[conspire] Web spam and yandex forms

Rick Moen rick at linuxmafia.com
Wed Dec 8 09:20:51 PST 2021


Quoting Ivan Sergio Borgonovo (ivan at webthatworks.it):

> On 12/8/21 03:37, Rick Moen wrote:
> 
> >If I ever study it to learn how, I'll probably send the creator a
> >shipment of homemade cookies, even if I never otherwise use it.
> 
> The more restrictions, the more you're willing to offer.

I'm not saying that.  I'm saying giving me something for free (knowledge
of a working example) that's less than the ideal something is
benevolence that's worthy of gratitude, in a situation where I cannot (so
far) find the ideal something anywhere.

> What about cookies for open source developers?

Is there an open source implementation of what I'm seeking (lightweight,
simple, arithmetic or word-problem solving as in Bruce Schneier's blog,
but without resort to hideous bloatware like JQuery, that can be used on
any simple HTML form)?  On a couple of quick searches, I didn't find
one, only overblown CMS plugins for things like WordPress.  If I _had_
found one, I might indeed send the author _two_ batches of cookies as a
gesture of gratitude.

But, just to put this in perspective, I never spent more than a few
minutes on the problem -- because it was not a _significant_ problem,
and I had better uses of my limited time on this planet.  At the time
(quite a few years ago), the Linuxmafia.com Knowledgebase
(linuxmafia.com/kb/) still relied on PerlHoo
(http://linuxmafia.com/pub/linux/apps/) as its engine.  PerlHoo was
Jonathan Eisenzopf's academic exercise in Perl hacking, "to build a
complete Yahoo-like Web directory" in less than 100 lines of Perl.  See:
https://web.archive.org/web/20171027102131/http://www.webreference.com/perl/tutorial/index.html

Early on, I noticed a nagging if minor problem:  The PerlHoo CGI's
feature to accept from the public suggested future additions was getting
overwhelmed with comment spam.  Jonathan added that ability in part 2 of
his 3-part tutorial, as you'll see in the revised code here:
https://web.archive.org/web/20171202161957/http://www.webreference.com/perl/tutorial/3/index.html
https://web.archive.org/web/20171219082726/http://www.webreference.com/perl/tutorial/3/perlhoo.pl

Random members of the public can submit additions, and the CGI registers
them to a comma-separated-values file (local to the Web site),
perlhoo_new.csv, rather than to the CGI's own data file, perlhoo.csv --
thus holding submissions for admin review.  As with spam everywhere, what
resulted was a vast accumulation of sludge in perlhoo_new.csv for me to
periodically empty out, and only maybe once in ten years did a real
human submit something non-inane.  _That_ problem was easily ended by
just setting perlhoo_new.csv unwritable, ending public submissions.  But
for a few minutes before I did that, I looked around briefly to see if
anything, open source or proprietary, existed to teach me how to do the
Schneier-like "ask a simple arithmetic or word problem" thing without
unjustifiable complexity.  I didn't find it.  Maybe it's there, but I
didn't look for very long -- as the problem didn't merit much of my
time.  (But I remain idly curious.)

The core functions of PerlHoo remained in use on my site until a few
years ago, when a security researcher kindly informed me of a much more
daunting problem:  Jonathan Eisenzopf never bothered to do input
validation in his CGI, with the result that the Linuxmafia.com
Knowledgebase could be used as an XSS (cross-site scripting) engine to
attack arbitrary other sites on the Internet.

As my knowledge of Perl CGI coding remains basic, I asked, twice, the San
Francisco Perl Mongers if any of the resident experts were willing to
coach or help me in rewriting relevant parts of PerlHoo to do input
validation on the URL processing it does.  I heard only absolute, total
silence -- as the saying goes, "crickets".  So, pondering the situation,
and wanting to end the security threat absolutely immediately, I did so
by converting Linuxmafia.com Knowledgebase to flat HTML and yanking out
the CGI.  Problem solved.
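
Added example (not from this thread, and not PerlHoo code): one way to do
the Schneier-style "answer a small arithmetic question" check without any
JavaScript library. The server generates the question and ships only an
HMAC-signed token (nonce, expiry, MAC over the expected answer) in a hidden
field, so the answer itself never reaches the browser and no session store is
needed. The secret, TTL and the /cgi-bin/suggest.cgi action URL are
constructed placeholders.

```python
"""Stateless arithmetic anti-spam challenge for any plain HTML form."""
import hashlib
import hmac
import secrets
import time
from html import escape

SECRET = b"constructed-demo-secret-rotate-me"  # constructed; load from config in practice
TTL = 600  # seconds a challenge stays valid


def _sign(answer: int, nonce: str, expires: int) -> str:
    """MAC over the expected answer, the nonce and the expiry timestamp."""
    msg = f"{answer}:{nonce}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(now=None, rng=secrets.randbelow):
    """Return (question_text, token). Only the token goes to the browser."""
    a, b = rng(9) + 1, rng(9) + 1          # two single-digit operands
    nonce = secrets.token_hex(8)
    expires = int(now if now is not None else time.time()) + TTL
    token = f"{nonce}:{expires}:{_sign(a + b, nonce, expires)}"
    return f"What is {a} plus {b}?", token


def verify(answer_field: str, token: str, now=None) -> bool:
    """Accept a submission only if the MAC matches and the token is unexpired.
    Note: a correct token can be replayed within TTL unless the nonce is also
    recorded server-side once used; for low-stakes forms many sites accept that."""
    try:
        nonce, expires_s, mac = token.split(":")
        expires = int(expires_s)
        answer = int(answer_field.strip())
    except ValueError:
        return False                        # malformed token or non-numeric answer
    if (now if now is not None else time.time()) > expires:
        return False
    return hmac.compare_digest(mac, _sign(answer, nonce, expires))


def render_form(question: str, token: str) -> str:
    """Emit the form fragment; everything user-visible is HTML-escaped."""
    return (
        '<form method="post" action="/cgi-bin/suggest.cgi">\n'
        f'  <label>{escape(question)} <input name="answer"></label>\n'
        f'  <input type="hidden" name="token" value="{escape(token, quote=True)}">\n'
        '  <input type="submit" value="Suggest">\n</form>'
    )
```

On submission the CGI calls verify() with the two POSTed fields before it
writes anything to perlhoo_new.csv; a failed check simply drops the entry.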
