumstances. I feel two-argument open nearly as ugly as
the failure to use strict and warnings. At least, the multi-argument
form is required for anything security-related. Even in cases where
two-argument open can actually be proven to be correct as well, like
in the case discussed here, the correctness of the multi-argument form
is definitely easier to verify by code inspection, so using it is
always a gain in security.
The same applies to non-local file handles. They should have no place
in new code, except in very special circumstances.
I think the regulars should consistently encourage good coding
practices (which both of you almost always do, thanks!), even if
the sloppiness at hand cannot be proven to be causing the problem
or to be hiding the cause of the problem presented.
Yours,
Ingo
--
Ingo Schwarze | Software Engineer | Framework Team
Astaro AG | www.astaro.com | 76227 Karlsruhe | Germany
Re: PERL create file
on 06.07.2009 15:25:28 by Bill Luebkert
Ingo Schwarze wrote:
> Hi Bill and Brian,
>
> Bill Luebkert wrote on Fri, Jul 03, 2009 at 04:26:46AM -0700:
>> Brian Raven wrote:
>
>>> I would advise using the 3 argument form of open,
>>> localise the file handle,
>
>> Neither of those suggestions 'should' change a thing.
>
> No, but they are excellent advice anyway, and a strict style can help
> a lot when chasing bugs.
>
> The two-argument form of open(3p) really ought to be considered legacy,
> and there is no excuse for using it in new code, except in very
> special circumstances. I feel two-argument open nearly as ugly as
> the failure to use strict and warnings. At least, the multi-argument
> form is required for anything security-related. Even in cases where
> two-argument open can actually be proven to be correct as well, like
> in the case discussed here, the correctness of the multi-argument form
> is definitely easier to verify by code inspection, so using it is
> always a gain in security.
I totally disagree - I see nothing wrong with using the 2 arg form and
have always and will continue to use it. I find the 3 arg form to be
the more ugly of the two and would probably only use it myself if I
needed to (there are cases where only 2-arg will do what you want and
other cases where only 3-arg will work - but those are so rare they're
hardly worth mentioning and I'd be avoiding creating situations that
would 'require' the necessity of either form specifically).
> The same applies to non-local file handles. They should have no place
> in new code, except in very special circumstances.
Whether or not a file handle is localized or not depends on how you've
coded your script. It's always nice to localize and compartmentalize
when possible, but for quick solutions and non-critical solutions that
don't have to worry about long life or multiple maintainers it just
isn't always practical to put the extra effort in - 90% of the scripts
I write are for one-time or infrequent use. It could be you're referring
more to using anonymous FH references rather than 'localizing' the FH.
> I think the regulars should consistently encourage good coding
> practices (which both of you almost always do, thanks!), even if
> the sloppiness at hand cannot be proven to be causing the problem
> or to be hiding the cause of the problem presented.
First you have to definitively define good coding practices. While I
always use strict and warnings, the other suggestions made in this
thread I seldom adhere to. I'm of course not writing for NASA anymore
either - I write what's comfortable for me and there's always more than
one way to do it. ;)
Re: PERL create file
on 06.07.2009 16:40:23 by Serguei Trouchelle
Bill Luebkert wrote:
> I totally disagree - I see nothing wrong with using the 2 arg form and
> have always and will continue to use it. I find the 3 arg form to be
> the more ugly of the two
Can't say about "uglier" thing -- it's in the eye of the beholder, but using one parameter for two different things is
just illogical.
--
Serguei Trouchelle
Re: PERL create file
on 06.07.2009 23:23:08 by Bill Luebkert
Serguei Trouchelle wrote:
> Bill Luebkert wrote:
>
>> I totally disagree - I see nothing wrong with using the 2 arg form and
>> have always and will continue to use it. I find the 3 arg form to be
>> the more ugly of the two
>
> Can't say about "uglier" thing -- it's in the eye of the beholder, but using one parameter for two different things is
> just illogical.
Well, then there's plenty of illogical stuff in Perl. ;)
The open is tailored after shell syntax - I suppose you'd
have a problem there too what with the piping and redirection
etc.
RE: PERL create file
on 06.07.2009 23:50:46 by Jan Dubois
On Mon, 06 Jul 2009, Bill Luebkert wrote:
> Serguei Trouchelle wrote:
>> Bill Luebkert wrote:
>>
>>> I totally disagree - I see nothing wrong with using the 2 arg form
>>> and have always and will continue to use it. I find the 3 arg form
>>> to be the more ugly of the two
>>
>> Can't say about "uglier" thing -- it's in the eye of the beholder,
>> but using one parameter for two different things is just illogical.
>
> Well, then there's plenty of illogical stuff in Perl. ;)
>
> The open is tailored after shell syntax - I suppose you'd have a
> problem there too what with the piping and redirection etc.
The "real" problem is that while(<>) is using the 2-arg form of
open(), so specially crafted filenames ending with a '|' can
execute arbitrary commands when you run `perl myscript *`. This
is only an issue on Unix as the pipe symbol is not a valid filename
character on Windows.
There is nothing you can do about it though, but not use while(<>)
if you cannot trust the filenames in your directory. But then you
are in a bad spot already if you cannot trust your local files...
Cheers,
-Jan
Re: PERL create file
on 07.07.2009 19:45:46 by Ingo Schwarze
Hi Jan,
> The "real" problem is that while(<>) is using the 2-arg form of
> open(), so specially crafted filenames ending with a '|' can
> execute arbitrary commands when you run `perl myscript *`. This
> is only an issue on Unix as the pipe symbol is not a valid filename
> character on Windows.
Wow, I wasn't even aware of that weakness in the idiom, though
admittedly I tend to use while (<>) only after emptying @ARGV.
But still, thanks for the hint!
It's not the only problem, though.
open my $fh, $filename or ...
is a nightmare in general unless you are *really* sure $filename
does not contain any user-tweakable components.
> There is nothing you can do about it though, but not use while(<>)
Sure, opening the files manually and specifying the file handle
explicitly causes very little extra effort and will usually pay
off in terms of stability, clarity and ease of maintenance, even
without the exploit you described.
> if you cannot trust the filenames in your directory. But then you
> are in a bad spot already if you cannot trust your local files...
Not necessarily.
When writing suid programs or when writing system maintenance tools
that are expected to be run using sudo(8) or su(1) or by privileged
users in general, it is the usual case that you cannot trust the
contents of the file systems, except those parts owned by root and
not writeable by anyone else, including all parent directories.
On a related note, it's really old news that dot in PATH is almost
always a terrible idea for just the same reason.
Yours,
Ingo
P.S.
One of the nice things about Perl is that it's actually not a bad
language security-wise with a bit of coding discipline. :)
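
The behaviour Jan Dubois and Ingo Schwarze discuss above, as an added Perl example that is not part of any poster's message: a check for names that two-argument open() would interpret rather than simply open, and a loop that stands in for while (<>) by opening each name with the three-argument form. The helper names and the scratch files are constructed for illustration, and a Unix-like filesystem is assumed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): flag names that 2-arg open() would
# interpret as syntax, and read files with every name taken literally.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Reasons a name must not reach 2-arg open(); an empty list means the
# 2-arg and 3-arg forms would open the same file. (Hypothetical helper.)
sub two_arg_hazards {
    my ($name) = @_;
    my @why;
    push @why, 'surrounding whitespace is stripped' if $name =~ /^\s|\s$/;
    push @why, 'leading mode characters'            if $name =~ /^\s*\+?[<>]/;
    push @why, 'pipe: name is run as a command'     if $name =~ /^\s*\||\|\s*$/;
    push @why, 'means STDIN, not a file'            if $name =~ /^\s*-\s*$/;
    return @why;
}

# Replacement for while (<>): the mode is a separate argument, so the
# name is data and never syntax. (Hypothetical helper.)
sub read_files_literally {
    my @names = @_;
    my @lines;
    for my $name (@names) {
        open my $fh, '<', $name or die "Failed to open '$name': $!\n";
        push @lines, <$fh>;
        close $fh or die "Failed to close '$name': $!\n";
    }
    return @lines;
}

# Constructed sample: a scratch directory holding one ordinary file and
# one whose name ends in '|'.
my $dir   = tempdir(CLEANUP => 1);
my @names = ("$dir/plain.txt", "$dir/notes|");
for my $name (@names) {
    open my $out, '>', $name or die "Failed to create '$name': $!\n";
    print {$out} "contents of $name\n";
    close $out or die "Failed to close '$name': $!\n";
}

# Report which names need review, then read both files as plain files.
for my $name (@names) {
    my @why = two_arg_hazards($name);
    printf "%-7s %s\n", (@why ? 'REVIEW' : 'ok'), $name;
    print  "        - $_\n" for @why;
}
print read_files_literally(@names);
```

Perl 5.22 and later also provide the `<<>>` operator, which walks @ARGV like `<>` but opens each name with the three-argument form.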