High Resources?

Status
Not open for further replies.

tedcambron

New Member
https://x10hosting.com/control/?hosting&suspension&u=cambron

My account has been suspended due to high resources but I can't tell what the issue is. Can you please help me understand?
 

Derek

Community Support Force
Community Support
Your reason is: High resource usage explanation needed indexcgi.

I think they need you to explain how come indexcgi was taking so much resource.
 

Corey

I Break Things
Staff member
I have seen your account doing this multiple times, please explain what index.cgi is and does.
 

tedcambron

New Member
index.cgi is a very clean and simple Perl program that controls the whole CMS. It is designed using the best coding practices and uses very little resources. I'm very surprised that it would use enough to be noticed at all. Programs such as this have been tested on multiple server configurations and have proven to be extremely server friendly as compared to their PHP counterparts.

I do notice a little change I could make to check for an empty $action but the code should automatically load the default page without it as it should and does. I must mention that I have used this very same script on a few different free hosts without an issue.

Code:
#!/usr/bin/perl
###############################################################################
# DSBapp v0.5.1                                                               #
#-----------------------------------------------------------------------------#
# index.cgi                                                                   #
#                                                                             #
# This program is free software; you can redistribute it and/or               #
# modify it under the terms of the GNU General Public License                 #
# as published by the Free Software Foundation.                               #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# File: Last modified: 08/26/07                                               #
###############################################################################
$| = 1;

# always
use strict;

# dsbapp modules directory
use lib "./modules";

use CGI::Carp qw(fatalsToBrowser);
use CGI;
use Detoxifier qw<detoxify>;

# shut up compile-time errors
use vars qw($scriptname $pageurl $sourcedir);

# loads config.dat into a hash then saves each key value as a scalar :p
require "config.pl";

# the OOP %input by CGI.pm
use HTML::Entities ();
our %input = ();
our $query = CGI->new;
our @names = $query->param;
foreach my $parameter (@names) {
	# scalar() takes the first value of a multi-valued parameter
	$input{$parameter} = HTML::Entities::decode( scalar $query->param($parameter) );
}

# untaint $action and $op before we go any further
our ($action) = $input{'action'} =~ /^(|[a-zA-Z0-9_]+)$/ or die "bad action\n";
our ($op) = $input{'op'} =~ /^(|[a-zA-Z0-9_]+)$/ or die "bad op\n";

# untaint $sourcedir (from config.pl) before we use it with require
if ($sourcedir =~ /^((?:\/[a-zA-Z0-9]+(?:(?:_|\-|\.)[a-zA-Z0-9]+)*)+)$/) {
	$sourcedir = $1
}
else {
	die "invalid source directory\n"
}

# now require the files that make dsbapp work
require "$sourcedir/dsbapp.pl";
require "$sourcedir/subs.pl";
require "$sourcedir/theme.pl";

# and away we go...
if ($action) {
	$action = lc $action;
	if (-e "$sourcedir/$action.pl") {
		require "$sourcedir/$action.pl";
	}
}
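elsif (!$action && $op) {
	# $op holds a sub name as a string; calling $op->() directly is a symbolic
	# reference, which "use strict" rejects at run time, so look the sub up first
	my $handler = main->can($op) or die "bad op\n";
	$handler->();
} else {
	print_main();
}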
exit;
1;
 

tedcambron

New Member
Is there any resolve in this matter? I was wondering if this is a server configuration issue. From my own research my program takes less resources than most Perl programs available on the internet and far less than any PHP code.
 

descalzo

Grim Squeaker
Community Support
> index.cgi is a very clean and simple Perl program that controls the whole CMS.

As is index.php which controls a PHP driven CMS.

The code posted shows nothing about what is really going on, which is

require "$sourcedir/$action.pl"
 

tedcambron

New Member
> As is index.php which controls a PHP driven CMS.
>
> The code posted shows nothing about what is really going on, which is
>
> require "$sourcedir/$action.pl"

I'm definitely not one to give a tutorial on Perl but $sourcedir and $action are variables. Variables are used here to make the script more portable. $sourcedir is the variable for the path to the directory where the files are located. Commonly known as the source directory (sourcedir for short). As commented in the code it comes from a configuration file. $action comes from an "argument". This argument can either come from a form input or query string. So here the script is "requiring" that a certain file be used according to the variables. This is a "modular" approach. It allows one to drop a file in the source directory and use it.

I could probably copyright the code but this is pretty straightforward Perl coding. Nothing real special going on here. I must add that many people use "else if" statements to get the same effect but that requires more system resources. I can also add that this is the least resource intensive solution known.
 

tedcambron

New Member
I just thought of something.

Having to explain basic Perl coding because of a server resource issue seems very peculiar to me. With all due respect I have doubts that this code is causing any server issues. This code is extremely server friendly and I have used it on 4 different hosts without a single problem. Not knowing Perl cannot possibly be the reason of this suspension.
 

descalzo

Grim Squeaker
Community Support
> I'm definitely not one to give a tutorial on Perl but $sourcedir and $action are variables. Variables are used here to make the script more portable. $sourcedir is the variable for the path to the directory where the files are located. Commonly known as the source directory (sourcedir for short). As commented in the code it comes from a configuration file. $action comes from an "argument". This argument can either come from a form input or query string. So here the script is "requiring" that a certain file be used according to the variables. This is a "modular" approach. It allows one to drop a file in the source directory and use it.
>
> I could probably copyright the code but this is pretty straightforward Perl coding. Nothing real special going on here. I must add that many people use "else if" statements to get the same effect but that requires more system resources. I can also add that this is the least resource intensive solution known.

You don't get it, do you?
Really.
Are you saying that the Perl code you posted is all that the script does? Please.
Let me explain.
Your index file calls another file.
That other file does the heavy lifting.
That other file is causing the suspension.
You do not post the other file, we have no way of pointing out any problems.
To just post your index file and say "Look! It is so simple, it can't possibly cause problems" makes me wonder what your modules really do.
 

tedcambron

New Member
> You don't get it, do you?
> Really.
> Are you saying that the Perl code you posted is all that the script does? Please.
> Let me explain.
> Your index file calls another file.
> That other file does the heavy lifting.
> That other file is causing the suspension.
> You do not post the other file, we have no way of pointing out any problems.
> To just post your index file and say "Look! It is so simple, it can't possibly cause problems" makes me wonder what your modules really do.

Umm, I guess you're right. I really don't get it. I'm responding to the questions as they are asked the best I can.

I was suspended due to resource usage.
I asked why because I have no idea what could possibly be using too much resources.
I was told it's index.cgi.
I responded with a brief explanation of what index.cgi is and what it does. I even posted the entire code for index.cgi as I thought it would help explain.
You asked specifically what a line in the file did and I thought I gave a pretty good explanation of that.
I don't understand why you would ask:
"Are you saying that the Perl code you posted is all that the script does?"
I stated that:
"index.cgi is a very clean and simple Perl program that controls the whole CMS."
There's simply no other way to explain it. That's what it does.

When you say:
"Your index file calls another file."
"That other file does the heavy lifting."
"That other file is causing the suspension."

I'm not sure what kind of heavy lifting you're talking about but if someone would let me know which file is causing the issue I would be more than happy to get rid of it. I was asked about the index.cgi and I think I gave good clean honest answers about it.

I'm not sure what you mean by this:
"You do not post the other file, we have no way of pointing out any problems."
"To just post your index file and say "Look! It is so simple, it can't possibly cause problems" makes me wonder what your modules really do."

I'll post and discuss any file you wish but I'm not sure what you're looking for. I have nothing to hide. All my code is very clean, honest, and simple. Your response makes me think that there will be no resolve because of a lack of understanding. Why not work with me on the issue instead of making me feel stupid?
 

luck31

New Member
I'm posting here instead of your new thread (http://x10hosting.com/forums/free-hosting/120067-high-resource-suspension.html#post676000), since you've got the code listing here. [BTW: Can a mod please merge these two threads?]

descalzo was trying to help in his first post about:
require "$sourcedir/$action.pl"
but I think you both got off on the wrong foot (because he was probably expecting you to tell him what possible actions it runs, which your reply by explaining the literal basics of that line was probably mistaken as you making fun of him).

Anyway what I want to add to this is that your "index.cgi" seems open to exploitation if I'm reading this code right. All you do is check that $action is empty or alphanumeric (with underscores permitted). For example, if an attacker injected "theme" as the action, then it looks like your script would happily run the "theme.pl" script twice. I would recommend either:
  • checking $action against a whitelist (i.e. known to be ok) of scripts (but you lose some of that modular elegance); OR
  • making sure only valid action scripts exist in your $sourcedir and nothing else (preferable if you like your modular elegance, but doesn't prevent scripts like "theme.pl" from being run twice unless you move them elsewhere - e.g. $sourcedir/core/theme.pl should prevent it from being allowed as an action).

Consider this scenario where under $sourcedir you had an "index.pl" that is a copy of the "index.cgi": If someone injected "index" as the $action, then "index.cgi" would require "index.pl" and then potentially require itself, requiring itself .... recursively until the server died. If this was the case (I hope not for the sake of you and anyone else sitting on the same server), then this may explain your High Resource Usage problem.

Assuming the above exploitation isn't the explanation for your High Resource Usage, then perhaps it would help if you listed all the *.pl files that exist under your $sourcedir. It may also help if you indicate which $action.pl file gets used most often. This is what I think descalzo was expecting as a reply.
 
Last edited:

tedcambron

New Member
I understand the concern of exploitation as I am always concerned of that also but I assure you that any alphanumeric $action will be rendered harmless. I understand the use of white-lists, otherwise known as dispatch tables in Perl. I use them throughout the script.

The file will not be included twice under the same specified name. That is to say Perl will simply ignore the second require of the same file.
See Perl "Require"

If an identical index.cgi file named index.pl was in $sourcedir it should just run the index.pl which in turn will render the home page and end. I would have to run a test to truly see if anything else would happen but I would have to wonder how that file got in there in the first place. I actually ran this script a few years back and challenged some black hats to hack in. All attempts failed. They gave up and congratulated me.

I guess I could build a dispatch table to check against valid $actions and I could list the contents of $sourcedir but at this moment I feel that I'm better off giving up. This is a first for me and I have been using free-hosts for about 10 years now.

Feel free to browse my files on the server all you wish. It's open source and I'm proud of the coding techniques used in them. I don't believe I was using too much server resources and it's not my place to explain the wonders of Perl.

I will say, before the server move, this was the best service on the net.

Thanks luck31 for trying to help.
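
An added example (not part of the thread or of DSBapp) of the dispatch-table check discussed in the posts above: the requested action is looked up in an allowlist of handlers instead of being interpolated into a require path. The handler names, %ACTIONS and dispatch() are hypothetical, print_main() is a stub, and the sample requests are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical handlers standing in for the CMS's action scripts.
sub show_news  { return "news page" }
sub show_forum { return "forum page" }
sub print_main { return "main page" }    # stub for the default page

# Allowlist: only names listed here can ever be dispatched. Core files such
# as theme.pl, subs.pl or dsbapp.pl have no entry, so they cannot be
# requested as an action even though their names pass the regex.
my %ACTIONS = (
    news  => \&show_news,
    forum => \&show_forum,
);

# Returns the handler's output, or undef for an unknown or malformed action.
sub dispatch {
    my ($raw) = @_;
    return print_main() if !defined $raw || $raw eq '';

    # same character class as the untaint step in index.cgi
    my ($action) = $raw =~ /\A([a-zA-Z0-9_]+)\z/ or return;

    # lookup replaces the file-existence test: a name that is merely
    # well-formed is not enough, it must be a registered action
    my $handler = $ACTIONS{ lc $action } or return;
    return $handler->();
}

# Constructed sample requests
for my $req ('', 'news', 'NEWS', 'theme', 'index', 'news.pl') {
    my $out = dispatch($req);
    printf "%-10s => %s\n", "'$req'", defined $out ? $out : 'rejected';
}
```

Here 'theme' and 'index' are rejected although they are alphanumeric, which is the case the regex check alone does not cover.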
 

luck31

New Member
Well I guess there goes my theory :redface:.

I don't think it'll be possible for me to actually look at your source code (and admittedly it will probably be out of my league anyway :p), so I'll leave that up to the admins.

Good luck with it all (noticed your other thread was raised with the admins).
 

tedcambron

New Member
Looks like Jarryd saved my site here. I'm so glad because I really think this is a great free-host service.
 