
Journal of Ovid (2709)

Tuesday June 11, 2002
10:32 AM

Countdown - 19 days

[ #5585 ]

We have our first iteration planning meeting done. As this project will have only one "iteration", we pretty much need to get it pretty darned close to perfect the first time so a lot of nit-picky questions were asked. Unfortunately, right before I left yesterday, I received another "critical" task regarding my other project ("yes, Ovid, we know that the POS is our first priority. So is this").

On the plus side, much of the conversion work to DBI should be done today and the iteration meeting revealed that much of what we need is already in place. This is still doable.

Update: Hoo boy. Getting my other work done will take longer than expected. I'm working on the code written by a programmer that we had to let go. We have a form whose data and a file attachment are being emailed. The programmer put the To: address in the form, so someone can easily munge it to anonymously send email anywhere (can you say "Spam" boys and girls?). To try and limit file size, here's what the programmer did:

  • Open an output file in append mode.
  • Read the uploaded file and write to output file.
  • stat the output file to determine file size.
  • unlink the output file (why was it opened in append mode?)
  • If file size is greater than allowed size, send an error message back to the user

It gets worse. The programmer didn't check to see if the open was successful, and didn't tell our admin about needing to save a file, so permissions weren't set on the directory and the open always fails silently. So preventing a denial of service by limiting file size has failed miserably.

Apparently, the programmer jumped through these hoops because $CGI::POST_MAX wasn't working: he set that value after reading all of the data, thus making it useless.

I don't feel so bad about my code, now :)
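For reference, here is how the form handler described above could have done it: the recipient chosen on the server instead of taken from the form, `$CGI::POST_MAX` set before `CGI->new` so that it actually applies, and the attachment size read from the temporary file CGI.pm already created rather than by copying the upload to an unchecked append-mode file. This is an added example, not code from the original entry or from the project it describes; the byte limits, the mailbox addresses, the `dept` and `attachment` field names and the sendmail path are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The limits must be set before CGI->new, because CGI.pm reads and parses
# the request body when the object is constructed.  Setting $CGI::POST_MAX
# afterwards (as the original handler did) changes nothing.
use CGI;
use MIME::Base64 qw(encode_base64);
$CGI::POST_MAX        = 512 * 1024;   # largest accepted request body (assumed limit)
$CGI::DISABLE_UPLOADS = 0;            # this form really does want an upload

my $q = CGI->new;

# A body larger than POST_MAX is refused before anything touches the disk;
# CGI.pm records the reason in cgi_error (typically "413 Request entity too large").
if ( my $err = $q->cgi_error ) {
    print $q->header( -status => $err ), "Request rejected: $err\n";
    exit;
}

# The destination is fixed on the server.  The form may pick a department,
# but only keys of this hash are honoured, so nobody can relay mail elsewhere.
my %RECIPIENTS = (
    support => 'support@example.com',   # assumed addresses
    sales   => 'sales@example.com',
);
my $dept = $q->param('dept') || '';
$dept = 'support' unless exists $RECIPIENTS{$dept};
my $to = $RECIPIENTS{$dept};

# Per-attachment limit.  The upload already sits in a temporary file that
# CGI.pm created, so -s on the filehandle gives its size directly; no need
# to copy it to an append-mode file, stat that, and unlink it.
my $MAX_ATTACHMENT = 256 * 1024;      # assumed limit
my $fh = $q->upload('attachment');
unless ( defined $fh ) {
    print $q->header( -status => '400 Bad Request' ), "Missing or invalid attachment\n";
    exit;
}
my $size = -s $fh;
unless ( defined $size && $size <= $MAX_ATTACHMENT ) {
    print $q->header( -status => '413 Request Entity Too Large' ),
          "Attachment is too large\n";
    exit;
}
my $data = do { local $/; <$fh> };

# The client-supplied filename ends up in a MIME header, so restrict it to
# safe characters; every other user-controlled value goes only into the body.
my $filename = $q->param('attachment') || 'attachment';
$filename =~ s/[^A-Za-z0-9._-]/_/g;
my $boundary = "==webform-" . time . "-$$";

# Hand the message to sendmail in list form, so nothing passes through a
# shell.  Path and flags are assumptions for the example.
open( my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t' )
    or die "Cannot run sendmail: $!";
print {$mail}
    "To: $to\n",
    "From: webform\@example.com\n",
    "Subject: Web form submission ($dept)\n",
    "MIME-Version: 1.0\n",
    "Content-Type: multipart/mixed; boundary=\"$boundary\"\n\n",
    "--$boundary\n",
    "Content-Type: text/plain\n\n",
    "Department: $dept\n",
    "Attachment: $filename ($size bytes)\n",
    "--$boundary\n",
    "Content-Type: application/octet-stream; name=\"$filename\"\n",
    "Content-Transfer-Encoding: base64\n",
    "Content-Disposition: attachment; filename=\"$filename\"\n\n",
    encode_base64($data),
    "--$boundary--\n";
close $mail or die "sendmail failed: $!";

print $q->header, "Thank you.\n";
```

Two points worth checking in any handler of this shape: `$CGI::POST_MAX` only stops CGI.pm from reading an oversized body, so the web server's own request limits still matter, and every `open` that the security of the script depends on needs an `or die` (or equivalent), otherwise a missing directory or wrong permissions turns the check into a no-op exactly as happened here.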
