Turning greek-iso filenames => utf-8 iso

Started by: Νικόλαος Κούρας <support@superhost.gr>
First post: 2013-06-12 08:02 +0000
Last post: 2013-06-14 01:28 +0000
Articles: 18 on this page of 38 (9 participants)


#47773

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-12 13:40 +0300
Message-ID: <kp9j6l$2tle$1@news.ntua.gr>
In reply to: #47763

Thanks Steven, I made some alterations to the variable names and at 
the end to the way that I check a database filename against an hdd 
filename. Here is the code:

# =================================================================================================================
# Convert wrongly encoded filenames to utf-8
# =================================================================================================================
path = b'/home/nikos/public_html/data/apps/'
filenames = os.listdir( path )

utf8_filenames = []

for filename in filenames:
	# Compute 'path/to/filename'
	filename_bytes = path + filename
	encoding = guess_encoding( filename_bytes )
	
	if encoding == 'utf-8':
		# File name is valid UTF-8, so we can skip to the next file.
		utf8_filenames.append( filename_bytes )
		continue
	elif encoding is None:
		# No idea what the encoding is. Hit it with a hammer until it stops moving.
		filename = filename_bytes.decode( 'utf-8', 'xmlcharrefreplace' )
	else:
		filename = filename_bytes.decode( encoding )

	# Rename the file to something which ought to be UTF-8 clean.
	newname_bytes = filename.encode('utf-8')
	os.rename( filename_bytes, newname_bytes )
	utf8_filenames.append( newname_bytes )
	
	# Once we get here, the file ought to be UTF-8 clean and the Unicode name ought to exist:
	assert os.path.exists( newname_bytes.decode('utf-8') )


# Switch filenames from utf8 bytestrings => unicode strings
filenames = []

for utf8_filename in utf8_filenames:
	filenames.append( utf8_filename.decode('utf-8') )

# Check the presence of a database file against the dir files and delete record if it doesn't exist
cur.execute('''SELECT url FROM files''')
data = cur.fetchall()

for url in data:
	if url not in filenames:
		# Delete spurious
		cur.execute('''DELETE FROM files WHERE url = %s''', url )
=========================

Now 'http://superhost.gr/?page=files.py' is not erring out at all but 
also it doesn't display the big filename table for users to download.

Here is how I try to print the filenames with a button for the users:

# =================================================================================================================
# Display ALL files, each with its own download button
# =================================================================================================================
print('''<body background='/data/images/star.jpg'>
		 <center><img src='/data/images/download.gif'><br><br>
		 <table border=5 cellpadding=5 bgcolor=green>
''')

try:
	cur.execute( '''SELECT * FROM files ORDER BY lastvisit DESC''' )
	data = cur.fetchall()
	
	for row in data:
		(filename, hits, host, lastvisit) = row
		lastvisit = lastvisit.strftime('%A %e %b, %H:%M')
		
		print('''
		<form method="get" action="/cgi-bin/files.py">
			<tr>
				<td> <center> <input type="submit" name="filename" value="%s"> </td>
				<td> <center> <font color=yellow size=5> %s </td>
				<td> <center> <font color=orange size=4> %s </td>
				<td> <center> <font color=silver size=4> %s </td>
			</tr>
		</form>
		''' % (filename, hits, host, lastvisit) )
	print( '''</table><br><br>''' )
except pymysql.ProgrammingError as e:
	print( repr(e) )

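An added example, not code from the thread: fetchall() returns row tuples, so the posted `url not in filenames` test is true for every row and the DELETE empties the table that the display loop then reads. The sketch below unpacks the column before comparing and HTML-escapes each value before it reaches the form. It assumes sqlite3 in place of pymysql (`?` instead of `%s` placeholders), a url column holding bare file names, a hypothetical decode_name helper in place of the thread's guess_encoding, and constructed sample data.

```python
import html
import sqlite3

# Assumption: ISO-8859-7 is the legacy Greek codec meant by the thread title.
LEGACY_CODEC = "iso-8859-7"


def decode_name(raw):
    """Decode one os.listdir(bytes_path) entry to str (hypothetical helper)."""
    for codec in ("utf-8", LEGACY_CODEC):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    # 'replace' is valid when decoding; 'xmlcharrefreplace' is an encode-only
    # handler and raises an error when a decode error reaches it.
    return raw.decode("utf-8", "replace")


def flagged_by_tuple_compare(conn, names_on_disk):
    """Reproduce the posted test: a row tuple is compared against str names."""
    rows = conn.execute("SELECT url FROM files").fetchall()
    return [row for row in rows if row not in names_on_disk]


def prune_missing(conn, names_on_disk):
    """Delete rows whose url names no file on disk; return the deleted urls."""
    present = set(names_on_disk)
    deleted = []
    for (url,) in conn.execute("SELECT url FROM files").fetchall():
        if url not in present:
            # Parameters are passed as a tuple, never formatted into the SQL.
            conn.execute("DELETE FROM files WHERE url = ?", (url,))
            deleted.append(url)
    conn.commit()
    return deleted


def render_rows(conn):
    """Return one <tr> per file with every database value HTML-escaped."""
    query = "SELECT url, hits, host, lastvisit FROM files ORDER BY lastvisit DESC"
    out = []
    for row in conn.execute(query).fetchall():
        cells = tuple(html.escape(str(value), quote=True) for value in row)
        out.append(
            '<tr><td><input type="submit" name="filename" value="%s"></td>'
            "<td>%s</td><td>%s</td><td>%s</td></tr>" % cells
        )
    return out


def build_sample():
    """Constructed sample data: raw directory entries and a matching table."""
    raw_names = [
        "Ευα.zip".encode(LEGACY_CODEC),   # legacy-encoded name
        "Ωμέγα.pdf".encode("utf-8"),      # already UTF-8
        b'notes "<draft>".txt',           # markup characters in a name
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (url TEXT, hits INTEGER, host TEXT, lastvisit TEXT)"
    )
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?, ?)",
        [
            ("Ευα.zip", 3, "host-a.example", "2013-06-12 10:00"),
            ("Ωμέγα.pdf", 7, "host-b.example", "2013-06-12 11:00"),
            ('notes "<draft>".txt', 1, "host-c.example", "2013-06-12 12:00"),
            ("gone.rar", 9, "host-d.example", "2013-06-11 09:00"),
        ],
    )
    return raw_names, conn


if __name__ == "__main__":
    raw_names, conn = build_sample()
    names = [decode_name(raw) for raw in raw_names]
    print("flagged by tuple comparison:", len(flagged_by_tuple_compare(conn, names)))
    print("actually missing:", prune_missing(conn, names))
    print("\n".join(render_rows(conn)))
```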


#47911

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 09:49 +0300
Message-ID: <kpbq1h$qvk$5@news.ntua.gr>
In reply to: #47773

Steven, I can create a normal user account for you and copy files.py 
into your home folder if you want to take a look from within.

Since the code seems correct, because it's not erring out and you've 
helped me write it, I don't know what else to try.

Those files inside the 'apps' dir ought to be printed in an HTML table after 
their utf-8 conversion.

They still insist not to...



#47918

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-06-13 17:54 +1000
Message-ID: <mailman.3171.1371110075.3114.python-list@python.org>
In reply to: #47911

On Thu, Jun 13, 2013 at 4:49 PM, Νικόλαος Κούρας <support@superhost.gr> wrote:
> Steven, i can create a normal user account for you and copy files.py into
> your home folder if you want to take a look from within.

At least you're not offering root access any more. But are you aware
that most of your users' files are world-readable? And are you aware
of what that means?

ChrisA



#47922

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 11:15 +0300
Message-ID: <kpbv40$7bj$3@news.ntua.gr>
In reply to: #47918

On 13/6/2013 10:54 πμ, Chris Angelico wrote:
> On Thu, Jun 13, 2013 at 4:49 PM, Νικόλαος Κούρας <support@superhost.gr> wrote:
>> Steven, i can create a normal user account for you and copy files.py into
>> your home folder if you want to take a look from within.
>
> At least you're not offering root access any more. But are you aware
> that most of your users' files are world-readable? And are you aware
> of what that means?

I host no "e-shop" websites, hence on my system there is no credit 
card info stored, no ID photos, no SSN, nothing.

Now I checked and most are Joomla files or sites made by DreamWeaver, 
and they are 755, that would mean group and world readable, *not* 
writable, so no harm can possibly come out of this.

And even if something could happen, I strongly believe Steven would not 
do it, as he is almost (there are others too, but not such frequent and 
detailed helpers) the only one that in fact helps me with my questions, 
and I'm seriously considering paying him to turn my cgi scripts into 
python web frameworks (perhaps 'webpy'), since Django must be 
overkill for my case, wouldn't do any harm.



#47926

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-06-13 19:25 +1000
Message-ID: <mailman.3176.1371115513.3114.python-list@python.org>
In reply to: #47922

On Thu, Jun 13, 2013 at 6:15 PM, Νικόλαος Κούρας <support@superhost.gr> wrote:
> I host no "e-shop" websites, hence into my system there is no credit card
> info stored, no id photos, no SSN, nothing.
>
> Now i checked and most are Joomla files or sites made by DreamWeaver.
> and they are 755, that would mean group and word readable, *not* writable,
> so no harm can possibly come out of this.

You really want to bet everything that not one of your clients has a
single bit of private information? Have you really learned nothing?

ChrisA



#47930

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 12:43 +0300
Message-ID: <kpc48r$1mk8$2@news.ntua.gr>
In reply to: #47926

On 13/6/2013 12:25 μμ, Chris Angelico wrote:
> On Thu, Jun 13, 2013 at 6:15 PM, Νικόλαος Κούρας <support@superhost.gr> wrote:
>> I host no "e-shop" websites, hence into my system there is no credit card
>> info stored, no id photos, no SSN, nothing.
>>
>> Now i checked and most are Joomla files or sites made by DreamWeaver.
>> and they are 755, that would mean group and word readable, *not* writable,
>> so no harm can possibly come out of this.
>
> You really want to bet everything that not one of your clients has a
> single bit of private information? Have you really learned nothing?

Yes, I can take that bet. All of my clients are also good friends and I know 
their websites and what they are storing, nothing else than each website's 
representation, nothing personal.



#47979

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-06-14 00:05 +1000
Message-ID: <mailman.3207.1371136676.3114.python-list@python.org>
In reply to: #47930

On Thu, Jun 13, 2013 at 7:43 PM, Νικόλαος Κούρας <support@superhost.gr> wrote:
> On 13/6/2013 12:25 μμ, Chris Angelico wrote:
>>
>> On Thu, Jun 13, 2013 at 6:15 PM, Νικόλαος Κούρας <support@superhost.gr>
>> wrote:
>>>
>>> I host no "e-shop" websites, hence into my system there is no credit card
>>> info stored, no id photos, no SSN, nothing.
>>>
>>> Now i checked and most are Joomla files or sites made by DreamWeaver.
>>> and they are 755, that would mean group and word readable, *not*
>>> writable,
>>> so no harm can possibly come out of this.
>>
>>
>> You really want to bet everything that not one of your clients has a
>> single bit of private information? Have you really learned nothing?
>
>
> Yes i can take that bet. All of clients ar also good friends and i know
> their websites and what they are storing, nothing else that each website
> representation, nothing personal.

So you'd be okay with publishing their mail directories, their contact
emails, and everything else they have in their home directories?

ChrisA

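An added example, not part of the thread: mode 755 on directories and 644 on files means any other local account can open those files, which is the exposure being argued about above. The audit below reports every regular file an unrelated account can reach, checking o+r on the file and o+x on each directory above it. It assumes it runs as the owner or root, ignores ACLs and anything above the chosen root, and uses a constructed tree with made-up file names.

```python
import os
import stat
import tempfile


def other_readable_files(root):
    """List regular files under root that an unrelated local account can open.

    A file is reported only if its mode grants read to "other" and every
    directory from root down to it grants search (x) to "other". Directories
    that lack o+x hide everything beneath them, whatever the file modes say.
    Returns (relative_path, mode_string) pairs in sorted walk order.
    """
    exposed = []

    def walk(directory, rel):
        if not os.lstat(directory).st_mode & stat.S_IXOTH:
            return  # "other" cannot traverse this directory
        with os.scandir(directory) as it:
            entries = sorted(it, key=lambda entry: entry.name)
        for entry in entries:
            mode = entry.stat(follow_symlinks=False).st_mode
            rel_path = os.path.join(rel, entry.name)
            if stat.S_ISDIR(mode):
                walk(entry.path, rel_path)
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append((rel_path, stat.filemode(mode)))

    walk(root, "")
    return exposed


def build_sample_tree(base):
    """Create a constructed home-directory layout with explicit modes."""
    layout = {
        # Web root as described in the thread: directories 755, files 644.
        "public_html": (0o755, {"index.html": 0o644, "configuration.php": 0o644}),
        # Owner-only directory: the 644 file inside is still unreachable.
        "mail": (0o700, {"inbox": 0o644}),
        # Open directory, owner-only file.
        "private": (0o755, {"notes.txt": 0o600}),
    }
    os.chmod(base, 0o755)  # mkdtemp creates 0700; use the 755 case from the thread
    for dirname, (dir_mode, files) in layout.items():
        dir_path = os.path.join(base, dirname)
        os.mkdir(dir_path)
        for file_name, file_mode in files.items():
            file_path = os.path.join(dir_path, file_name)
            with open(file_path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(file_path, file_mode)
        os.chmod(dir_path, dir_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for path, mode in other_readable_files(base):
            print(mode, path)
```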


#47971

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 17:28 +0300
Message-ID: <51B9D716.80207@superhost.gr>
In reply to: #47911

Can you accept, please? Or suggest something I should try so that the 
files are correctly viewed by my visitors?



#47978

From: Zero Piraeus <schesis@gmail.com>
Date: 2013-06-13 10:16 -0400
Message-ID: <mailman.3205.1371136676.3114.python-list@python.org>
In reply to: #47911

:

> Steven, i can create a normal user account for you and copy files.py into
> your home folder if you want to take a look from within.

Nikos, please, DO NOT DO THIS.

It must be clear to you that Steven is *much* more experienced than
you. Your presumptions about what he can and can't do with the access
you give him are therefore not much more than uninformed guesswork.

You have already been given a lesson about trusting the care of your
(and by extension your clients') resources to people you don't know,
and Chris, who gave you that lesson, is telling you that the course of
action you propose is unwise.

Steven has given every impression, over a long period, of being one of
the good guys, but *you don't know him*, and *you don't have any kind
of legal agreement with him* that would protect you should he turn out
to be malicious[1].

Given what's already happened to you, it would be the height of
irresponsibility to continue as you propose. If I were one of your
clients and I found out about it, I'd be seriously considering legal
action against you for gross negligence.

 -[]z.

[1] Steven, I don't intend any insinuations about your character, as
I'm sure you realise.



#47983

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 19:20 +0300
Message-ID: <kpcrfn$21co$2@news.ntua.gr>
In reply to: #47978

On 13/6/2013 5:16 μμ, Zero Piraeus wrote:
> :
>
>> Steven, i can create a normal user account for you and copy files.py into
>> your home folder if you want to take a look from within.
>
> Nikos, please, DO NOT DO THIS.
>
> It must be clear to you that Steven is *much* more experienced than
> you. Your presumptions about what he can and can't do with the access
> you give him are therefore not much more than uninformed guesswork.

But I am not offering Steven full root access, but restricted user-level 
access. Are you implying that, for example, one could elevate his 
privileges to root-level access from within a normal restricted user 
account?

> You have already been give a lesson about trusting the care of your
> (and by extension your clients) resources to people you don't know,
> and Chris, who gave you that lesson, is telling you that the course of
> action you propose is unwise.
>
> Steven has given every impression, over a long period, of being one of
> the good guys, but *you don't know him*, and *you don't have any kind
> of legal agreement with him* that would protect you should he turn out
> to be malicious[1].

He is the only one helping me so far with my hundreds of questions, and in 
detail. He is also the only one that didn't make fun of me for being 
inexperienced by making funny jokes at my expense.

I trust him.

Also there is no other way of me solving this, so I have no other 
alternative and I *must* solve this; it's over 15 days I'm trying with 
these encoding issues, let alone years of trouble in various other scripts.



#47992

From: Grant Edwards <invalid@invalid.invalid>
Date: 2013-06-13 17:17 +0000
Message-ID: <kpcur2$dk$2@reader1.panix.com>
In reply to: #47983

On 2013-06-13, Νικόλαος Κούρας <support@superhost.gr> wrote:
> On 13/6/2013 5:16 μμ, Zero Piraeus wrote:
>> :
>>
>>> Steven, i can create a normal user account for you and copy files.py into
>>> your home folder if you want to take a look from within.
>>
>> Nikos, please, DO NOT DO THIS.
>>
>> It must be clear to you that Steven is *much* more experienced than
>> you. Your presumptions about what he can and can't do with the access
>> you give him are therefore not much more than uninformed guesswork.
>
> But iam not offering Steven full root access, but restricted user
> level access.

That's what you _think_ you're offering.

Unless you're a very careful, very experienced system admin -- and
you're also lucky -- you're probably wrong.  If not now, then you'll
be wrong next week or next month when a new privilege elevation
exploit is discovered for your OS.

> Are you implying that for example one could elevate his privileges to
> root level access form within a normal restricted user account?

Yes, that's what he's implying.

-- 
Grant Edwards               grant.b.edwards        Yow! I'm thinking about
                                  at               DIGITAL READ-OUT systems
                              gmail.com            and computer-generated
                                                   IMAGE FORMATIONS ...



#47995

From: Zero Piraeus <schesis@gmail.com>
Date: 2013-06-13 13:27 -0400
Message-ID: <mailman.3212.1371144454.3114.python-list@python.org>
In reply to: #47983

:

> But iam not offering Steven full root access, but restricted user level
> access. Are you implying that for example one could elevate his privileges
> to root level access form within a normal restricted user account?

I am implying that your demonstrated lack of ability means that *you
don't know* what Steven or anyone else could do with user-level
access. Elsewhere on this list, you've been shown that you're
publishing database passwords to the whole world in plaintext. Who
knows what other mistakes you've made? Who knows how
$STRANGER_YOU_TRUST_THIS_WEEK could exploit your (proven to be
insecure) setup if they had a mind to?

> I trust him.

And you have presumably informed all your clients that you're letting
the second complete stranger in a week into their data, passed on to
them the warnings you have received against doing exactly that,
reminded them that the last time you did so you were severely
embarrassed by the result (and that you're not skilled or experienced
enough to be sure that nothing worse happened), and secured their
go-ahead, right?

> Also there is no other way of me solving this, so i have no other
> alternative and i *must* solve this its over 15 days i'am trying with this
> encoding issues, let alone years of trouble in various other scripts.

Then you need to contract with paid, professional support to solve
your problems.

 -[]z.



#47998

From: Νικόλαος Κούρας <support@superhost.gr>
Date: 2013-06-13 20:48 +0300
Message-ID: <kpd0kp$21co$8@news.ntua.gr>
In reply to: #47995

On 13/6/2013 8:27 μμ, Zero Piraeus wrote:
> :
>
>> But iam not offering Steven full root access, but restricted user level
>> access. Are you implying that for example one could elevate his privileges
>> to root level access form within a normal restricted user account?
>
> I am implying that your demonstrated lack of ability means that *you
> don't know* what Steven or anyone else could do with user-level
> access. Elsewhere on this list, you've been shown that you're
> publishing database passwords to the whole world in plaintext. Who
> knows what other mistakes you've made? Who knows how
> $STRANGER_YOU_TRUST_THIS_WEEK could exploit your (proven to be
> insecure) setup if they had a mind to?
>
>> I trust him.

You are right, but I still believe Steven would not act maliciously on 
the server.  He proved himself very helpful already.


>> Also there is no other way of me solving this, so i have no other
>> alternative and i *must* solve this its over 15 days i'am trying with this
>> encoding issues, let alone years of trouble in various other scripts.
>
> Then you need to contract with paid, professional support to solve
> your problems.

Or receive some free help, to solve this single detail I'm missing.



#47999

From: Grant Edwards <invalid@invalid.invalid>
Date: 2013-06-13 17:53 +0000
Message-ID: <kpd0ui$omq$1@reader1.panix.com>
In reply to: #47998

On 2013-06-13, Νικόλαος Κούρας <support@superhost.gr> wrote:
> On 13/6/2013 8:27 μμ, Zero Piraeus wrote:
>
>> Then you need to contract with paid, professional support to solve
>> your problems.
>
> Or receive some free help, to solve this single detail i'am missing.

  "single detail I am missing"

Seriously?

-- 
Grant Edwards               grant.b.edwards        Yow! What I want to find
                                  at               out is -- do parrots know
                              gmail.com            much about Astro-Turf?



#48027

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-06-14 07:46 +1000
Message-ID: <mailman.3228.1371159967.3114.python-list@python.org>
In reply to: #47998

On Fri, Jun 14, 2013 at 3:48 AM, Νικόλαος Κούρας <support@superhost.gr> wrote:
> On 13/6/2013 8:27 μμ, Zero Piraeus wrote:
>>
>> :
>>
>>> But iam not offering Steven full root access, but restricted user level
>>> access. Are you implying that for example one could elevate his
>>> privileges
>>> to root level access form within a normal restricted user account?
>>
>>
>> I am implying that your demonstrated lack of ability means that *you
>> don't know* what Steven or anyone else could do with user-level
>> access. Elsewhere on this list, you've been shown that you're
>> publishing database passwords to the whole world in plaintext. Who
>> knows what other mistakes you've made? Who knows how
>> $STRANGER_YOU_TRUST_THIS_WEEK could exploit your (proven to be
>> insecure) setup if they had a mind to?
>>
>>> I trust him.
>
>
> You are right, but i still believe Stevn would not act maliciously in the
> server.  He proved himself very helpfull already.

You thought that about me, too. (And you were still correct. I did not
act maliciously, I just didn't do what you thought I'd do.) By the
time you know what someone will do with your server, it is too late.
And remember, I made it really obvious what I'd done; someone else may
well not.

Oh, and as to privilege escalation... there have been exploits found
in various applications, but the biggest one *ever* is the social
attack. It'd be VERY easy for Steven to get access, put a file in his
home directory, ask you to run it as root, and give himself full
access. And how would you know what that script does? You are
incompetent at managing a Linux system. You would be compromised
faster than an unpatched XP.

ChrisA



#48034

From: Dave Angel <davea@davea.name>
Date: 2013-06-13 18:20 -0400
Message-ID: <mailman.3234.1371162070.3114.python-list@python.org>
In reply to: #47998

On 06/13/2013 05:46 PM, Chris Angelico wrote:
> On Fri, Jun 14, 2013 at 3:48 AM, Νικόλαος Κούρας <support@superhost.gr> wrote:
>>
>>     <SNIP>
>>
>> You are right, but I still believe Steven would not act maliciously in the
>> server.  He proved himself very helpful already.
>
> You thought that about me, too. (And you were still correct. I did not
> act maliciously, I just didn't do what you thought I'd do.) By the
> time you know what someone will do with your server, it is too late.
> And remember, I made it really obvious what I'd done; someone else may
> well not.
>
> Oh, and as to privilege escalation... there have been exploits found
> in various applications, but the biggest one *ever* is the social
> attack. It'd be VERY easy for Steven to get access, put a file in his
> home directory, ask you to run it as root, and give himself full
> access. And how would you know what that script does? You are
> incompetent at managing a Linux system. You would be compromised
> faster than an unpatched XP.
>
> ChrisA
>

Perhaps more relevant is changes that are made by mistake, or by side 
effect of software tools, or by virus or by adware.  When you unlock a 
door, you're never sure just what will happen.  This is why even with my 
own system, I use the least-privileged logon that lets me do what I need 
to do.

I was involved in cleaning up the mess left behind by some guys who 
installed an April-fools joke on their boss' machine.  They didn't mean 
any harm, but their code had bugs.

And when new to Unix, I once typed a very complicated command (involving 
the find program, but also invoking other code) which would have had the 
final effect of deleting our entire source tree, including the (RCS) 
source control.  I would have tested the operation first, except that 
some fool disabled the editor for csh when running as root.  Anyway, the 
only thing that saved me was that Unix (in that era) had such a slow 
file system that I was able to kill it before it deleted a half-dozen 
files.  Nothing volatile was lost, and the missing files were trivial to 
restore from the daily backup tapes.

-- 
DaveA



#48053

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-06-14 03:05 +0000
Message-ID: <51ba8890$0$29997$c3e8da3$5496439d@news.astraweb.com>
In reply to: #47983

On Thu, 13 Jun 2013 19:20:06 +0300, Νικόλαος Κούρας wrote:

> But I am not offering Steven full root access, but restricted user level
> access. Are you implying that for example one could elevate his
> privileges to root level access from within a normal restricted user
> account?

Me personally? Probably not. (But if I could, would I admit it?) But in 
general, there may be ways for an expert to elevate privileges. It 
depends on how well configured your server is, it depends on any security 
holes in your operating system and applications.


>> You have already been given a lesson about trusting the care of your
>> (and by extension your clients') resources to people you don't know, and
>> Chris, who gave you that lesson, is telling you that the course of
>> action you propose is unwise.

This is correct.

Do you know where I live? Do you even know what country I am in? Do you 
have a phone number for me? Do we have an agreement in writing explaining 
what you want me to do and what you will pay me and what I will do in 
return? It doesn't even need to be a formal contract, even just a few 
emails explaining the details and where we agree on what I am to do. Then 
at least you have some recourse if I do something bad.

Although, given that you are in Greece and I am in Australia, you don't 
have *much* recourse.


>> Steven has given every impression, over a long period, of being one of
>> the good guys, but *you don't know him*, and *you don't have any kind
>> of legal agreement with him* that would protect you should he turn out
>> to be malicious[1].
> 
> He is the only one helping me so far, to my hundreds of questions and in
> detail. He is also the only one that didn't make fun of me because being
> inexperienced by making funny jokes at my expense.
> 
> I trust him.

Thank you for the kind words, and the trust, but I am not the only person 
helping you. You have had a lot of help over the last few months that you 
have been asking questions. If people are making fun of you, it is out of 
frustration that so often when we give you advice or answer your 
questions, you do not seem to pay any attention to the answers.

Nikos, many people have tried very, very hard to help you. You have not 
been the easiest person to deal with. You flood this forum asking the 
same question over and over and over again, sometimes only waiting a few 
minutes between posts. You ignore our advice, you flood the forum with so 
many copies of your code that it is impossible to keep track of which one 
is current. You keep changing your email identity. You argue when people 
tell you what error you are making. Even when the error message is right 
in front of you, you refuse to believe it and argue that the problem must 
be elsewhere.

Your English seems to be very good, but even if we make allowances for 
English not being your native language, you are still behaving badly. It 
is really, really frustrating dealing with you.

I tell you this, not because I want to be cruel or to hurt you, but as 
constructive advice. Understand what you do that is annoying to others, 
and try to stop doing those things.

Remember: just because your site is important to YOU does not make it 
important to US. We have our own lives, our own jobs, our own websites to 
look after. We are volunteers, and you are not paying for support. You 
can spend money, or you can spend time. You get to pick which one you 
spend, but you will end up spending one or the other.

At this point, I do not wish to take responsibility for fixing your 
Python programming issues. I don't mind sending you public advice, where 
others can step in if they think I have made a mistake, and where you 
have final responsibility for deciding whether or not to take my advice. 
But I do not wish to accept that responsibility in full.


> Also there is no other way of me solving this, so I have no other
> alternative and I *must* solve this, it's over 15 days I am trying with
> these encoding issues, let alone years of trouble in various other
> scripts.

I am sorry that you are having problems, but being a webmaster is a big, 
complicated job. You have to learn about HTML, about CGI, about Python 
(or some other language, PHP, Javascript, Perl, etc.), about permissions 
and encodings and many other things. You cannot expect us to teach you 
all these things overnight. You have to do your own study.

The internet is full of places you can learn. Don't just rely on us. Go 
read books -- do you have a public library you can go to? Instead of 
asking us over and over and over again about bytes, go spend a few hours 
reading books in Greek about computer basics. Maybe you can go do a one-
day course? Don't just ask us about Unicode and encodings, read the web 
pages we have linked to. Here are two good places to start:

www.joelonsoftware.com/articles/Unicode.html

http://nedbatchelder.com/text/unipain.html


If you have not read these two articles, STOP EVERYTHING AND GO READ 
THEM. Read every word, don't just skim them. Your English is very good, 
so you should have no problem with them.

There are probably other good sites to help you learn about security for 
CGI script. I have no idea about it. I can spell "cgi secuity", that's 
about all. Go do your own research. Be prepared that some websites will 
tell you bad advice, or incomplete advice, or obsolete advice. That's the 
cost of free advice. You can have it for free, and spend your own time, 
or pay for it, and spend someone else's time.

Good luck! This is not goodbye, because you are welcome to ask questions 
about *Python* here. But when you ask questions, try to make them *smart* 
questions that will be a pleasure for volunteers to answer:

http://sscce.org/

http://www.catb.org/esr/faqs/smart-questions.html

(I should not need to say this, but I will: read these websites too. If I 
send you a link, it is because you need to read it.)



-- 
Steven



#48048

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-06-14 01:28 +0000
Message-ID: <51ba71a8$0$29997$c3e8da3$5496439d@news.astraweb.com>
In reply to: #47978

On Thu, 13 Jun 2013 10:16:42 -0400, Zero Piraeus wrote:

> :
> 
>> Steven, i can create a normal user account for you and copy files.py
>> into your home folder if you want to take a look from within.
> 
> Nikos, please, DO NOT DO THIS.
> 
> It must be clear to you that Steven is *much* more experienced than you.
> Your presumptions about what he can and can't do with the access you
> give him are therefore not much more than uninformed guesswork.
> 
> You have already been given a lesson about trusting the care of your (and
> by extension your clients') resources to people you don't know, and
> Chris, who gave you that lesson, is telling you that the course of
> action you propose is unwise.
> 
> Steven has given every impression, over a long period, of being one of
> the good guys, but *you don't know him*, and *you don't have any kind of
> legal agreement with him* that would protect you should he turn out to
> be malicious[1].
> 
> Given what's already happened to you, it would be the height of
> irresponsibility to continue as you propose. If I were one of your
> clients and I found out about it, I'd be seriously considering legal
> action against you for gross negligence.
> 
>  -[]z.
> 
> [1] Steven, I don't intend any insinuations about your character, as I'm
> sure you realise.

Curses! My cunning plan has been discovered!

1. Spend about 10 years helping people learn Python for free.

2. Lull them into a false sense of security.

3. Get somebody in Greece to give me access to his web server.

5. Profit!


*wink*


No offence taken.



-- 
Steven
