s l a m


© copyright 2004
by Marc Barrot.

Thursday, April 11, 2002

Potential Google SOAP API based Services

It looks as if I've been thinking along the same line as James Snell for some time:

Even better yet, allow me to create subscriptions to the google database.  When the entry for a given site is updated, google gives me a ping.  This could work for searches too.  I send a search query with a callback address.  Rather than getting results back right away, I get results back on an ongoing basis as sites are found that match the query.[Snell's Blog]
Well James, with the SOAP API, you don't have to send the subscription query to Google. I'm sure a third party provider would be able to get your query, and provide the service while using the SOAP API to check on Google regularly.

As a matter of fact, I remember designing a similar service based on CGI and HTML scraping about 6 years ago. Google's performance and web services sure put a new twist on these things.

9:39:51 PM

Playing with the Google.Box Macro

s l a m follows the latest trend, its home page now sports a 'Google Box'. Nifty, I was even able to supply "secure perl code" as the first macro argument, to make sure that Google would search for the string as a whole, not for separate words.

7:16:06 PM

French Speakers Only

Can you find out which part of my previous post Google translated into French? :-))

Les problèmes aiment accepter des pipes comme entrée, qui est le tour préféré d'un biscuit pour gagner la connaissance d'une exploitation du système.
Right now, I can think of tons of fun ways to make use of Google's new SOAP API.

5:49:08 PM

Securing SOAP::Lite - Addendum

In my far from expert opinion, securing the open() call in HTTP::Daemon::ClientConn::sendfile would make for a more secure SOAP::Lite module.

Paul Kulchenko, SOAP::Lite's author, dropped me a line last night asking what I meant by the 'unprotected open() in HTTP::Daemon being less of a problem', and what he should do to fix it.

Well, first let me state the obvious: if Paul fixes the module name traversal exploit in SOAP::Lite, a malicious user will no longer be able to call any loaded (by require) module from his remote code. It's thus far less likely that he will gain access to HTTP::Daemon::ClientConn::sendfile.

So why worry? Because security works in layers. Fixing 2 holes is always safer than fixing one; you never know where the next exploit will come from.

Second: sendfile, as part of HTTP::Daemon, was authored by Gisle Aas. Gisle was one of ActiveState's senior developers the last time I checked. Maybe he should get involved, if he's not already. He is no doubt far better qualified than I am.

Now what's wrong with sendfile after all? Our friend 'stealth' has noticed that it makes a straight call to Perl's open() function. Look at the code fragment he gives in his story:

$soap->call("X:HTTP::Daemon::ClientConn::send_file" => "|/bin/ps");
Scary. That's because, according to the Linux Secure-Programs-HOWTO,
The perl open() function comes with, frankly, "way too much magic" for most secure programs; it interprets text that, if not carefully filtered, can create lots of security problems.
Problems like accepting pipes as input, which is a cracker's favorite trick to gain knowledge of a system operation.

The traditional workaround for this is to use sysopen() instead of open(): it gives finer-grained control over what the open actually does, and behaves much more like the C library's open().

There are probably other, more clever / modern ways of doing this. That's for Paul and Gisle to decide.
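To make the open() versus sysopen() difference concrete, here is an added illustration of my own (not SOAP::Lite or HTTP::Daemon code; the sub names are hypothetical): a minimal stand-in for a method that opens a caller-supplied file name, first with the magic two-argument open(), then hardened with a filter plus sysopen().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

# Stand-in for a server method that takes a caller-supplied file name
# (hypothetical; not the real HTTP::Daemon::ClientConn code).
# Two-argument open() parses the string: a leading or trailing '|'
# turns it into a pipe to/from a command, '<' '>' '>>' into redirections,
# and '-' into STDIN. A client-controlled name here is therefore command
# execution, which is exactly what the "|/bin/ps" call above relies on.
sub open_with_magic {
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    return $fh;
}

# Hardened version. sysopen() hands the name straight to the C-level
# open(2) with no string interpretation, and O_RDONLY rules out writing.
# A filter in front of it is a second layer, so that a later change back
# to open() does not silently reopen the hole.
sub open_plain {
    my ($name) = @_;
    # reject pipe/redirection characters, NUL bytes and '..' path components
    return (undef, 'rejected by filter')
        if $name =~ m{[|<>&\0]} || $name =~ m{(^|/)\.\.(/|$)};
    sysopen(my $fh, $name, O_RDONLY) or return (undef, "sysopen failed: $!");
    return ($fh, 'opened');
}

# Demo with constructed inputs: the pipe string from the post and a
# traversal attempt are refused, this script's own file ($0) opens normally.
for my $name ('|/bin/ps', '../private', $0) {
    my ($fh, $why) = open_plain($name);
    print "$name => $why\n";
    close $fh if $fh;
}
```

Even with the filter removed, sysopen() would simply try to open a file literally named "|/bin/ps" and fail; the filter is there for the layering argument made above.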

3:35:07 PM

Jon Udell Cuts Through RSS Description

His latest hack removes everything but the first sentence from every new post before adding it to his weblog's RSS feed - the original post is still fully rendered in HTML on Jon's site.

I know that truncating RSS items has been on top of his wish list for some time. Publishing in a heads / decks / stories format is one of his memes. Jon, this last link possibly is an opmlRendered intrusion into your work, I'll remove it if you wish.

Heads and decks are also one of my pet subjects, so I think Jon's modification will soon find its way into s l a m.

Since I'm sometimes using titles to link to a different place than the post itself (Radio's default setting), I'll probably add a Read more... link at the end of the first sentence, a la Slashdot.

And of course, since Jon describes his hack as 'completely non-kosher', I'll wait for the Radio Beth Din to come up with the appropriate callback.

... Well, it didn't take long :-) Browsing s l a m 's home page in search of new reader comments, I ran into the latest extract from Dave's instant outline (opmlRender is sometimes surprising). Dave added some further observations in this morning's Scripting News.

10:55:32 AM

About s l a m...

My original idea for developing this site was to keep well below radar coverage, that is until I was ready to launch. Dave made me modify my plans in a hurry yesterday morning.

Well, it's nice to have company :-) For readers who may be wondering what I'm up to, here is a short explanation. No doubt it will change over time, so I've placed a link in the home section of s l a m 's sidebar.

1:17:24 AM


last updated: 3/20/04; 5:21:59 PM.