Wikipedia:Reference desk/Archives/Computing/2011 October 1

Computing desk
< September 30	<< Sep | October | Nov >>	October 2 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

October 1

Vulnerabilities in find and workarounds

I'm aware of the inherent vulnerability using find and -exec, as it's discussed ([1]) elsewhere. So for a workaround, a few questions. 1) Is there a convenient list of all bash tokens that could be used for escaping and exploits like this? In other words, can someone point me either to some regexes that sterilize things for the command line or at least the list so I can write them myself? and 2) Is there a simple way for me to call an abitrary command-line program without dealing with the shell. Like in perl for instance I seem to remember hearing that this was possible. Any other practical workarounds would be useful too. Shadowjams (talk) 00:32, 1 October 2011 (UTC)

At the shell prompt, (in bash), type man builtins to get a complete listing of all shell built-ins, special-characters, and commands.

The safest thing to do is to use file-permissions to deny a script from accessing, executing, editing, deleting, or copying files that it doesn't have permission for. Often, this means creating a separate user-account with the minimum permissions you need for the script; this allows Unix to sandbox the script-process for you (automatically eliminating an entire class of security-risks).

Perl can execute shell commands in several ways; the easiest is to use the ` character, documented here (as PERLOP `STRING`); or the similar system and exec commands. Perl isn't necessarily safer - if you don't know what the script is doing, translating it to another language sure doesn't help. Nimur (talk) 01:15, 1 October 2011 (UTC)

No, you shouldn't use backticks (`) for this because it invokes shell command parsing, which is precisely what the OP wants to avoid. You should use system with more than one argument.

I'm not sure I understand the question, though, because find -exec doesn't use shell parsing either. If you look at the linked page, the problems are (1) filenames that begin with - being interpreted as options, which has nothing to do with the shell, and (2) explicitly executing the shell with -exec sh -c "...". To avoid the first problem you have to read the documentation for the particular utility you're using, since the exact treatment of command-line arguments is program-specific. Many (not all) utilities accept -- as a signal that all later arguments are file names, not options. To avoid the second problem, just don't explicitly invoke the shell.

I would strongly suggest avoiding shell utilities in favor of a decent programming language with a large selection of library routines. Perl is okay, but ever since I learned Python I've stopped using Perl for this kind of thing. In Python you can get find-like functionality with os.walk:

      import os

      size = 0

      for dirpath, dirnames, filenames in os.walk('.'):
          for filename in filenames:
              if filename.endswith('.zip'):
                  size += os.stat(os.path.join(dirpath, filename)).st_size

      print(size)

This prints the total size in bytes of all files with names ending in .zip below the current directory. (Not that that's what you wanted to do, but I wanted a nontrivial example.) The point is that you can do a lot of things without invoking command-line utilities at all, and thus you avoid having to stringify the command arguments and parse the output, and all of the security risks and bugs associated with that process. -- BenRG (talk) 03:37, 1 October 2011 (UTC)

Both excellent answers, thank you. That covers pretty much all the issues I was wondering about. Shadowjams (talk) 03:53, 3 October 2011 (UTC)

Torrents - are these just pure leechers?

When you're seeding a torrent and you see peers downloading lots of data from you, but their completed percentage never rises above 0.0% - are these typically users who have modified their client (or are using a hacked client) to make it report incorrect stats to avoid having to upload anything? i.e. being pretty much a textbook leech (I'm using uTorrent, btw)? I've noticed a few of these on my torrents recently and have considered blocking those specific IPs. --Kurt Shaped Box (talk) 01:30, 1 October 2011 (UTC)

Not necessarily. At least some clients, as a bandwidth optimization, don't report the acquisition of a block to a peer that is known to already have that block. (See "HAVE suppression" in the spec here.) -- BenRG (talk) 03:40, 1 October 2011 (UTC)

You can modify how much you upload by right clicking the torrent and choosing how much you can upload, it's not a hack. Bluefist ^talk 17:10, 6 October 2011 (UTC)

Looking for spam

Hello. I'm doing an assignment for which I need a fairly large sample of junk email. Viagra ads, enlarge your manhood, Nigerian scam... everything is fine. Is there some service from which I could retrieve such sample? 88.112.55.242 (talk) 07:57, 1 October 2011 (UTC)

Simply register a domain name (and get your ISP to host it and forward any emails), sign up for some (free?) porn, join a warez forum, and express an interest in buying drugs over the internet. It won't be long before your mailbox will be flooded with more than enough spam to keep you busy for years. Responding to any of the spam will almost certainly increase the amount and variety of spam. In case it is not obvious, never actually give anyone information about your bank account and use a disposable email account for your research. Astronaut (talk) 09:36, 1 October 2011 (UTC)

There are dozens of spam collections on the internet for testing algorithms. [2], [3], [4], to give just a few examples. gnfnrf (talk) 14:28, 1 October 2011 (UTC)

Turning off Search Indexer

Microsoft's Search Indexer appears to be quite a resource hog on my Windows Vista laptop, and I almost never need to search for things - I'm quite organised and I have a good memory. I'm hoping I can free up some resources by stopping the indexer, without it breaking something else. Older versions of Windows had a way to turn off the Search Indexer, but I cannot find the control in Vista. So where has it been moved to?

Type services.msc into the start menu search box or command prompt, find the entry called "Windows Search" and double click it, set "Startup type" to disabled and click "stop". AvrillirvA (talk) 10:27, 1 October 2011 (UTC)

Learning PHP

After half a year of learning XHTML, CSS and JavaScript, it is time to pick up PHP. For files on localhost, can I use my own computer as a server? Do I need to install extra software, such as a PHP interpreter? — Preceding unsigned comment added by 59.189.219.114 (talk) 13:53, 1 October 2011 (UTC)

Yes, you'll need to install server software. When I did this (five years ago) I chose XAMPP, or in fact xampplite which is smaller. (It's Apache, really.) You can start the server, test some PHP locally, and stop the server when you're finished.  Card Zero  (talk) 14:15, 1 October 2011 (UTC)

Depending on what your operating system is, you'll need to install LAMP, WAMP, or XAMPP. Then, you start the webserver on your computer and access the PHP pages with a web browser connecting to localhost. -- kainaw™ 14:25, 1 October 2011 (UTC)

(edit conflict) There are lots of bundled packages of Apache, MySQL, and PHP. Depending on your OS, they are called WAMPs, LAMPs, or MAMPs. (Why we have three separate articles for what are essentially the same concepts, but on different OSes, I do not really know.) There are oodles to choose from. On my Mac I use XAMPP and have never had troubles with it. On my work PC I use EasyPHP and it works fine. --Mr.98 (talk) 14:27, 1 October 2011 (UTC)

making a film

So, I wanted to fit a bunch of pictures together to create a short film, like a slide show, but a bit quicker than I expect they could manage, and whilst experimenting with my video editor (avidemux), I found that I could open pictures in that and stitch them together into just such a film. However, if I try to add a picture that is not the only one in the folder, it adds the whole contents of that folder, but with all but the first in the wrong colours, all bright and jumbled up instead. if I move things in and out of the folder one by one, it can only find the last one, so no easy way around that. And now it turns out, if I save it and load it again, it all comes up in the wrong colours anyway, and with all coloured dots over the pictures as well. Meanwhile, even the right colour images are of a rather lower quality than they were originally.

So, firstly, is there any way I can stop it doing all of these, and actually put the film together like this? If not, is there anything else I can get that would do a better job?

148.197.81.179 (talk) 19:31, 1 October 2011 (UTC)

http://electron.mit.edu/~gsteele/ffmpeg/ ¦ Reisio (talk) 19:50, 1 October 2011 (UTC)

I'm afraid that just looks like a long string of random letters and words to me, I have no idea what I am supposed to do with this, or even if it is something that can do what I want or merely a description of a program that exists elsewhere. 148.197.81.179 (talk) 12:14, 2 October 2011 (UTC)

How to view .TIF (.tif) files?

I downloaded the 25,000*16,000 resolution wallpapers for the Rage video game. I'm wondering what software can open these pics? Does anyone know? 65.66.126.217 (talk) 21:03, 1 October 2011 (UTC)

Assuming Windows XP / Vista / 7, MS Paint should be able to open them and convent them to jpg or something else more suitable. AvrillirvA (talk) 21:02, 1 October 2011 (UTC)

Well, I'm on Vista and MS Paint wasn't able to open them. Paint displays the following.

"Paint cannot open this file. This is not a valid bitmap file, or its format is not currently supported." 65.66.126.217 (talk) 21:09, 1 October 2011 (UTC)

Hmm. Try IrfanView, it should be able to open almost any image format AvrillirvA (talk) 21:17, 1 October 2011 (UTC)

Hey thanks AvrillirvA, that's an impressive software. CHRISTIANgamer97 (talk) 04:03, 2 October 2011 (UTC)

Download the smaller versions if you want smaller ones. There's one that's 2560x1600 and it's probably still bigger than you'll need. ¦ Reisio (talk) 23:30, 1 October 2011 (UTC)

Backing up/cloning a failing hard drive

A computer that I have is complaining of "imminent hard drive failure." I take it to mean that the hard drive is failing the BIOS's health checks. You can still make it boot to Windows but some files may not be reliably readable.

How do you back up or clone a failing hard drive before it fails completely? --71.185.179.174 (talk) 23:24, 1 October 2011 (UTC)

I'd use SystemRescueCD and ddrescue, but only if you're having trouble copying personal data — the OS files aren't worth it. ¦ Reisio (talk) 23:35, 1 October 2011 (UTC)