[Solved] Always use chomp!

 



nocare
Novice

May 16, 2010, 7:50 PM

Post #1 of 2 (902 views)
[Solved] Always use chomp!

Been working with a login, and I plan on enabling a USB login device. Sounds fun.

Well with static input (file/variable login information) the login works perfectly as expected.

Now when user input is submitted the password checks out just fine, but the user name does not. By everything I can tell, the user name input is exactly the same in both cases, so it is really bugging the crap out of me.

I have a decently sized project here, and to eliminate anything that may be missing I'm going to upload it here.

There are some inconsistencies, for instance the motd doesn't exit, but it's not yet used. (exception handler).
Also I know my @gRoutine (database connect) variable split method is absolutely terrible. I've since learned how to handle arguments, so I just need to fix that, just wanting working code before I work my best to break it again.

user: root
pass: password

when UserLogin("bypass") in main.pl line 21,
user hash = c99bba0df305029d6880dfe71f332ed3
pass hash = 72a2c0c9bbbf5387467d0847de4ee483

when UserLogin is just called (user input thus required) in main.pl line 21,
user hash = 3a27b9088a59f77642343e006baef206
pass hash = 72a2c0c9bbbf5387467d0847de4ee483

As always any input, criticism, help, comments, and wake up calls are welcomed
Thanks for your time


-------------------------------------------
Additional Thoughts:

I first suspected:

Code
    if ($varlength < 8) {
        # Had to change this... Fishmonger's shorthand was too hard for me to grasp for now.
        # Append "\0" until the value is 8 bytes long.
        for (; $varlength < 8; $varlength++) {
            $var .= "\0";
        }
    }


However through testing and whatnot (god I'd love to be able to view those 0 terminators in Windows command prompt) I determined it was not likely the cause. In addition both the user input and static variables pass Crypt::DES which throws an exception when input is not exactly 8 bytes long, so given that both output hashes for the username should be the same... right?



Code
    my $username = <>;

I am thinking it is possible that more likely than not, Perl is handling the user input at something lower level than ASCII, which depending on how it passes to other functions could mess the hash up. This is backed by the fact the static login is a string sent directly to the functions without passing through the input handler.

However a flaw in this theory is that the password works exactly the same, and has no problems.

:/


(This post was edited by nocare on May 17, 2010, 3:42 PM)
Attachments: AiBot.rar (3.93 KB)


nocare
Novice

May 17, 2010, 3:41 PM

Post #2 of 2 (891 views)
Re: [nocare] Crypt::DES and Digest::MD5 strangeness

I figured out the problem!
But I need help fixing it.

... reference this image, and I believe I can explain what is happening.

http://i225.photobucket.com/albums/dd317/deadlyp99/programming/nullonpass.png

My static variable "root\0\0\0\0" is eight bytes, but it is stored as a single solid variable string.

My input however is not static, and gets modified. I decided to send the variable directly after input, and directly after my CheckLength function.

Directly after input I had the user name and a NEW LINE.
Tested that against my password and there was no new line. wtf right?!

After passing through CheckLength, because the username had a "\n" char attached it only had 3 "\0" tagged onto the end as opposed to the static variable which has 4 "\0" and no "\n".

I'm so happy I found this bug, and that I have prior knowledge of how these unseen data are tagged onto strings in files.

Here are my thoughts on how this goes, and my first approach at fixing it.


Code
    } else {
        # Debug log file (the O_* constants come from the Fcntl module)
        sysopen(my $handle, "usernamelog.txt", O_RDWR|O_EXCL|O_CREAT, 0755) || die "WTFFFFF";
        print " FAILED";
        print "\n\nIn order to continue you need authenticate yourself!\nUsername: ";
        my $username = <STDIN>;    # still carries the trailing "\n"

        my $username_len = CheckLength($username);
        print "\nPassword: ";
        my $passwd = <STDIN>;      # still carries the trailing "\n"
        my $passwd_len = CheckLength($passwd);
        # Debug: dump the processed value to the file and stop here
        printf $handle "Username: ".$passwd_len;
        close($handle);
        exit;
        # Not reached while the debug exit above is in place
        my ($username_md5, $passwd_md5) = EncryptAndHash($username_len, $passwd_len);
        print "\n\nusername_len: ".$username_md5."\npasswd_len: ".$passwd_md5;
        TryLogin($username_md5, $passwd_md5);
    }


You'll notice that I did something very very bad, and that I've never encountered or needed to do before in a programming language.

Through some research I realized that STDIN collects everything until the enter key is pressed, but in addition holds the newline char generated when you press return!!

BECAUSE my password input just so happens to be 8 bytes, the 9th byte is a newline, and because my function substrings that variable, it removes the newline!

The username which is 4 bytes+"\n", appends the nulls, as mentioned above.

After more research I learned I need to "chomp" my input, which is essentially substringing to 1 character lower than the total length of the input.

What a freaking coincidence, eh?

So people new to Perl, make sure to take a big ol' bite out of your user input, using chomp
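
The behaviour described in this thread, as an added example that is not the poster's code: `pad_to_8` is a hypothetical stand-in for the thread's `CheckLength` (pad with "\0" up to 8 bytes, truncate longer input), the typed lines are constructed, and the Crypt::DES step is left out so only core modules are needed. It prints the control bytes visibly and compares the digest of the raw and the chomped input for each field.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical stand-in for the thread's CheckLength: pad with "\0" up to
# 8 bytes and cut anything longer down to 8 bytes.
sub pad_to_8 {
    my ($var) = @_;
    $var .= "\0" x (8 - length($var)) if length($var) < 8;
    return substr($var, 0, 8);
}

# Render non-printable bytes as \xNN so "\n" and "\0" show up on a console.
sub visible {
    my ($s) = @_;
    $s =~ s/([^\x21-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Constructed sample input: what <STDIN> returns when the user types the
# value and presses Enter (the trailing newline is part of the string).
my %typed = (username => "root\n", password => "password\n");

for my $field (sort keys %typed) {
    my $raw = $typed{$field};
    chomp(my $clean = $raw);    # remove the trailing newline, if there is one

    my ($bad, $good) = (pad_to_8($raw), pad_to_8($clean));
    printf "%-8s raw:     %-24s md5=%s\n", $field, visible($bad),  md5_hex($bad);
    printf "%-8s chomped: %-24s md5=%s\n", $field, visible($good), md5_hex($good);
    printf "%-8s digests %s\n\n", $field,
        $bad eq $good ? "match (newline was cut off as byte 9)" : "DIFFER";
}
```

The password digests match only because the typed password is exactly 8 bytes, so the newline is the ninth byte and gets truncated; the 4-byte username keeps its newline and receives three null bytes instead of four.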
