{"id":428,"date":"2008-09-08T23:21:18","date_gmt":"2008-09-08T21:21:18","guid":{"rendered":"http:\/\/daniel.haxx.se\/blog\/?p=428"},"modified":"2008-09-09T10:19:15","modified_gmt":"2008-09-09T08:19:15","slug":"a-bad-move-a-really-bad-move","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2008\/09\/08\/a-bad-move-a-really-bad-move\/","title":{"rendered":"A bad move. A really bad move."},"content":{"rendered":"<p>So I wrote this little perl script to perform a lot of repeated binary Rockbox builds. It builds something like 35 builds and zips them up and gives them proper names in a dedicated output directory. Perfect to do things such as release builds.<\/p>\n<p>Then I wrote a similar one to build manuals and offer them too. I then made the results available on the <a href=\"http:\/\/daniel.haxx.se\/rockbox-3.0RC\/\">Rockbox 3.0RC<\/a> (release candidate) page of mine.<\/p>\n<p>Cool, me thinks, and since I&#8217;ll be away now for a week starting Wednesday I think I should make the scripts available in case someone else wants to play with them and possibly make a release while I&#8217;m gone.<\/p>\n<p>I did<\/p>\n<blockquote><p>mv buildall.pl webdirectory\/buildall.pl.txt<\/p><\/blockquote>\n<p>&#8230; thinking that I don&#8217;t want it to try to execute as a perl script on the server so I rename it to a .txt extension. But did this work? <strong>No<\/strong>. Did it cause total havoc? <strong>Yes<\/strong>.<\/p>\n<p>First, Apache apparently still thinks these files are perl scripts (== cgi scripts) on my server, even if they got <a href=\"http:\/\/httpd.apache.org\/docs\/2.0\/mod\/mod_mime.html#multipleext\">an additional extension<\/a>. I really really didn&#8217;t expect this.<\/p>\n<p>Then, my scripts are doing a command chain similar to &#8220;mkdir dir; cd dir; rm -rf *&#8221;. It works great when invoked in the correct directory. 
It works less fine when the web server invokes this because someone clicked on the file I just made available to the world.<\/p>\n<p>Recursive deletion of all files the web server user was allowed to erase.<\/p>\n<p>Did I immediately suspect foul play and evil doings by outsiders? <strong>Yes<\/strong>. Did it take quite a while to repair the damage from backups? <strong>Yes<\/strong>. Did it feel painful to realize that I myself was to blame for this entire incident and not at all any outside or evil perpetrator? <strong>Yes yes yes<\/strong>.<\/p>\n<p>But honestly, in the end I felt good that it wasn&#8217;t a security hole somewhere that caused it since I hate spending all that time to track it down and fix it. And thanks to a very fine backup system, I had most of the site and things back up and running after roughly one hour of off-line time.<\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/www.rockbox.org\/\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-41\" title=\"Rockbox\" src=\"http:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2007\/09\/rockbox400.png\" alt=\"Rockbox\" width=\"400\" height=\"123\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I wrote this little perl script to perform a lot of repeated binary Rockbox builds. It builds something like 35 builds and zips them up and gives them proper names in a dedicated output directory. Perfect to do things such as release builds. Then I wrote a similar one to build manuals and offer &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2008\/09\/08\/a-bad-move-a-really-bad-move\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">A bad move. 
A really bad move.<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,133,45],"tags":[236,94,416,426],"class_list":["post-428","post","type-post","status-publish","format-standard","hentry","category-rockbox","category-security","category-web","tag-apache","tag-release-time","tag-rockbox","tag-web"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=428"}],"version-history":[{"count":0,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/428\/revisions"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
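The post's "mkdir dir; cd dir; rm -rf *" chain is dangerous precisely because a failed mkdir or cd does not stop the rm that follows. The shell script below is an added example, not the post's Perl script: it reproduces that failure inside a throwaway directory created with mktemp, with made-up file names, so the effect can be observed without touching anything real. The entry named "out" is deliberately a regular file so that both mkdir and cd fail, which stands in for the web server running the script from a directory where it cannot create the build directory.

```shell
#!/bin/sh
# Added example (not the post's code): the ";"-joined chain from the post
# beside an "&&"-joined version, run inside a sandbox so nothing outside it
# is at risk. All directory and file names here are made up.

make_sandbox() {
    # A fake "current directory" holding files that must survive, plus an
    # entry named "out" that is a regular file, so "mkdir out" fails with
    # "File exists" and "cd out" fails with "Not a directory".
    box=$(mktemp -d)
    mkdir "$box/cwd"
    printf 'keep me\n' > "$box/cwd/index.html"
    printf 'keep me\n' > "$box/cwd/buildall.pl.txt"
    : > "$box/cwd/out"
    printf '%s\n' "$box"
}

count_entries() {
    # Number of entries left in a directory, printed as a bare integer.
    # An unmatched glob stays literal and fails the -e test, giving 0.
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

unsafe_clean() {
    # The chain as written in the post. Each ";" runs the next command no
    # matter what happened before it, so after mkdir and cd both fail,
    # "rm -rf ./*" runs in the directory the script was started from.
    # "set +e" makes the subshell behave like a plain script even when the
    # caller has errexit on; the result is reported by count_entries.
    ( set +e; cd "$1/cwd" && { mkdir out; cd out; rm -rf ./*; } ) 2>/dev/null || true
    count_entries "$1/cwd"
}

safe_clean() {
    # The same steps joined with "&&": a failed mkdir or cd ends the chain
    # before rm ever runs. The "./" prefix also keeps a file whose name
    # starts with "-" from being parsed by rm as an option.
    ( cd "$1/cwd" && mkdir out && cd out && rm -rf ./* ) 2>/dev/null || true
    count_entries "$1/cwd"
}
```

Running `unsafe_clean` on a fresh sandbox leaves the "current directory" empty; `safe_clean` on another fresh sandbox leaves all three entries in place. The Perl equivalent of the "&&" form is checking every step (`mkdir $dir or die`, `chdir $dir or die`) rather than issuing the commands blindly. The rename itself was the other half of the problem: Apache's mod_mime treats every dot-separated suffix as an extension, so `buildall.pl.txt` still matches a handler registered for `.pl`; keeping such a file from executing is a matter of server configuration for that directory (for example `Options -ExecCGI`, or a `SetHandler default-handler` block for the files in question), not of the file name.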