Remote.pm (File::Remote) error handling question - PERL Modules

  1. #1

    Remote.pm (File::Remote) error handling question

    In File::Remote, the actual call (in my case to scp) is made by this
    routine.

    sub _system {
        my($self, @cmd) = _self_or_default(@_);

        # return "Broken pipe" if cmd invalid
        chomp(my $return = `@cmd 2>&1 1>/dev/null || echo 32`);
        _debug("_system(@cmd) = $return");

        if ($return) {
            # if echo'ed an int (internal tests), use it, else use
            # "Permission denied" (13)
            $return =~ m/^(\d+)$/;
            $! = $1 || 13;
            return undef;
        }
        return 1;
    }

    When the call succeeds, all is well. However, if it fails, is there
    any obvious reason why it would always use Permission Denied (13)
    instead of returning the actual error returned by the call? If I
    follow this correctly, then if the actual call to the command in @cmd
    fails, $result will contain whatever @cmd put out to stderr, plus a
    line with 32, but the return code ($?) will still be 0. The only way
    I see for $1 to get something (ignoring any previous matches) was if
    @cmd writes an integer to stderr, but exits with 0.

    Am I missing something?

    terminlman@yahoo.com Guest

  2. #2

    Re: Remote.pm (File::Remote) error handling question

    A hacker can use File::Remote to create programs on somebody else's
    server, such as a webserver. If the errors generated by improper use
    of File::Remote (i.e. such as writing into directories that aren't
    there) are passed back to the hacker, they can use this information to
    infer the directory structure on the remote computer, what type of
    server it is, and even gain access to account directories.

    To protect against this, it is common practice to replace any returned
    errors with a general "permission denied" or "an error occurred,
    contact the administrator" error. This way, even if the hacker
    accidentally did gain access into the remote computer at a level that
    they could write to it, they are less likely to know of their success.

    Andy Guest

  3. #3

    Re: Remote.pm (File::Remote) error handling question

    If File::Remote is used within the CGI structure of a web site, then
    restricting the error messages that get passed back makes sense - but
    should that really be the job of File::Remote, or should it be the
    job of whatever uses it and then formats the results to surface on the
    web page being generated? It's nice to help protect people from
    themselves, but I want to use this locally - no web involved at all -
    so restricting information that would help me figure out what's going
    wrong still doesn't make sense to me.

    Oh well. I'm just writing a script for a very specific purpose (not
    web related) so it turns out to be easier just to roll my own
    (backticks and explicitly checking both return value and $?) and not
    use the module.

    Jack Guest
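
The approach described in reply #3 (run the command yourself and check both its output and `$?`), combined with the point from reply #2 that untrusted clients should only see a generic message, as an added example that is not code from this thread or from File::Remote. The names `run_cmd` and `public_message` are hypothetical, and `cp` with a constructed, non-existent path stands in for the `scp` call so the example runs offline.

```perl
use strict;
use warnings;

# Run a command in list form (no shell involved) with stdout discarded and
# stderr captured. Returns { ok, exit, signal, stderr } describing the result.
sub run_cmd {
    my @cmd = @_;
    pipe(my $r, my $w) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                                  # child process
        close $r;
        open(STDOUT, '>', '/dev/null') or exit 127;
        open(STDERR, '>&', $w)         or exit 127;
        exec { $cmd[0] } @cmd
            or do { print STDERR "exec $cmd[0]: $!\n"; exit 127 };
    }
    close $w;
    my $stderr = do { local $/; <$r> } // '';         # read until the child closes it
    close $r;
    waitpid($pid, 0);
    my $status = $?;                                  # raw wait status
    chomp $stderr;
    return {
        ok     => $status == 0 ? 1 : 0,
        exit   => $status >> 8,                       # the command's exit code
        signal => $status & 127,                      # non-zero if killed by a signal
        stderr => $stderr,
    };
}

# The caller, not the transfer routine, decides what each audience sees:
# a fixed message for an untrusted client, full detail for the local log.
sub public_message {
    my ($res) = @_;
    return $res->{ok} ? 'OK' : 'An error occurred, contact the administrator';
}

# Constructed demo: a copy whose source path does not exist.
my $res = run_cmd('cp', '/nonexistent/source.example', '/tmp/dest.example');
warn sprintf("detail: exit=%d signal=%d stderr=%s\n",
             @{$res}{qw(exit signal stderr)});
print public_message($res), "\n";
```

The detailed line goes to stderr (or a log) for the operator, while only the fixed string is printed for the client.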

  4. #4

    Re: Remote.pm (File::Remote) error handling question

    You can always customize the code in that module and keep a copy for
    yourself. Just comment out the part that moves the "access denied"
    code:

    i.e.

    $! = $1 || 13;

    becomes

    $! = $1; # || 13

    save the code and then do the following commands on the root directory
    for the module:

    perl Makefile.PL
    nmake
    nmake test
    nmake install

    The module should now return the actual error code.


    Andy Guest
