Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re^4: CGI::Application vs CGI::Builder

by adrianh (Chancellor)
on May 03, 2004 at 14:26 UTC ( #350021=note: print w/replies, xml ) Need Help??


in reply to Re: Re: Re: CGI::Application vs CGI::Builder
in thread CGI::Application vs CGI::Builder

It's exactly that ;-). Just try to install an old version and you will have a prompt telling you that you are installing an old version

If they're installing automatically from CPAN they'll get the latest CPAN version automatically.

If they're deliberately requesting and older version then they're doing it deliberately and don't want the warning.

If your site has a more up-to-date version than the one on CPAN surely its your job to get the latest version uploaded to PAUSE ;-)

In any case this doesn't need you to execute arbitrary code - you just need to fetch the version number and do a comparison.

and for the counter... knowing how many people find useful my work is one of the reasons that make me publish my modules ;-)

If you really have to have a counter then a simple HTTP GET will do the job (it can be the GET you use to get the current version if you really want to do the version checking twice).

A count of module usage produced in this way will, of course, be wildly inaccurate since there are lots of installs that have nothing to do with actual usage (CPAN testers, people who are curious but never use, etc.)

Well, if you go through some old version of my modules, the Makefile.PL had a prompt. After receiving a lot of users' complaint i take off the prompt. No secret backdoor.

Just because people didn't like the warning doesn't mean it shouldn't have been there. I for one would be extremely annoyed if a CPAN module was downloading an executing code that I didn't see first. Especially since in this instance there is no need to download and execute arbitrary code. From the other reactions here many people seem to share that opinion.

The effort and time that require writing modules like CGI::Builder and related documentation is a little bit TOO MUCH to be wasted in similar stupid hacks.

Unfortunately there is a large body of evidence that nasty people are willing to expend foolishly large amounts of time and effort in producing exploits.

Note: I am not trying to imply that you are such a nasty person. As a human being I try to be all nice and fluffy and trust people until they do something to demonstrate that I can't trust them. I like living my live that way.

However, as a computing professional I can't trust something that runs arbitrary code on my or my clients machines. With your system look at who I have to trust (in addition to CPAN):

  • I have to trust that the code that is downloaded is actually okay and I have to go through another step to download and inspect it.
  • I have to trust that you are not an evil person who is deliberately trying to exploit my machine. You might be doing really evil things like only putting the exploit in every 8th download so a simple check on what's downloaded isn't enough.
  • I have to trust that somebody has not cracked your box and is feeding us an exploit without your knowledge.
  • I have to trust everything between my box and your box is not pretending to be your box and feeding me an exploiit.
  • etc.
I think that a possible solution may be adding an expiration date in the code in the Makefile.PL, thus if it runs after that date, it just warn the user of the probably old version and does nothing with perl.4pro.net.

This only reduces the window of opportunity. It does not remove it.

Any other suggestion?
  1. Just don't do it at all. Let CPAN handle your versioning problems. Get your feedback from users via e-mail, cpanratings, etc. Learn not to worry about the number of times your code is installed since it doesn't really mean much.
  2. If you really cannot cope without some meaningless numbers do not download and execute arbitrary code. You don't need to do so if all you want to do is check a version number or get a count of the number of times Makefile.PL is run.
  3. Ask the user before starting any network connections off your own back.

Replies are listed 'Best First'.
Re: Re^4: CGI::Application vs CGI::Builder
by Anonymous Monk on May 03, 2004 at 20:21 UTC

    I perfectly agree with you, but please, consider this:

    There is no problem with CPAN version handling, the problem is that there are a lot of old installation coming from activestate. I really hate to see that someone could run some old version that may have some bug which is already fixed in the new version. (hubris?)

    > Learn not to worry about the number of times your code is installed
    > since it doesn't really mean much.

    Well, I am not english native, and writing the documentation takes me really A LOT of time, so knowing that my effort are useful to someone really helps me, even if the numbers are "wildly inaccurate". Nobody likes to do something possibly useless!

    > Unfortunately there is a large body of evidence that nasty people are
    > willing to expend foolishly large amounts of time and effort in producing exploits.

    That's true, but who could be so stupid to do bad things using its own name and its own registered domain? Anyway, I hope that my quick fix can solve that problem.

    Thank you for your feedback. I will take it into consideration.

    dd

      but who could be so stupid to do bad things using its own name and its own registered domain?

      How do I know you're you, that it's your domain, etc. :-)

      Also it might not be you. EvilHacker may spend foolishly large amounts of time cracking your box.

      Anyway, I hope that my quick fix can solve that problem

      Yes it does. Although I still think that asking before making a network connection that the user didn't ask for is the only polite thing to do.

        How do I know you're you

        Simple: just take a look at the placement of the semicolons :-))))

        EvilHacker may spend foolishly large amounts of time cracking your box.

        ... and this is a responsability that I don't want to have, so I changed, re-buld and just published on CPAN a new version of all my distributions, each one including the changed Makefile.PM version check. No more security problems.

        Domizio Demichelis

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://350021]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (4)
As of 2019-12-16 07:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?