Posted to modperl@perl.apache.org by Peng Yonghua <py...@vodafonemail.de> on 2017/05/26 01:08:43 UTC

capture exception

greeting,

I am not so good at perl/modperl,:)

In the handler, a method from a class is called. When something dies 
from within the method, what's the correct way for the handler to handle it?

for example, I wrote this API which works right if given a correct 
domain name:

http://fenghe.org/domain/?d=yahoo.com

server response:
var data={"registration":"domain may be taken","domain":"yahoo.com"}

If given a wrong domain name:

http://fenghe.org/domain/?d=yahoo.nonexist

The server returns 500.

This is because, in the handler, I used this module (also written by me):

http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm

And in the module, a croak like this happened:

croak "domain TLD not exists" unless tld_exists($tld);

When the handler meets the croak, it dies (I guess) and the server returns 500.

How do I make the full system work right? Fix the handler, or the 
module itself?

Thanks.

Re: capture exception

Posted by James Smith <js...@sanger.ac.uk>.

On 2017-05-30 03:49 PM, Dirk-Willem van Gulik wrote:
>
>> On 30 May 2017, at 16:43, John Dunlap <john@lariat.co> wrote:
>>
>> How is it a security hole?
> ….
>>
>>     > my $ret = eval { $m->...() };
>>
>
> Just imagine $m->...() returning something containing a valid perl 
> expression such as "`rm -rf /`;", system("rm -rf /"); or something 
> that wires up a shell to a TCP socket.
>
> Dw.
>
But that isn't how it works - the "{" "}" braces mean $m->...() is run - 
but the output is trapped... the two types of eval are different....



-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

Re: capture exception

Posted by Perrin Harkins <ph...@gmail.com>.
https://www.effectiveperlprogramming.com/2011/03/know-the-different-evals/

On Tue, May 30, 2017 at 10:49 AM, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:

>
> On 30 May 2017, at 16:43, John Dunlap <jo...@lariat.co> wrote:
>
> How is it a security hole?
>
> ….
>
> > my $ret = eval { $m->...() };
>
>
> Just imagine $m->...() returning something containing a valid perl
> expression such as "`rm -rf /`;", system("rm -rf /"); or something that
> wires up a shell to a TCP socket.
>
> Dw.
>
>

Re: capture exception

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
> On 30 May 2017, at 16:43, John Dunlap <jo...@lariat.co> wrote:
> 
> How is it a security hole?
….
> > my $ret = eval { $m->...() };

Just imagine $m->...() returning something containing a valid perl expression such as "`rm -rf /`;", system("rm -rf /"); or something that wires up a shell to a TCP socket.

Dw.


Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
How is it a security hole?

On Tue, May 30, 2017 at 10:41 AM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> On Tue, May 30, 2017 at 09:47:59AM +0100, James Smith wrote:
> > Not really a mod_perl question but you can always wrap your method
> > call in an eval
> >
> > my $ret = eval { $m->...() };
> >
> > And then check $@ for the error message
> >
>
>
> that is a security hole
>
> >
> > On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> > >greeting,
> > >
> > >I am not so good at perl/modperl,:)
> > >
> > >In the handler, a method from a class was called, when something
> > >dies from within the method, what's the correct way the handler
> > >will take?
> > >
> > >for example, I wrote this API which works right if given a correct
> > >domain name:
> > >
> > >http://fenghe.org/domain/?d=yahoo.com
> > >
> > >server response:
> > >var data={"registration":"domain may be taken","domain":"yahoo.com"}
> > >
> > >If given a wrong domain name:
> > >
> > >http://fenghe.org/domain/?d=yahoo.nonexist
> > >
> > >The server returns 500.
> > >
> > >This is because, in the handler, I used this module (wrote also by me):
> > >
> > >http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
> > >
> > >
> > >And in the module, croak like this was happened,
> > >
> > >croak "domain TLD not exists" unless tld_exists($tld);
> > >
> > >When handler meets the croak, it dies (I guess) and server returns 500.
> > >
> > >How will I make the full system work right? fix on handler, or the
> > >module itself?
> > >
> > >Thanks.
> >
> >
> >
>
> --
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and and extermination camps,
> but incompatible with living as a free human being. -RI Safir 2013
>
>


-- 
John Dunlap
*CTO | Lariat *

*Direct:*
*john@lariat.co <jo...@lariat.co>*

*Customer Service:*
877.268.6667
support@lariat.co

Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
On Tue, May 30, 2017 at 09:47:59AM +0100, James Smith wrote:
> Not really a mod_perl question but you can always wrap your method
> call in an eval
> 
> my $ret = eval { $m->...() };
> 
> And then check $@ for the error message
> 


that is a security hole

> 
> On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> >greeting,
> >
> >I am not so good at perl/modperl,:)
> >
> >In the handler, a method from a class was called, when something
> >dies from within the method, what's the correct way the handler
> >will take?
> >
> >for example, I wrote this API which works right if given a correct
> >domain name:
> >
> >http://fenghe.org/domain/?d=yahoo.com
> >
> >server response:
> >var data={"registration":"domain may be taken","domain":"yahoo.com"}
> >
> >If given a wrong domain name:
> >
> >http://fenghe.org/domain/?d=yahoo.nonexist
> >
> >The server returns 500.
> >
> >This is because, in the handler, I used this module (wrote also by me):
> >
> >http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
> >
> >
> >And in the module, croak like this was happened,
> >
> >croak "domain TLD not exists" unless tld_exists($tld);
> >
> >When handler meets the croak, it dies (I guess) and server returns 500.
> >
> >How will I make the full system work right? fix on handler, or the
> >module itself?
> >
> >Thanks.
> 
> 
> 



Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
How so? How would an attacker exploit it?

On Tue, May 30, 2017 at 10:46 AM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> Using eval is an unacceptable security bug for all online and public
> access programs that acquire data from external non-secured sources.
>
>
>
> On Tue, May 30, 2017 at 09:39:53AM -0400, John Dunlap wrote:
> > Yes, I do that extensively and it works perfectly. It's as close to a
> > true Try/Catch block as we have in the perl world. However, I *usually*
> > do not return values from it because I use this construct to control my
> > database transaction demarcation and using the return value from outside
> > of the eval wouldn't be inside the transaction. With that said, I have
> > had to do it from time to time and it works just fine. Also, it is
> > advisable to copy the contents of $@ into a separate variable
> > immediately. My understanding is that this can prevent some weird
> > concurrency issues, under some conditions. My general form looks
> > something like this,
> >
> > my $return = eval {
> >     # BEGIN DATABASE TRANSACTION
> >
> >     # DO SOME STUFF
> >
> >     # COMMIT DATA BASE TRANSACTION
> >
> >     return 'SOME VALUE';
> > };
> >
> > if ($@) {
> >     my $error = $@;
> >
> >     # ROLLBACK DATABASE TRANSACTION
> >
> >     # LOG ERROR
> > }
> >
> >
> > On Tue, May 30, 2017 at 4:47 AM, James Smith <js...@sanger.ac.uk> wrote:
> >
> > > Not really a mod_perl question but you can always wrap your method
> > > call in an eval
> > >
> > > my $ret = eval { $m->...() };
> > >
> > > And then check $@ for the error message
> > >
> > >
> > > On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> > >
> > >> greeting,
> > >>
> > >> I am not so good at perl/modperl,:)
> > >>
> > >> In the handler, a method from a class was called, when something dies
> > >> from within the method, what's the correct way the handler will take?
> > >>
> > >> for example, I wrote this API which works right if given a correct
> > >> domain name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.com
> > >>
> > >> server response:
> > >> var data={"registration":"domain may be taken","domain":"yahoo.com"}
> > >>
> > >> If given a wrong domain name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.nonexist
> > >>
> > >> The server returns 500.
> > >>
> > >> This is because, in the handler, I used this module (wrote also by me):
> > >>
> > >> http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
> > >>
> > >> And in the module, croak like this was happened,
> > >>
> > >> croak "domain TLD not exists" unless tld_exists($tld);
> > >>
> > >> When handler meets the croak, it dies (I guess) and server returns 500.
> > >>
> > >> How will I make the full system work right? fix on handler, or the
> > >> module itself?
> > >>
> > >> Thanks.
> > >>
> > >
> > >
> > >
> >
> >
> >
> >
>
>
>
>
>



Re: capture exception

Posted by Clive Eisen <cl...@hildebrand.co.uk>.
Let’s agree to differ

--
Clive Eisen
GPG: 75056DD0






> On 30 May 2017, at 19:36, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
> 
> On 30 May 2017, at 19:52, Clive Eisen <cl...@hildebrand.co.uk> wrote:
> 
>> From my servers - data
>> 
>> From anyone else's - user input
> 
> A few years ago - I would have agreed. Having seen the impact of things like the bash-exploit getting triggered from the data returned by an IP reverse lookup - I am not so sure anymore.
> 
> Dw.
> 


Re: capture exception

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 30 May 2017, at 19:52, Clive Eisen <cl...@hildebrand.co.uk> wrote:

> From my servers - data
> 
> From anyone else's - user input

A few years ago - I would have agreed. Having seen the impact of things like the bash-exploit getting triggered from the data returned by an IP reverse lookup - I am not so sure anymore.

Dw.


Re: capture exception

Posted by Clive Eisen <cl...@hildebrand.co.uk>.
From my servers - data

From anyone else's - user input


> On 30 May 2017, at 18:47, Ruben Safir <ru...@mrbrklyn.com> wrote:
> 
> On Tue, May 30, 2017 at 05:10:17PM +0100, Clive Eisen wrote:
>> It is only a security hole if you eval user input.
>> 
> 
> 
> What do you call return values from the internet?
> 
>> 
>> 
>>> On 30 May 2017, at 17:00, Hiram Gibbard <hg...@gmail.com> wrote:
>>> 
>>> I might be hijacking this... Sorry, but...I recently used the Perl eval function to determine if an LDAP search returned an error or not. Basically, a user's record has an attribute that points to an assistant, and if that assistant no longer exists the app was throwing an error since it executed an LDAP call to that assistant's record. So I used eval to check if the error was returned, and if so, skipped the function where it tied searched the assistant record in LDAP.  Is this the same eval scenario you described which has a security hole?
>>> 
>>> 
>>> I was just reading everyone's reply and now I am worried I created a security hole.
>>> 
>>> Thanks
>>> 
>>> On Tue, May 30, 2017 at 10:04 AM, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
>>> 
>>>> On 30 May 2017, at 16:58, pali@cpan.org wrote:
>>>> 
>>>> On Tuesday 30 May 2017 15:53:13 James Smith wrote:
>>>>> String eval should be avoided at all costs [especially if you parse user
>>>>> input] - functional eval is different - and is a good model for catching
>>>>> errors etc
>>>> 
>>>> Yes, string eval should be avoided in all usage. But this discussion was
>>>> about that functional eval.
>>> 
>>> Aye - right you are - apologies for causing confusion and missing the (/{.
>>> 
>>> Dw.
>>> 
>>> 
>>> 
>>> -- 
>>> Hiram Gibbard
>>> hgibbard@gmail.com
>>> http://hiramgibbard.com
>>> 
>> 
> 


Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
1) Passing a block (as opposed to a string) is no more dangerous than
executing the same code outside of eval. For example,

my $success = eval {
    my %member_hash;
    my $member_hash;
    my $member_Co;
    foreach (@memb) {
            # Fetch entry.

            my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
                ldap => $ldap,
                dn   => $_,
                opts => {control => $control}, # Important!
            );

            $member_Co =  $entry2->get_value('company');
    }

    return 1;
};

if (!$success) {
    warn "ERROR: $@";
}

On Wed, May 31, 2017 at 12:38 PM, Hiram Gibbard <hg...@gmail.com> wrote:

> So when we say "from the internet" does that include intranet?  What I
> have is a form that lists all the members of a group defined in LDAP. The
> call to get the members for the group is all internal, to our company's
> internal LDAP server. Is that considered "from the internet"? I didn't write
> this app, just trying to make adjustments. Currently if you hit a member of
> the group that has been terminated/removed from LDAP, the app errors out
> because it is a member of the group that it's trying to execute a lookup
> on while listing.
>
> my %member_hash;
> my $member_hash;
> my $member_Co;
> foreach (@memb) {
>         # Fetch entry.
>
>         my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
>             ldap => $ldap,
>             dn   => $_,
>             opts => {control => $control}, # Important!
>         );
>
>         $member_Co =  $entry2->get_value('company');
>
>  }
>
> 1. Is it a security issue to wrap the $entry2 code in an eval { } statement?
> 2. I'm thinking there is a better way to do this (code wise) because
> ever since I put the eval {} in place (in dev env), groups with
> thousands of members take a very long time to display.
>
>
> here is the code for dn2entry.mpl:
>
>
>
>
> On Tue, May 30, 2017 at 3:13 PM, John Dunlap <jo...@lariat.co> wrote:
>
>> Okay, I can see that but we were talking specifically about eval. So, my
>> examples were intended to showcase the two ways that eval can be called and
>> not how to safely obtain data from the internet.
>>
>> On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:
>>
>>> On 05/30/2017 04:04 PM, John Dunlap wrote:
>>> > In that example, the contents of $data are never evaluated by eval so
>>> > even if it can be "smashed"(whatever that means) eval would have
>>> nothing
>>> > to do with the failure.
>>>
>>>
>>> it means your bringing in data without a limit and you can smash the
>>> stack like that and I've seen this kind of code do just that.
>>>
>>> That is not just an issue for eval...
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
>



Re: capture exception

Posted by Hiram Gibbard <hg...@gmail.com>.
Sorry, hit send prematurely... as I was saying, the code for dn2entry.mpl:

<%args>
 $ldap
 $dn
 $opts => {}
</%args>
<%init>
my %search_opts = (
    base   => $dn,
    scope  => 'base',
    filter => '(objectClass=*)',
    %{$opts},
);

my $mesg = $ldap->search(%search_opts);

if($mesg->is_error) {
    die "Error. Failed to search directory. Options:\n"
        . join("\n", map { "$_=$search_opts{$_}" } keys %search_opts)
        . ". LDAP error: [" . $mesg->error_name . "] " . $mesg->error_desc;
}

if($mesg->count != 1) {
    die "Search for DN='$dn' returned " .$mesg->count.
        " entries. We expected one entry.";
}

return scalar $mesg->entry(0);
</%init>

I'm wondering if I can put the check here to see if any object exists?


I realize there are other ways to skin a cat, such as a process to check
for terminated users in groups and remove them, or if HR deletes a member
to try and do it at that point, but I would still like to add
the check in the app.


On Wed, May 31, 2017 at 11:38 AM, Hiram Gibbard <hg...@gmail.com> wrote:

> So when we say "from the internet" does that include intranet?  What I
> have is a form that lists all the members of a group defined in LDAP. The
> call to get the members for the group is all internal, to our company's
> internal LDAP server. Is that considered "from the internet"? I didn't write
> this app, just trying to make adjustments. Currently if you hit a member of
> the group that has been terminated/removed from LDAP, the app errors out
> because it is a member of the group that it's trying to execute a lookup
> on while listing.
>
> my %member_hash;
> my $member_hash;
> my $member_Co;
> foreach (@memb) {
>         # Fetch entry.
>
>         my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
>             ldap => $ldap,
>             dn   => $_,
>             opts => {control => $control}, # Important!
>         );
>
>         $member_Co =  $entry2->get_value('company');
>
>  }
>
> 1. Is it a security issue to wrap the $entry2 code in an eval { } statement?
> 2. I'm thinking there is a better way to do this (code wise) because
> ever since I put the eval {} in place (in dev env), groups with
> thousands of members take a very long time to display.
>
>
> here is the code for dn2entry.mpl:
>
>
>
>
> On Tue, May 30, 2017 at 3:13 PM, John Dunlap <jo...@lariat.co> wrote:
>
>> Okay, I can see that but we were talking specifically about eval. So, my
>> examples were intended to showcase the two ways that eval can be called and
>> not how to safely obtain data from the internet.
>>
>> On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:
>>
>>> On 05/30/2017 04:04 PM, John Dunlap wrote:
>>> > In that example, the contents of $data are never evaluated by eval so
>>> > even if it can be "smashed"(whatever that means) eval would have
>>> nothing
>>> > to do with the failure.
>>>
>>>
>>> it means your bringing in data without a limit and you can smash the
>>> stack like that and I've seen this kind of code do just that.
>>>
>>> That is not just an issue for eval...
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
>



Re: capture exception

Posted by Peng Yonghua <py...@vodafonemail.de>.
Thanks for everyone's reply.

I got the idea from 
https://stackoverflow.com/questions/4006267/what-is-the-best-way-to-handle-exceptions-in-perl :

The consensus of the Perl community seems to be that Try::Tiny 
<http://search.cpan.org/perldoc?Try::Tiny> is the preferred way of doing 
exception handling. The "lenient policy" you refer to is probably due to 
a combination of:

  * Perl not being a fully object-oriented language. (e.g. in contrast
    to Java where you can't avoid dealing with exceptions.)
  * The background of many Perl developers. (Languages like C and
    shell don't have exception mechanisms.)
  * The kind of tasks people tend to use Perl for. (Small scripts for
    text munging and report generation where exception handling isn't
    needed.)
  * Perl not having a (good) built-in exception mechanism.

Note that the last item means that you'll see a lot of code like this:

    eval { something() };
    if ($@) {
        warn "Oh no! [$@]\n";
    }

That's exception handling even though it doesn't use try/catch syntax. 
It's fragile, though, and will break in a number of subtle edge cases 
that most people don't think about. Try::Tiny and the other exception 
handling modules on CPAN were written to make it easier to get right.


On 2017/6/1 Thursday 0:38, Hiram Gibbard wrote:
> So when we say "from the internet" does that include intranet?  What I 
> have is a form that lists all the members of a group defined in LDAP. 
> The call to get the members for the group is all internal, to our 
> company's internal LDAP server. Is that considered "from the internet"? I 
> didn't write this app, just trying to make adjustments. Currently if 
> you hit a member of the group that has been terminated/removed from 
> LDAP, the app errors out because it is a member of the group that 
> it's trying to execute a lookup on while listing.
>
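
As an added worked example (not code from any poster on this thread, nor from Net::Domain::Registration::Check), here is the handler-side fix the replies converge on: call the croaking code inside a block eval, copy $@ at once, and turn a bad domain into a 400 instead of an uncaught die that Apache reports as a 500. The package name My::DomainHandler, the lookup_domain/tld_exists stand-ins with their KNOWN_TLD list, parse_domain_arg and the `var data={"error":...}` error shape are assumptions that replace the real module and its error format; the handler assumes mod_perl 2.

```perl
package My::DomainHandler;
use strict;
use warnings;
use Carp qw(croak);
use JSON::PP ();

# Assumption: a small stand-in for Net::Domain::Registration::Check, whose
# real API is not shown on the list. It keeps only the behaviour the original
# post describes: croak when the TLD is unknown.
my %KNOWN_TLD = map { $_ => 1 } qw(com net org de);

sub tld_exists { my ($tld) = @_; return exists $KNOWN_TLD{ lc $tld } }

sub lookup_domain {
    my ($domain) = @_;
    my ($tld) = $domain =~ /\.([^.]+)\z/ or croak "domain has no TLD";
    croak "domain TLD not exists" unless tld_exists($tld);
    # Constructed result; the real module would query the registry here.
    return { domain => $domain, registration => 'domain may be taken' };
}

# Run the croaking call inside eval BLOCK (never eval STRING) and report the
# outcome as data. The trailing "1" and the "if $ok" test eval's own return
# value: testing only $@ afterwards is the fragile pattern the Stack Overflow
# quote above warns about, because a DESTROY method or __DIE__ handler that
# runs while the stack unwinds can leave $@ empty even though the call died.
sub check_domain {
    my ($domain) = @_;
    my $result;
    my $ok = eval { $result = lookup_domain($domain); 1 };
    return { ok => 1, data => $result } if $ok;

    my $err = $@ || 'unknown error';        # copy $@ immediately, as advised
    $err =~ s/ at \S+ line \d+\.\n\z//;     # drop croak's " at FILE line N."
    return { ok => 0, error => $err };
}

# Only accept something that looks like a hostname before any lookup runs;
# everything else becomes a 400 without touching the registry code.
sub parse_domain_arg {
    my ($query) = @_;
    my ($d) = ($query // '') =~ /(?:\A|&)d=([^&]*)/ or return;
    $d =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $d =~ /\A[a-z0-9-]+(?:\.[a-z0-9-]+)+\z/i ? lc $d : undef;
}

# mod_perl 2 response handler. The Apache2::* modules are loaded lazily so the
# file also runs as a plain script outside the server.
sub handler {
    my ($r) = @_;
    require Apache2::RequestRec;  require Apache2::RequestIO;
    require Apache2::Log;         require Apache2::Const;
    Apache2::Const->import(-compile => qw(OK HTTP_BAD_REQUEST));

    my $json   = JSON::PP->new->canonical;
    my $domain = parse_domain_arg($r->args);
    my $res    = defined $domain
        ? check_domain($domain)
        : { ok => 0, error => 'missing or malformed d= parameter' };

    $r->content_type('application/javascript');
    if ($res->{ok}) {
        $r->print('var data=' . $json->encode($res->{data}));
    } else {
        # Log the detail server-side; answer the client with a 400 and a
        # short message instead of Apache's generic 500 page.
        $r->log_error("domain check failed for '" . ($domain // '') . "': $res->{error}");
        $r->status(Apache2::Const::HTTP_BAD_REQUEST());
        $r->print('var data=' . $json->encode({ error => $res->{error} }));
    }
    return Apache2::Const::OK();
}

# Modulino: `perl My/DomainHandler.pm yahoo.com yahoo.nonexist` exercises
# check_domain() without Apache; under PerlResponseHandler this block is skipped.
unless (caller) {
    my $json = JSON::PP->new->canonical;
    for my $d (@ARGV ? @ARGV : qw(yahoo.com yahoo.nonexist)) {
        print "$d => ", $json->encode(check_domain($d)), "\n";
    }
}

1;
```

Try::Tiny, which the quoted answer recommends, packages the same `eval { ...; 1 }` bookkeeping as try/catch syntax and can replace the body of check_domain unchanged in meaning.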


Re: capture exception

Posted by Hiram Gibbard <hg...@gmail.com>.
So when we say "from the internet" does that include intranet?  What I have
is a form that lists all the members of a group defined in LDAP. The call
to get the members for the group is all internal, to our company's internal
LDAP server. Is that considered "from the internet"? I didn't write this app,
just trying to make adjustments. Currently if you hit a member of the group
that has been terminated/removed from LDAP, the app errors out because it
is a member of the group that it's trying to execute a lookup on while
listing.

my %member_hash;
my $member_hash;
my $member_Co;
foreach (@memb) {
        # Fetch entry.

        my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
            ldap => $ldap,
            dn   => $_,
            opts => {control => $control}, # Important!
        );

        $member_Co =  $entry2->get_value('company');

 }

1. Is it a security issue to wrap the $entry2 code in an eval { } statement?
2. I'm thinking there is a better way to do this (code wise) because
ever since I put the eval {} in place (in dev env), groups with
thousands of members take a very long time to display.


here is the code for dn2entry.mpl:




On Tue, May 30, 2017 at 3:13 PM, John Dunlap <jo...@lariat.co> wrote:

> Okay, I can see that but we were talking specifically about eval. So, my
> examples were intended to showcase the two ways that eval can be called and
> not how to safely obtain data from the internet.
>
> On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:
>
>> On 05/30/2017 04:04 PM, John Dunlap wrote:
>> > In that example, the contents of $data are never evaluated by eval so
>> > even if it can be "smashed"(whatever that means) eval would have nothing
>> > to do with the failure.
>>
>>
>> it means your bringing in data without a limit and you can smash the
>> stack like that and I've seen this kind of code do just that.
>>
>> That is not just an issue for eval...
>>
>>
>>
>>
>
>
>
>




Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
Okay, I can see that but we were talking specifically about eval. So, my
examples were intended to showcase the two ways that eval can be called and
not how to safely obtain data from the internet.

On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> On 05/30/2017 04:04 PM, John Dunlap wrote:
> > In that example, the contents of $data are never evaluated by eval so
> > even if it can be "smashed"(whatever that means) eval would have nothing
> > to do with the failure.
>
>
> it means your bringing in data without a limit and you can smash the
> stack like that and I've seen this kind of code do just that.
>
> That is not just an issue for eval...
>
>
>
>




Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
On 05/30/2017 04:04 PM, John Dunlap wrote:
> In that example, the contents of $data are never evaluated by eval so
> even if it can be "smashed"(whatever that means) eval would have nothing
> to do with the failure.


It means you're bringing in data without a limit and you can smash the
stack like that, and I've seen this kind of code do just that.

That is not just an issue for eval...




Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
In that example, the contents of $data are never evaluated by eval so even
if it can be "smashed"(whatever that means) eval would have nothing to do
with the failure.

On Tue, May 30, 2017 at 4:01 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> On 05/30/2017 02:29 PM, John Dunlap wrote:
> > eval {
> >     my $data = get_data_from_internet();
> > };
>
> $data needs to be scrubbed before using and you think you can't smash
> $data??
>
>




Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
On 05/30/2017 02:29 PM, John Dunlap wrote:
> eval {
>     my $data = get_data_from_internet();
> };

$data needs to be scrubbed before using and you think you can't smash
$data??


Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
More (and perhaps more confusing) examples:
# SECURITY RISK
eval qq{
    my $data = get_data_from_internet();
};
if ($@) {
    # TODO: Handle errors
}

# SECURITY RISK
eval q{
    my $data = get_data_from_internet();
};
if ($@) {
    # TODO: Handle errors
}

# NOT A SECURITY RISK
eval {
    my $data = get_data_from_internet();
};
if ($@) {
    # TODO: Handle errors
}


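As an added illustration, not code from the thread, here is the eval BLOCK form applied to the original question: a stand-in for the croaking module check and a handler-side wrapper that turns the croak into a 400 response instead of a 500. The check function, the known-TLD table and the client-error list are constructed for this example; the real Net::Domain::Registration::Check API is not reproduced here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);
use JSON::PP;

# Stand-in for the CPAN module's check (constructed for this example, not
# the real Net::Domain::Registration::Check code). It croaks on an unknown
# TLD, which is exactly what surfaced as a 500 in the original handler.
my %KNOWN_TLD = map { $_ => 1 } qw(com net org);

sub registration_status {
    my ($domain) = @_;
    my ($tld) = $domain =~ /\.([a-z0-9-]+)\z/i
        or croak "invalid domain name";
    croak "domain TLD not exists" unless $KNOWN_TLD{ lc $tld };
    return 'domain may be taken';     # placeholder result
}

# Messages we are willing to echo back to the client as a 400; anything
# else is an internal failure and the client only gets a generic 500.
my %CLIENT_ERROR = map { $_ => 1 } ('invalid domain name', 'domain TLD not exists');

# The handler-side fix: wrap the call in eval BLOCK (a block of code, never
# a string built from request data) and test eval's own return value, so the
# check works even when $@ happens to be false.
sub check_domain_response {
    my ($domain) = @_;
    local $@;                      # keep our eval from clobbering the caller's $@
    my $result;
    my $ok = eval {
        $result = registration_status($domain);
        1;                         # reached only if nothing died
    };
    if ($ok) {
        return (200, { registration => $result, domain => $domain });
    }
    my $err = $@ || 'unknown error';
    $err =~ s/ at \S+ line \d+\.?\s*\z//;   # drop the "at FILE line N." Carp appends
    return (400, { error => $err, domain => $domain }) if $CLIENT_ERROR{$err};
    warn "domain check failed for '$domain': $err\n";   # full detail to the error log only
    return (500, { error => 'internal error', domain => $domain });
}

# In the mod_perl handler these two values become $r->status(...) and
# $r->print(...); here they are printed so the script runs stand-alone.
my $json = JSON::PP->new->canonical;
for my $d (qw(yahoo.com yahoo.nonexist yahoo)) {
    my ($status, $body) = check_domain_response($d);
    print "$d -> HTTP $status, var data=", $json->encode($body), "\n";
}
```

yahoo.com yields 200 with the original response shape, while yahoo.nonexist and the dotless name both yield 400 with the croak message and no stack or path leaking to the client.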
Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
With all due respect, Ruben, unless I'm totally missing something (which is
totally possible), you're being a little alarmist. According to perldoc you
can call eval in two different ways:

   - *eval EXPR*
   - *eval BLOCK*

The first approach is inherently a security risk, as you have correctly
pointed out, but the second is not inherently a security risk and, to the
best of my knowledge, is the only way of catching unhandled runtime errors.
For example,

# SECURITY RISK
my $data = get_data_from_internet();
eval $data;

# NOT A SECURITY RISK
eval {
    my $data = get_data_from_internet();
};
if ($@) {
    # TODO: Handle errors
}

On Tue, May 30, 2017 at 1:47 PM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> On Tue, May 30, 2017 at 05:10:17PM +0100, Clive Eisen wrote:
> > It is only a security hole if you eval user input.
> >
>
>
> What do you call return values from the internet?
>

Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
On Tue, May 30, 2017 at 05:10:17PM +0100, Clive Eisen wrote:
> It is only a security hole if you eval user input.
> 


What do you call return values from the internet?



Re: capture exception

Posted by Clive Eisen <cl...@hildebrand.co.uk>.
It is only a security hole if you eval user input.


--
Clive Eisen
GPG: 75056DD0

> On 30 May 2017, at 17:00, Hiram Gibbard <hg...@gmail.com> wrote:
> 
> > I might be hijacking this... Sorry, but... I recently used the Perl eval function to determine if an ldap search returned an error or not. Basically, a user's record has an attribute that points to an assistant, and if that assistant no longer exists the app was throwing an error since it executed an ldap call to that assistant's record. So I used eval to check if the error was returned, and if so, skipped the function where it tried searching the assistant record in ldap.  Is this the same eval scenario you described which has a security hole?
> 
> 
> I was just reading everyone's reply and now I am worried I created a security hole.
> 
> Thanks


Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
> 
> 
> I was just reading everyone's reply and now I am worried I created a
> security hole.
> 

eval will randomly execute ANY externally acquired string and run it with
the full power and authority of Perl and your webserver.

Nothing but static strings of known perl code should be using eval...
actually it is better to just not use eval.  Error checking can be done
on the fly and code that fails for some reason should end the process.

Apache will rekick an instance anyway.




Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
At the risk of oversimplifying the issue:
BAD: eval "MY CODE";
GOOD: eval {MY CODE};

On Tue, May 30, 2017 at 12:00 PM, Hiram Gibbard <hg...@gmail.com> wrote:

> I might be hijacking this... Sorry, but... I recently used the Perl eval
> function to determine if an ldap search returned an error or not. Basically,
> a user's record has an attribute that points to an assistant, and if that
> assistant no longer exists the app was throwing an error since it executed an
> ldap call to that assistant's record. So I used eval to check if the error
> was returned, and if so, skipped the function where it tried searching the
> assistant record in ldap.  Is this the same eval scenario you described
> which has a security hole?
>
>
> I was just reading everyone's reply and now I am worried I created a
> security hole.
>
> Thanks

Re: capture exception

Posted by Hiram Gibbard <hg...@gmail.com>.
I might be hijacking this... Sorry, but... I recently used the Perl eval
function to determine if an ldap search returned an error or not. Basically,
a user's record has an attribute that points to an assistant, and if that
assistant no longer exists the app was throwing an error since it executed an
ldap call to that assistant's record. So I used eval to check if the error
was returned, and if so, skipped the function where it tried searching the
assistant record in ldap.  Is this the same eval scenario you described
which has a security hole?


I was just reading everyone's reply and now I am worried I created a
security hole.

Thanks


-- 
Hiram Gibbard
hgibbard@gmail.com
http://hiramgibbard.com

Re: capture exception

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
> On 30 May 2017, at 16:58, pali@cpan.org wrote:
> 
> On Tuesday 30 May 2017 15:53:13 James Smith wrote:
>> String eval should be avoided at all costs [especially if you parse user
>> input] - functional eval is different - and is a good model for catching
>> errors etc
> 
> Yes, string eval should be avoided in all usage. But this discussion was
> about that functional eval.

Aye - right you are - apologies for causing confusion and missing the (/{.

Dw.

Re: capture exception

Posted by pa...@cpan.org.
On Tuesday 30 May 2017 15:53:13 James Smith wrote:
> String eval should be avoided at all costs [especially if you parse user
> input] - functional eval is different - and is a good model for catching
> errors etc

Yes, string eval should be avoided in all usage. But this discussion was
about that functional eval.

> {There are some good uses of string eval - e.g. dynamically "use"ing
> modules}

That is wrong too. If you need to load a module dynamically, do it also
without stringified eval, to ensure security (somebody can include ';'
in the module name...). It is done by "require" and "import". But easier
would be to use Module::Runtime, which calls "require" correctly for you:
https://metacpan.org/pod/Module::Runtime

> James

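An added example, not from the thread, of the run-time module loading pali describes: validate the name, map it to a file, and use require plus import instead of a string eval. The helper names are this example's own; Module::Runtime's use_module does the same job on CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# A valid Perl package name: identifiers separated by '::' and nothing else.
# Anything carrying ';', '/', whitespace or quotes fails here, before it
# reaches require, so it is never compiled as code the way a string eval would.
sub is_module_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/ ? 1 : 0;
}

# Foo::Bar -> Foo/Bar.pm, the key perl uses in %INC and searches for in @INC.
sub module_to_file {
    my ($name) = @_;
    (my $file = $name) =~ s{::}{/}g;
    return "$file.pm";
}

# Load and import a module whose name arrives at run time, without string eval.
# Returns the package name on success and dies with a plain message otherwise.
sub load_module {
    my ($name, @imports) = @_;
    die "refusing to load invalid module name\n" unless is_module_name($name);
    my $file = module_to_file($name);
    my $err;
    {
        local $@;                               # do not disturb the caller's $@
        eval { require $file; 1 }               # require EXPR with a *file path* string
            or $err = $@ || 'unknown error';
    }
    die "cannot load $name: $err" if defined $err;
    # ->import is what 'use' calls at compile time; perl treats a missing
    # import method as a no-op, so this is safe for modules that export nothing.
    # Exported symbols land in this package (the caller of import).
    $name->import(@imports);
    return $name;
}

# Demonstration on constructed inputs: one real core module, one that is not
# installed, and one that is not a module name at all.
for my $candidate ('List::Util', 'No::Such::Module::Here', 'List::Util; 1') {
    my $loaded = eval { load_module($candidate); 1 };
    my $reason = $loaded ? 'loaded' : "rejected: $@";
    chomp $reason;
    printf "%-24s %s\n", $candidate, $reason;
}
# List::Util is now loaded, so its functions can be called by their full name.
print "sum via dynamically loaded List::Util: ", List::Util::sum(1, 2, 3), "\n";
```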
Re: capture exception

Posted by James Smith <js...@sanger.ac.uk>.
String eval should be avoided at all costs [especially if you parse user 
input] - functional eval is different - and is a good model for catching 
errors etc

{There are some good uses of string eval - e.g. dynamically "use"ing 
modules}

James


On 2017-05-30 03:46 PM, Ruben Safir wrote:
> Using eval is an unacceptable security bug for all online and public
> access programs that acquire data from external non-secured sources.

Re: capture exception

Posted by pa...@cpan.org.
On Tuesday 30 May 2017 10:46:08 Ruben Safir wrote:
> Using eval is an unacceptable security bug for all online and public
> access programs that acquire data from external non-secured sources.

Eval is exception handling. It catches problems which could be a security
problem (like a DOS attack), to correctly handle errors and recover.

Correct and secure code, as in defensive programming, should handle
*all* possible errors which could come from external modules or external
sources and recover from the error state. And the tool for this is: eval.

Re: capture exception

Posted by Ruben Safir <ru...@mrbrklyn.com>.
Using eval is an unacceptable security bug for all online and public
access programs that acquire data from external non-secured sources.



On Tue, May 30, 2017 at 09:39:53AM -0400, John Dunlap wrote:
> Yes, I do that extensively and it works perfectly. It's as close to a true
> Try/Catch block as we have in the perl world. However, I *usually* do not
> return values from it because I use this construct to control my database
> transaction demarcation and using the return value from outside of the eval
> wouldn't be inside the transaction. With that said, I have had to do it
> from time to time and it works just fine. Also, it is advisable to copy the
> contents of $@ into a separate variable immediately. My understanding is
> that this can prevent some weird concurrency issues, under some conditions.
> My general form looks something like this,
> 
> my $return = eval {
>     # BEGIN DATABASE TRANSACTION
> 
>     # DO SOME STUFF
> 
>     # COMMIT DATA BASE TRANSACTION
> 
>     return 'SOME VALUE';
> };
> 
> if ($@) {
>     my $error = $@;
> 
>     # ROLLBACK DATABASE TRANSACTION
> 
>     # LOG ERROR
> }
> 
> 
> On Tue, May 30, 2017 at 4:47 AM, James Smith <js...@sanger.ac.uk> wrote:
> 
> > Not really a mod_perl question but you can always wrap your method call in
> > an eval
> >
> > my $ret = eval { $m->...() };
> >
> > And then check $@ for the error message


Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
I think my head just exploded in a cloud of purple smoke.

On Tue, May 30, 2017 at 10:03 AM, <pa...@cpan.org> wrote:

> Hi!
>
> Please note that a true value in $@ is *not* a necessary condition for
> checking if an error in eval occurred. And similarly an empty string or
> logically false value in $@ is *not* a necessary condition that eval succeeded.
>
> The only thing which is guaranteed is an undef return value from eval in
> case it failed. So the correct check is:
>
> my $success = eval {
>   # MY CODE
>   1;
> };
>
> unless ($success) {
>   # HANDLE ERROR, $@ may (but does not have to) contain error
> }
>
> "1;" in eval block is there to set $success to 1. In case MY CODE throw
> error, $success is set to undef by perl.

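An added example, not from the thread, that shows the two points quoted above: an exception object that is false in boolean context slips past `if ($@)` but not past `eval { ...; 1 } or`, and a helper without `local $@` wipes out its caller's pending error. FalseError and the helper names are constructed for the demo; it assumes Perl 5.14 or newer for the package block syntax.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Exception class that is *false* in boolean context (constructed for the
# demo; any exception object with an overloaded bool behaves the same way).
package FalseError {
    use overload
        'bool'   => sub { 0 },
        '""'     => sub { $_[0]->{message} },
        fallback => 1;
    sub new { my ($class, %args) = @_; return bless { %args }, $class }
}

package main;

sub risky { die FalseError->new(message => 'quota exceeded') }

# The common idiom: treats a false $@ as "no error" and so misses this one.
sub detect_via_dollar_at {
    eval { risky() };
    return $@ ? 'error' : 'ok';       # 'ok', although risky() died
}

# The idiom from the thread: a trailing 1; makes the block's own return value
# the success flag, so the failure is reported whatever $@ holds.
sub detect_via_return_value {
    local $@;
    my $ok = eval { risky(); 1 };
    return $ok ? 'ok' : 'error';      # 'error'
}

# Why local $@ matters: a helper whose own eval succeeds resets $@ to "",
# wiping out an error its caller has not looked at yet.
sub helper_without_local { my $ok = eval { 1 }; return }
sub helper_with_local    { local $@; my $ok = eval { 1 }; return }

sub callers_error_after {
    my ($helper) = @_;
    eval { die "outer error\n" };
    $helper->();                      # caller has not examined $@ yet
    my $err = $@;
    chomp $err;
    return $err;    # "" after helper_without_local, "outer error" after helper_with_local
}

print  "if (\$@) check:             ", detect_via_dollar_at(), "\n";
print  "eval { ...; 1 } check:      ", detect_via_return_value(), "\n";
printf "caller's \$@ without local: '%s'\n", callers_error_after(\&helper_without_local);
printf "caller's \$@ with local:    '%s'\n", callers_error_after(\&helper_with_local);
```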
Re: capture exception

Posted by pa...@cpan.org.
Hi!

Please note that a true value in $@ is *not* a necessary condition for
checking if an error in eval occurred. And similarly an empty string or
logically false value in $@ is *not* a necessary condition that eval succeeded.

The only thing which is guaranteed is an undef return value from eval in
case it failed. So the correct check is:

my $success = eval {
  # MY CODE
  1;
};

unless ($success) {
  # HANDLE ERROR, $@ may (but does not have to) contain error
}

The "1;" in the eval block is there to set $success to 1. In case MY CODE
throws an error, $success is set to undef by perl.

Note that $@ is propagated back, so you should localize $@ before
calling eval. This is especially required if MY CODE (or a function called
from MY CODE) also calls eval.

So you can use this pattern:

{
  local $@;
  eval {
    # MY CODE
    1;
  } or do {
    # HANDLE ERROR in $@ (but may be undef!)
  };
}

If you do not write 1; then the return value is taken from the last call in
MY CODE. So if it is also a problem when the last function returns non zero,
then you can remove "1;". You can also combine it with an "and" block, but
beware of and/or logical blocks:

{
  local $@;
  eval {
    func_which_may_die_or_fail_with_zero();
  } and do {
    print "function succeeded\n";
    func_may_fail_with_zero();
  } or do {
    my $err = $@ || 'unknown error';
    warn "Error: $err\n";
    rollback();
  };
}

But I suggest using a module like Try::Tiny or Try::Catch, which handle the
above eval and $@ logic for you, so you can easily write:

use Try::Tiny;   # or: use Try::Catch;

try {
  # MY CODE
} catch {
  # HANDLE ERROR in $_ (may be undef!)
  my $err = $_ || 'unknown error';
};

On Tuesday 30 May 2017 09:39:53 John Dunlap wrote:
> Yes, I do that extensively and it works perfectly. It's as close to a true
> Try/Catch block as we have in the perl world. However, I *usually* do not
> return values from it because I use this construct to control my database
> transaction demarcation and using the return value from outside of the eval
> wouldn't be inside the transaction. With that said, I have had to do it
> from time to time and it works just fine. Also, it is advisable to copy the
> contents of $@ into a separate variable immediately. My understanding is
> that this can prevent some weird concurrency issues, under some conditions.
> My general form looks something like this,
> 
> my $return = eval {
>     # BEGIN DATABASE TRANSACTION
> 
>     # DO SOME STUFF
> 
>     # COMMIT DATA BASE TRANSACTION
> 
>     return 'SOME VALUE';
> };
> 
> if ($@) {
>     my $error = $@;
> 
>     # ROLLBACK DATABASE TRANSACTION
> 
>     # LOG ERROR
> }
> 
> 
> On Tue, May 30, 2017 at 4:47 AM, James Smith <js...@sanger.ac.uk> wrote:
> 
> > Not really a mod_perl question but you can always wrap your method call in
> > an eval
> >
> > my $ret = eval { $m->...() };
> >
> > And then check $@ for the error message
> >
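
The handler-side fix discussed in this thread, written out as an added example (it is not code from the thread, from mod_perl, or from Net::Domain::Registration::Check). check_domain is a stand-in that croaks on an unknown TLD the way the real module does, using a constructed three-entry TLD table so it runs offline; handle_request is a hypothetical plain function returning (status, body) in place of a real mod_perl handler; Quiet::Error is a constructed exception class that shows the case described above where eval fails yet $@ is false. The untrusted query value (?d=...) is mapped to a 400 with a fixed message, and the croak text, which carries file and line information, goes only to the server log.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Carp qw(croak);
use JSON::PP ();

# Constructed TLD table (assumption for the example); the real module
# consults a full list of existing TLDs.
my %KNOWN_TLD = map { $_ => 1 } qw(com org net);

# Stand-in for the checker module: croaks exactly like the thread's
# 'croak "domain TLD not exists" unless tld_exists($tld);'
sub check_domain {
    my ($domain) = @_;
    my ($tld) = $domain =~ /\.([a-z0-9-]+)\z/i
        or croak "malformed domain name";
    croak "domain TLD not exists" unless $KNOWN_TLD{ lc $tld };
    return { domain => $domain, registration => 'domain may be taken' };
}

# Hypothetical handler logic, returning (status, body) so it runs outside
# Apache. A real handler would take an Apache2::RequestRec and set the
# status and print the body through it.
sub handle_request {
    my ($d) = @_;
    $d = '' unless defined $d;
    my $json = JSON::PP->new->canonical;

    local $@;    # keep this eval from clobbering or leaking a caller's $@
    my $result;
    my $ok = eval { $result = check_domain($d); 1 };
    unless ($ok) {
        # $@ may be empty or false even though eval failed, so the success
        # flag, not $@, decides the branch.
        my $err = $@ || 'unknown error';
        # Real reason goes to the server log only; croak text includes the
        # file and line of the call site and is not echoed to the client.
        warn "domain check failed for '$d': $err";
        return (400, 'var data=' . $json->encode({ error => 'invalid domain' }) . ';');
    }
    return (200, 'var data=' . $json->encode($result) . ';');
}

# Constructed exception class whose boolean value is false: die still sets
# $@ to it, but "if ($@)" then mistakes the failed eval for success. The
# undef return value of eval reports the failure regardless.
package Quiet::Error;
use overload
    'bool'   => sub { 0 },
    '""'     => sub { 'quiet failure' },
    fallback => 1;
sub new { return bless {}, shift }

package main;

sub compare_checks {
    my $ok = eval { die Quiet::Error->new; 1 };
    my $by_return = $ok ? 'missed' : 'failed';    # undef return: failure seen
    eval { die Quiet::Error->new; 1 };
    my $by_errvar = $@ ? 'failed' : 'missed';     # false $@: failure missed
    return ($by_return, $by_errvar);
}

unless (caller) {
    for my $d ('yahoo.com', 'yahoo.nonexist') {
        my ($status, $body) = handle_request($d);
        print "$d -> $status $body\n";
    }
    my ($by_return, $by_errvar) = compare_checks();
    print "eval return value: $by_return; \$\@ check: $by_errvar\n";
}
```

Running it prints a 200 with the JSON for yahoo.com, a 400 with {"error":"invalid domain"} for yahoo.nonexist (the croak text appears only on STDERR via warn), and "eval return value: failed; $@ check: missed" for the false-valued exception. Since perl 5.14, die sets $@ only after unwinding, so a DESTROY method that calls eval no longer clobbers it; the boolean-false exception object shown here is the case that still defeats an if ($@) test on current perls.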

Re: capture exception

Posted by John Dunlap <jo...@lariat.co>.
Yes, I do that extensively and it works perfectly. It's as close to a true
Try/Catch block as we have in the perl world. However, I *usually* do not
return values from it because I use this construct to control my database
transaction demarcation and using the return value from outside of the eval
wouldn't be inside the transaction. With that said, I have had to do it
from time to time and it works just fine. Also, it is advisable to copy the
contents of $@ into a separate variable immediately. My understanding is
that this can prevent some weird concurrency issues, under some conditions.
My general form looks something like this,

my $return = eval {
    # BEGIN DATABASE TRANSACTION

    # DO SOME STUFF

    # COMMIT DATA BASE TRANSACTION

    return 'SOME VALUE';
};

if ($@) {
    my $error = $@;

    # ROLLBACK DATABASE TRANSACTION

    # LOG ERROR
}


On Tue, May 30, 2017 at 4:47 AM, James Smith <js...@sanger.ac.uk> wrote:

> Not really a mod_perl question but you can always wrap your method call in
> an eval
>
> my $ret = eval { $m->...() };
>
> And then check $@ for the error message
>

Re: capture exception

Posted by James Smith <js...@sanger.ac.uk>.
Not really a mod_perl question but you can always wrap your method call 
in an eval

my $ret = eval { $m->...() };

And then check $@ for the error message


On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> greeting,
>
> I am not so good at perl/modperl,:)
>
> In the handler, a method from a class was called, when something dies 
> from within the method, what's the correct way the handler will take?
>
> for example, I wrote this API which works right if given a correct 
> domain name:
>
> http://fenghe.org/domain/?d=yahoo.com
>
> server response:
> var data={"registration":"domain may be taken","domain":"yahoo.com"}
>
> If given a wrong domain name:
>
> http://fenghe.org/domain/?d=yahoo.nonexist
>
> The server returns 500.
>
> This is because, in the handler, I used this module (also written by me):
>
> http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
>
> And in the module, a croak like this happened,
>
> croak "domain TLD not exists" unless tld_exists($tld);
>
> When the handler meets the croak, it dies (I guess) and the server returns 500.
>
> How will I make the full system work right? fix on handler, or the 
> module itself?
>
> Thanks.



-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.