Re: A better way ?

2002-04-18 Thread Michael G Schwern
On Thu, Apr 18, 2002 at 06:21:52AM +0200, Paul Johnson wrote: On Wed, Apr 17, 2002 at 07:59:22PM -0400, Michael G Schwern wrote: Just because the safety is on doesn't mean you should juggle handguns. Never know whose foot it'll blow off. Awww. You're no fun. *bang* -- Michael G.

Re: A better way ?

2002-04-18 Thread Steffen Mueller
Michael G Schwern [EMAIL PROTECTED] wrote in news post news:20020417205231.GV851@blackrider... | On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote: | There's already a %dispatch set up for you by perl... | | I'd have used it but it just fell into

Re: A better way ?

2002-04-18 Thread abigail
On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote: I have the habit of doing: last if (substr($vFlag, 1, 3) eq 'END'); $vSub = \&Sneex if (substr($vFlag, 1, 5) eq 'SNEEX'); $vSub = \&Admin if (substr($vFlag, 1, 5) eq 'ADMIN'); $vSub = \&Reports if (substr($vFlag, 1,

Re: A better way ?

2002-04-18 Thread Steve Lane
[EMAIL PROTECTED] wrote: On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote: I have the habit of doing: last if (substr($vFlag, 1, 3) eq 'END'); $vSub = \&Sneex if (substr($vFlag, 1, 5) eq 'SNEEX'); $vSub = \&Admin if (substr($vFlag, 1, 5) eq 'ADMIN'); $vSub

Re: A better way ?

2002-04-17 Thread Steven Lembark
-- Bill -Sx- Jones [EMAIL PROTECTED] I have the habit of doing: last if (substr($vFlag, 1, 3) eq 'END'); $vSub = \&Sneex if (substr($vFlag, 1, 5) eq 'SNEEX'); $vSub = \&Admin if (substr($vFlag, 1, 5) eq 'ADMIN'); $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS'); $vSub

Re: A better way ?

2002-04-17 Thread Michael G Schwern
On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote: I have the habit of doing: last if (substr($vFlag, 1, 3) eq 'END'); $vSub = \&Sneex if (substr($vFlag, 1, 5) eq 'SNEEX'); $vSub = \&Admin if (substr($vFlag, 1, 5) eq 'ADMIN'); $vSub = \&Reports if (substr($vFlag, 1,

Re: A better way ?

2002-04-17 Thread Steven Lembark
suicide is an honorable option. croak "$$: The users are idiots!" unless $api eq 'makes sense'; Adding in some sort of delimiter: SNEEX|ADMIN|END my %jumpz = ( SNEEX => \&foo, ADMIN => \&bar, ... ); my $regex = join '|', keys %jumpz; if( my ($name) = $vflag =~

Re: A better way ?

2002-04-17 Thread Bill -Sx- Jones
On 4/17/02 2:22 PM, Michael G Schwern [EMAIL PROTECTED] wrote: The above implies the format is something like: SNEEXADMINEND in which case, suicide is an honorable option. :) Actually, the input data looks more like [SNEEX] [ADMIN] [END] Sorry for the mass hysteria;

Re: A better way ?

2002-04-17 Thread Steven Lembark
Actually, the input data looks more like [SNEEX] [ADMIN] [END] my $regex = '\b(' . join('|', keys %jumpz) . ')\b'; if( my ($name) = $foo =~ /$regex/o ) { my $sub = $jumpz{$name}; ... } Sorry for the mass hysteria; What hysteria? Hysteria? Oh, no...

Re: A better way ?

2002-04-17 Thread Michael G Schwern
On Wed, Apr 17, 2002 at 02:34:20PM -0400, Bill -Sx- Jones wrote: On 4/17/02 2:22 PM, Michael G Schwern [EMAIL PROTECTED] wrote: The above implies the format is something like: SNEEXADMINEND in which case, suicide is an honorable option. :) Actually, the input data looks

Re: A better way ?

2002-04-17 Thread Bart Lateur
On Wed, 17 Apr 2002 15:01:50 -0400, Michael G Schwern wrote: On Wed, Apr 17, 2002 at 02:34:20PM -0400, Bill -Sx- Jones wrote: Actually, the input data looks more like [SNEEX] [ADMIN] [END] # setup %Dispatch as before, then... while( $vData =~ /\[([A-Z])\]/g ) {

Re: A better way ?

2002-04-17 Thread Steven Lembark
-- Michael G Schwern [EMAIL PROTECTED] On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote: There's already a %dispatch set up for you by perl... I'd have used it but it just fell into the gaping security hole. A recent Phrack article pointed out that one of the SOAP/RPC/XML

Re: A better way ?

2002-04-17 Thread Michael G Schwern
On Wed, Apr 17, 2002 at 04:38:50PM -0500, Steven Lembark wrote: A recent Phrack article pointed out that one of the SOAP/RPC/XML modules was doing this: $soap->$tainted_method_name(@args); Use -T and untaint by extracting the subname: my $flag = ::$input =~ /\w+$/;

Re: A better way ?

2002-04-17 Thread Rick Klement
Michael G Schwern wrote: On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote: There's already a %dispatch set up for you by perl... I'd have used it but it just fell into the gaping security hole. A recent Phrack article pointed out that one of the SOAP/RPC/XML modules was

Re: A better way ?

2002-04-17 Thread Michael G Schwern
On Wed, Apr 17, 2002 at 04:16:08PM -0700, Rick Klement wrote: Notice that the regex match (which should have been /\[([A-Z]+)\]/ ) effectively untaints and closes the security hole by disallowing anything through that is not [A-Z]+ This is still too lenient, you've just narrowed the possible

Re: A better way ?

2002-04-17 Thread Aaron D. Marasco
I like something like this, where the sub name is sub_KEYWORD (from a CGI, hopefully you can extract usefulness): eval sub_.param('page') if (param && defined param('page') && defined sub_.param('page')); page_login; # If all else fails... - adm At 02:02 PM 4/17/2002, Bill -Sx- Jones wrote:

Re: A better way ?

2002-04-17 Thread Michael G Schwern
On Wed, Apr 17, 2002 at 09:01:37PM -0400, Aaron D. Marasco wrote: I like something like this, where the sub name is sub_KEYWORD (from a CGI, hopefully you can extract usefulness): eval sub_.param('page') if (param && defined param('page') && defined sub_.param('page')); The last clause

Re: A better way ?

2002-04-17 Thread Paul Johnson
On Wed, Apr 17, 2002 at 07:59:22PM -0400, Michael G Schwern wrote: Just because the safety is on doesn't mean you should juggle handguns. Never know whose foot it'll blow off. Awww. You're no fun. -- Paul Johnson - [EMAIL PROTECTED] http://www.pjcj.net