I still got the blues for you

Friday, 11 January 2008

Been a week since I posted. I've not done much, though I did complete most of the migration of my planet-searching code to gluck.debian.org.

This is now logging to a local SQLite database, and available online.

I've updated the blog software so that I can restrict comments to posts made within the past N days - which has helped with spam.

My other comment-spam system is the use of the crm114 mail filter. I have a separate database now for comments (distinct from that I use for email), and after a training on previous comments all is good.

Other than being a little busy over the past week life is good. Especially when I got to tell a recruitment agent that I didn't consider London to be within "Edinburgh & Surrounding Region". Muppets.

The biggest downside of the week was "discovering" a security problem in Java, which had been reported in 2003 and is still unfixed. Grr. (CVE-2003-1156 for those playing along at home).

Heres the code:

#!/bin/sh
#
#  Grep for potentially unsafe /tmp usage in shared libraries
#


find /lib -name '*.so' -type f -print > /tmp/$$
find /usr/lib -name '*.so' -type f -print >> /tmp/$$
for i in $(cat /tmp/$$ ); do
    out=$(strings $i | grep '/tmp')
    if [ ! -z "$out" ]; then
        echo "$i"
        echo "$out"
    fi
done
rm /tmp/$$

| 4 comments.

 

Comments On This Entry

[gravitar] Justin

Submitted at 01:08:58 on 12 january 2008

heh, isn't that script technically using /tmp in an unsafe way? :)
[author] Steve

Submitted at 12:43:51 on 13 january 2008

Noted.

Still it was executed upon a machine with myself as the only user so it's not too bad!

[gravitar] Alex

Submitted at 20:15:08 on 13 january 2008

So now Steve's on the case we can expect that Java bug to get nailed, after almost 5 years of being open? :P
[gravitar] Anonymous

Submitted at 00:25:42 on 15 january 2008

Steve: Still, you have to appreciate the irony. :) I personally think many temp file vulnerabilities arise this way: someone writes a script with bad temp file usage, figuring it doesn't matter, then nobody fixes it when the script becomes more popular and widely used.

By the way, your comment form has an annoying feature: if you submit without filling out the email field, it removes the form, replaces it with a note saying "missing fields", and provides no way to get the form back to correct it. If my browser did not keep form data around when I refreshed (or if your site broke that as many sites do), I would have lost the text of my comment.

 

Comments are closed on posts which are more than ten days old.

Recent Posts

Recent Tags