November 3rd, 2006

(Continuation of the proxylog script from Section 13.8.)

  o Does not handle multiple simultaneous connections.
  o Reads are asynchronous, writes are synchronous.
  o Messages larger than 64K will be segmented.
EndUsage
}

use vars qw($opt_i $opt_o $opt_1 $opt_v);
getopts('i:o:1v') and $opt_o or die usage;
my $proxy_port = $opt_i or die usage;
my ($server_host, $server_port) = $opt_o =~ /^(.+):(\d+)$/ or die usage;
my $verbose  = 1 if $opt_v;
my $only_one = 1 if $opt_1;
$SIG{TERM} = $SIG{INT} = $SIG{HUP} = \&shutdown;
my $proxy = IO::Socket::INET->new(LocalPort => $proxy_port,
                                  Type      => SOCK_STREAM,
                                  Proto     => 'tcp',
                                  Reuse     => 1,
                                  Listen    => 1)
  or die "Can't listen on port $proxy_port: $!\n";
print "[listening on port $proxy_port]\n" if $verbose;
my ($client, $server);
OUTER: while ($client = $proxy->accept) {
  my ($client_host, $client_port) =
    (gethostbyaddr($client->peeraddr, AF_INET) || $client->peerhost,
     $client->peerport);
  print "[connection from $client_host on $client_port]\n" if $verbose;
  $server = IO::Socket::INET->new(PeerAddr => $server_host,
                                  PeerPort => $server_port,
                                  Proto    => 'tcp',
                                  Type     => SOCK_STREAM)
    or die "Can't connect to $server_host:$server_port\n";
  print "[connected to server $server_host:$server_port]\n" if $verbose;
  my $selector = IO::Select->new($client, $server);
  CONNECTION: while (my @ready = $selector->can_read) {

November 3rd, 2006

$| = 1;

near the beginning of your program to unbuffer STDOUT so that when you send output, it gets passed to the Web server immediately.

13.7 cgi-test

Let's add to our black bag the following script:

#!/usr/bin/perl -Tw
use strict;
print "Content-type: text/plain\n\n";
print "$_: $ENV{$_}\n" for sort keys %ENV;
print "\nInput:\n";
print <STDIN>;

Use this whenever you have doubts about what a form is really sending to the server. Just make this script the target of the form action, and you'll get a terse dump of the environment variables and any content that the form sent via POST.

13.8 Eavesdropping

Sometimes you'd just like to listen in on the conversation between a browser and a server, like a gossip-hungry neighbor on a party line. Perhaps you're dealing with browsers whose caching behavior is questionable, and you don't want to guess what's really being fetched. You could use a connection-sniffing tool like tcpdump to monitor the traffic between the client and the server, but this generally requires superuser access to put the network interface into "promiscuous" mode. So try instead our proxylog tool:

#!/usr/bin/perl -w
use strict;
use Getopt::Std;
use IO::Socket;
use IO::Select;

sub usage {
  <<"EndUsage";
$0 lets you snoop on the conversation between a client and server.

$0 -i clientport -o serverhost:port [-1] [-v]

  -i  incoming port to listen to
  -o  outgoing port to make connection to
  -1  only process one client request, then exit
  -v  verbose

Caveats:

November 3rd, 2006

The bottom line is that the first output from your program must be header lines, including a Content-type header, which must be followed by a blank line before your content. If you use CGI.pm, the header routine is all you need to output headers properly; as long as you call it before anything else that produces output, you should have little to worry about. But sometimes the bugs can gang up on you and foil this strategy. Run your CGI program from the command line to check that it produces the right output in the right order.

It is crucial to find out what your program outputs to STDERR. This is where the output from die and warn goes, including any complaints from use strict or -w. The popular Apache server puts STDERR messages in the error log file, but the Netscape Enterprise server directs them to the browser in the order it receives them. What will that be? Let's look at a simple script that produces a warning in addition to output:

#!/usr/bin/perl -w
use strict;
my $x;
print "Content-type: text/plain\n\n";
print "Value of \$x is $x\n";

Run this at the shell prompt and you'll see

Content-type: text/plain

Use of uninitialized value in concatenation (.) at foo.cgi line 5.
Value of $x is

But that's not the order the output goes to the Web server! Because we're outputting to the terminal, STDOUT is by default line buffered, which means that its output is flushed on every newline. However, if output is not going to the terminal, STDOUT is fully buffered (unless the Web server decides otherwise), and won't come out until after the output to STDERR. Upshot: try this on a server that sends STDERR to the browser as well, and you'll get a 500 Server Error. As far as the server was concerned, you sent

Use of uninitialized value in concatenation (.) at foo.cgi line 5.
Content-type: text/plain

Value of $x is

The first line does not look like a header. Whew! Is this a lot to remember or what?

That's why we reiterate: Test your program from the command line first and follow Perl of Wisdom #17: Eliminate all warnings before proceeding with development. In addition, add the line
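As an added example (not code from the book), here is a small harness that runs the foo.cgi script above with STDOUT on a pipe and STDERR merged into it, then applies the header rule from Section 13.6 to what arrives, once without and once with $| = 1. The harness, its checks and the temporary-file handling are ours; only the embedded script is the book's.

```perl
#!/usr/bin/perl -w
# Added example (not from the book): see a CGI program's output the way
# the Web server does. STDOUT goes to a pipe, so it is fully buffered
# rather than line buffered, and STDERR is merged into the same stream,
# as a server that forwards STDERR to the browser effectively does.
# The sample script is the book's foo.cgi; the checker is ours.
use strict;
use IPC::Open3;
use Symbol qw(gensym);
use File::Temp qw(tempfile);

# The book's warning-producing script, minus its #! line because we run
# perl on it explicitly below.
my $foo_cgi = <<'CGI';
use strict;
my $x;
print "Content-type: text/plain\n\n";
print "Value of \$x is $x\n";
CGI

# Run a script with its STDERR on the same pipe as its STDOUT and return
# the lines in the order they reached us.
sub run_like_a_server {
    my ($path) = @_;
    my $out = gensym;
    my $pid = open3(my $in, $out, undef, $^X, '-w', $path);  # undef: merge STDERR
    close $in;
    my @lines = <$out>;
    waitpid $pid, 0;
    return @lines;
}

# The rule from the text: "Name: value" header lines first, then a blank
# line, and Content-type must be among the headers.
sub check_headers {
    my @lines = @_;
    return 'no output' unless @lines;
    my ($saw_content_type, $i) = (0, 0);
    for (; $i < @lines; $i++) {
        last if $lines[$i] =~ /^\r?\n\z/;                 # end of headers
        unless ($lines[$i] =~ /^[\w-]+:\s*\S/) {
            chomp(my $bad = $lines[$i]);
            return "not a header: $bad";
        }
        $saw_content_type = 1 if $lines[$i] =~ /^Content-type:/i;
    }
    return 'no blank line after the headers' if $i >= @lines;
    return 'no Content-type header' unless $saw_content_type;
    return 'ok';
}

# The same script without and with $| = 1 as its first statement.
for my $variant (['buffered', ''], ['unbuffered', "\$| = 1;\n"]) {
    my ($name, $prefix) = @$variant;
    my ($fh, $path) = tempfile(SUFFIX => '.cgi', UNLINK => 1);
    print $fh $prefix, $foo_cgi;
    close $fh;
    printf "%-10s %s\n", $name, check_headers(run_like_a_server($path));
}
```

The buffered run reports the "Use of uninitialized value" warning as its first line, which is exactly what a server forwarding STDERR would reject; the unbuffered run passes.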

November 3rd, 2006

The only way to derive untainted data from tainted data is to perform a regular expression match with capturing parentheses on it and use the resulting $1, $2, etc. It is assumed that if you have gone to this much trouble, you have constructed a regular expression that will result in safe data. Perl does not and cannot check that you have really done so. If you simply do

($untainted) = $tainted =~ /(.*)/s;

then this is the equivalent of putting a gun to your head and pulling the trigger without looking in the chamber first.

Create CGI programs with taint checking from the beginning. Retrofitting -T onto existing programs is tedious and frustrating. Taint mode is utterly paranoid. One of the consequences of environment variables being tainted is that your path is tainted, so any attempt to run an external program fails with an "insecure dependency in path" error unless you untaint $ENV{PATH}, which usually means setting it explicitly to a (colon- or semicolon-separated) list of directories you trust.

13.5.2 Debugging in Taint Mode

If you syntax check a program that has -T in its #! line, you'll see something like this:

$ perl -c foo.cgi
Too late for "-T" option at foo.cgi line 1.

This is caused by an obscure feature of Perl's implementation that requires taint mode to be turned on really early in its startup process. (If you remembered Perl of Wisdom #10, Use use diagnostics to explain error messages, you would have seen the explanation.) Just add -T:

$ perl -cT foo.cgi

13.6 Heading Off Errors

The output of your program is usually parsed through the Web server (unless you use the increasingly rare nph feature), which adds headers like a status line (unless you provide one yourself), a server identification line, and a date. The essential header for you to remember is Content-type: you must output this one. (Weeell, the complete truth is more complicated, but of little use. You can output any number of lines that look like headers [any line containing a colon with at least one nonspace character on either side, based on experimentation], and these lines are faithfully passed on by the server as though they actually mean something. As long as you output a blank line before your content, it'll make it through; if you don't output a Content-type header, some servers will put one on for you [set to text/plain]; some browsers interpret the absence of a Content-type header to mean it is of type text/html. This is of academic interest at best.)

November 3rd, 2006

sent a customer a Barbie doll instead of the Sony PlayStation he ordered, and rather than praise, this soon-to-be-former customer has a different message for you. In the e-mail address field, he types 'rm *'. Your script, after reading the user input into a variable $email, reasonably enough sends a response:

open MAIL, "|$SENDMAIL $email" or die $!;

(We'll talk about better ways of signaling errors shortly.) Net result: Chaos. If you're running on DOS instead, don't think you're safe; that user could have entered ;erase *.*. What you need to do is check the e-mail address that's been entered and make sure it won't cause that kind of problem. Now, suppose we assume for a moment that valid e-mail addresses match the pattern

\w[\w*%.:-]*@\w[\w.-]*\w

(That's not quite true, but it'll do for our example.) After setting $email from the user input, we could massage it:

($email) = $email =~ /(\w[\w*%.:-]*@\w[\w.-]*\w)/;
unless ($email) {
  # Code to handle no valid email being entered
}

From the user's input, we extracted an e-mail address that won't cause any nasty side effects when passed to our mail program. If we don't find anything in the input matching that, we can treat it as if nothing at all was entered. You might also choose to compare the result of the match with what they entered, and if they differ, grumble about a "nonstandard" address being entered. Before you use that language, however, consider this caveat: the preceding pattern is a grossly simplified version of what it really takes to match a valid e-mail address. The RFC 822 standard (http://www.ietf.org/rfc/rfc0822.txt) specifies a complicated syntax that includes several ways of embedding comments that are arguably not part of the address at all and unlikely to be entered by a user in a Web form. A regular expression to match it is more than 6K in length and is the tour de force conclusion of Jeffrey Friedl's seminal book, Mastering Regular Expressions (O'Reilly, 1997). A slightly shorter and somewhat more practical approach is contained in Chapter 9 of the second edition of CGI Programming with Perl by Scott Guelich, Shishir Gundavaram, and Gunther Birznieks (O'Reilly, 2000), but even this book acknowledges that its algorithm's value is principally instructional. (It doesn't confirm that the address can receive e-mail; only an attempt to send mail there can do that.)

What taint mode does is force you to launder input data as we just described. Any data that comes from outside your program, including even environment variables or directory listings, has associated with it a special flag that marks it as tainted. Any attempt to use tainted data to affect something outside of your program, such as input to an external program, results in a run-time exception before that can happen. (The error will mention an "insecure dependency.") And if you use a tainted variable in an expression that is assigned to another variable, that variable becomes tainted too.
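As an added example (not the book's code), here is the feedback form's mail step written for taint mode: it launders the address with the simplified pattern above, shows taint mode refusing the shell-string form of open, and uses the list form of open so the address never reaches a shell, which also illustrates the regex-capture rule of Section 13.5. The sample inputs, the /bin/cat stand-in for sendmail and the use of sendmail -t are assumptions for the demonstration.

```perl
#!/usr/bin/perl -Tw
# Added example (not from the book): the feedback form's mail step done
# safely under taint mode. The pattern is the book's simplified e-mail
# regex; the inputs, the stand-in mailer and the use of sendmail -t are
# constructed for this demonstration.
use strict;
use Scalar::Util qw(tainted);

# Literals are never tainted, so borrow zero characters of the (tainted)
# environment to mark our constructed form inputs the way real ones are.
my $taint = substr($ENV{PATH} // '', 0, 0);

# Taint mode refuses to run external programs until PATH is untainted.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Laundering: only what the capturing parentheses return is untainted.
# Returns undef when nothing address-like is present.
sub launder_email {
    my ($input) = @_;
    my ($email) = $input =~ /(\w[\w*%.:-]*@\w[\w.-]*\w)/;
    return $email;
}

# Safe form: laundered address, list-form pipe open (no shell involved),
# and the address travels in the To: header for "sendmail -t" rather
# than on the command line at all, e.g. @mailer = ('/usr/sbin/sendmail', '-t').
sub send_receipt {
    my ($raw, @mailer) = @_;
    my $email = launder_email($raw)
        or return "rejected: no address in '$raw'";
    open my $mail, '|-', @mailer or die "can't run $mailer[0]: $!";
    print $mail "To: $email\nSubject: Thanks for your feedback\n\n",
                "We received your message.\n";
    close $mail or die "$mailer[0] exited with status $?";
    return "sent to $email";
}

# Constructed inputs: a plain address and one with shell metacharacters.
for my $raw (map { $_ . $taint }
             'alice@example.com', 'alice@example.com; echo injected') {
    my $clean = launder_email($raw);
    printf "%-34s -> %-18s tainted: raw=%s clean=%s\n", $raw, $clean,
        tainted($raw) ? 'yes' : 'no', tainted($clean) ? 'yes' : 'no';

    # The shell-string form from the text dies before any shell runs:
    # "Insecure dependency in piped open while running with -T switch".
    die "demo needs tainted input" unless tainted($raw);
    eval { open my $fh, "|/bin/echo $raw" or die $!; 1 }
        or print "  shell form refused: $@";

    # /bin/cat stands in for "sendmail -t" and just echoes the message.
    print '  ', send_receipt($raw, '/bin/cat'), "\n";
}
```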

November 3rd, 2006

LOG=/var/log/httpd/error_log
TAIL=10
echo "Content-type: text/plain"
echo
echo "Total number of lines = `wc -l $LOG`"
echo
tail -$TAIL $LOG

13.4 Basics

To avoid those "Doh!" moments, make sure that

- Your program has the execute bit set on Unix systems. The penalty for missing this one is a 403 Forbidden error, which is likely to make you think that the Web server can't get into the enclosing directory instead.
- Your program has the correct #! line at the beginning. Getting it wrong will earn you a 500 Server Error.

Both of these problems are instantly detected by running the program from the command line on the Web server itself. If that works but you still get an error when coming through a Web browser, the permissions for the Web server user are set up incorrectly; contact the Web server administrator.

13.5 Security

Not long ago, security was still considered optional by many people. Today that attitude is widely recognized as dangerous to others as well as oneself. The issue of security on the Internet has garnered universal attention, and one of the ways a host can be broken into is through a poorly written CGI program. Don't let yours be one of them.

13.5.1 Taint mode

Perl provides a powerful mechanism for securing your CGI programs. It's called taint mode, and no program you put on the Web should be without it. You invoke it with the -T flag, making the first line of your scripts

#!/usr/bin/perl -wT

(Of course, the path to your perl may differ.) Taint mode doesn't actually do anything by itself to secure your program. What it does is force you to address every place where a security hole could occur. You see, the chief cause of security holes in CGI programs is malicious user inputs being used to affect things outside of your program. If you've never seen how easy this is, you're in for a shock. Let's say that your e-commerce Web site contains a feedback form for a user to input their e-mail address and a message of praise. Unfortunately, let's say that your shipping department

November 3rd, 2006

[1] ed was written by Ken Thompson. It was suggested that his car sported a single indicator on the dashboard: a giant '?' which would light up when anything was wrong, and the experienced driver would usually know what it meant.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

It usually goes on to suggest that you look in the server error log, but unfortunately it doesn't go to the trouble of including the part that might be relevant. If at all possible, get an interactive login on the Web server for which you are developing. If you can't, consider using a different service. There are several reasons for this, starting with the fact that it is a lot easier to look at the error log file if we can look at it with programs like tail or less than if we have to view the whole thing through a Web page. If you can't get an interactive login, you may nevertheless be able to figure out where your Web server keeps its log files (the defaults are well known and commonly used) and you then can use a CGI program like the following to look at the last ten (say) lines:

#!/usr/bin/perl -Tw
use strict;
use CGI qw(:standard);
my $TAIL = 10;
print header, start_html;
my @lines;
# Change next line as needed
my $file = "/usr/local/apache/logs/error_log";
open (IN, $file) or die p(b("Unable to open $file: $!"));
while (<IN>) {
  push @lines, $_;
  shift @lines if @lines > $TAIL;
}
print p("Total number of lines = $.\nLast $TAIL lines:\n");
close IN;
print pre(@lines), end_html;

Little tools like this populate the black bag carried by CGI programmers from job to job. In fact, if you can't even get Perl working on a (Unix) site that you can't log in to, here's a Bourne shell version:

#!/usr/bin/sh

November 3rd, 2006

format that turns many characters into a hexadecimal representation), and what the program has to send in addition to the browser-visible content of its output (HTTP headers specifying the type of that content). Nothing in the CGI specification specifies a particular language for CGI programs. This is why people who ask questions about CGI get attacked for asking them in a Perl newsgroup. The answer would be the same no matter what language the program was written in, and it wouldn't have anything to do with Perl. The newsgroup the attackers want those questions taken to is comp.infosystems.www.authoring.cgi.

So how can you tell whether your question or problem is Perl related or CGI related?

- If your program produces apparently correct output when run from the command line, but the Web browser displays a 500 Server Error message, it's a CGI problem. If you can't run the program from the command line on the Web server, see our tips that follow.
- If your program is not picking up form inputs and you're using CGI.pm, the Web server has a problem. Test it with our cgi-test program that follows. If you're not using CGI.pm, few people are likely to assist you because you're making the task unnecessarily difficult.
- If your program takes too long to produce any output, the browser will give up and display a "Document contained no data" message. You may need to use a nonparsed header (nph) script if your Web server otherwise buffers your output, or else figure out how to produce output before the browser times out.

See http://hoohoo.ncsa.uiuc.edu/cgi/interface.html for reference information on CGI.

13.2 Web Servers

There are many combinations of types and versions of Web servers, platforms and operating systems on the World Wide Web. Their differences in behavior are outside the scope of this book. We aim to make our advice applicable to the widest range of such combinations, but when we fail, unless otherwise noted, what we say has been tested against a recent version of Apache on Linux.

References on Apache:
- Apache: The Definitive Guide, 2nd edition, by Ben & Peter Laurie (O'Reilly, 1999)
- http://www.apache.org/

13.3 500 Server Error

The primal ed editor for Unix has one and only one response to any kind of error condition: it prints '?'.[1] Although user interface design has generally matured from this minimalist approach since then, it took a giant leap backwards with the introduction of Web servers whose only response to virtually any error is something close to

November 2nd, 2006

"Would you tell me, please, which way I ought to go from here?"
"That depends a good deal on where you want to get to," said the Cat.
Alice in Alice's Adventures in Wonderland by Lewis Carroll

The Cheshire Cat was renowned for oblique comments and a propensity to vanish partially or completely at inconvenient times. Running Common Gateway Interface (CGI) programs through a Web server can leave one feeling a lot like Alice (including stretched thin and squashed).

13.1 CGI

A glance at comp.lang.perl.misc reveals that many people don't understand the difference between the CGI protocol and the Perl scripts that use it. We therefore consider it our civic duty to take the time to explain it here, even though we're talking about something that is not Perl. (That's the Perl connection: that it has nothing to do with Perl. It's all very Gödel-like.)

The Common Gateway Interface is a specification for how a Web server can deliver dynamic content. It says that you can have a URL that points not to a static file but to a program whose output will be sent to the browser. The user of the browser cannot tell the difference between a CGI program and a static file by looking at what the server returns; the only clue is that the URL usually looks different. (Instead of ending in .html, it probably ends in .cgi or contains /cgi-bin/. There's nothing hard and fast about this rule though. It's easy to configure a Web server to return static pages whose URLs look like CGI programs, and vice versa.) The point, however, is that they shouldn't care what produced the output.

The CGI specification spells out how a program invoked in this way can have inputs sent by a browser (as part of the URL using an HTTP GET command or in HTTP content with a POST command), how the program can see those inputs (in the QUERY_STRING environment variable or in their standard input respectively), how the inputs are encoded (a
