Posted to modperl@perl.apache.org by Christopher Lee <ch...@balliol.oxford.ac.uk> on 2000/06/05 19:24:30 UTC

Re: Apache::Dispatch

> [new module] Apache::Dispatch
> 	5129 by: Geoffrey Young <gy...@laserlink.net>
> 	5131 by: Stas Bekman <sb...@stason.org>
> 	5132 by: Matt Sergeant <ma...@sergeant.org>
> 	5133 by: Geoffrey Young <gy...@laserlink.net>
> 	5134 by: Geoffrey Young <gy...@laserlink.net>

There's a real live working example if anybody wants it, called "Wing", 
available from your local friendly CPAN.

The module is used as an IMAP interface but the main module handles everything
except logins, the url is used to pass commands around, the one I'm looking at
at the moment is

http://server1.herald.ox.ac.uk/wing/cmd/ball0000/x/compose

The "wing/cmd" tells the module that this is a call for the function called 
(in this case) "cmd_compose" with the parameters "ball0000" (a username) 
(x is a dummy used for other functions I think).

Internally the module takes 'compose' and prefixes it with 'cmd_', evals the
string as a soft reference to a function and returns an error code if the function
doesn't exist, or runs the function if it does.

It only lets a strict subset of functions run (it always appends a "cmd_" to 
the name) so internal functions are safe.

It was created by Malcolm Beattie (i.e. not me).

--
Christopher Lee.
(I'm only on the Digest list btw).


>hi all...
>
>I'm not sure if some of you remember the idea Vivek and Matt had about creating
>a handler that mapped, say, http://localhost/Foo/doit to Foo->doit()
>
>anyway, the relevant part of the thread, including some code, can be seen
>here:
>http://marc.theaimsgroup.com/?l=apache-modperl&m=95598609306936&w=2
>
>I was thinking of officially implementing the idea and wanted to get some
>design feedback first...
>
>My thoughts so far:
>
>        * limit the response to content handling phase only (I'm not really
>sure of what utility other phases would be anyway)
>
>        * limit the top-level qualifier for the module that can be executed,
>but give this control to the user.
>          perhaps using PerlAddVar to allow only Apache::, Foo::, etc
>modules only is safe enough?
>
>        * if possible, I'd like to see it make some intelligent decisions
>about whether it should take over the request.
>          that is, perhaps move away from a <Location> restriction and try
>to call Foo->doit() if the normal resolution of /Foo/doit results in a 404.
>I'm not sure how this would interact with mod_dir, but I guess it would also
>depend on how folks want to use it...
>
>       * do we want to default to handler()?  if so, what to try first:
>Foo::doit->handler() or Foo->doit()
>
>anyway, that's all for now...  feedback/thoughts welcome...

--Geoff

------------------------------
 

Re: Apache::Dispatch

Posted by Ken Williams <ke...@forum.swarthmore.edu>.
christopher.lee@balliol.oxford.ac.uk (Christopher Lee) wrote:
>There's a real live working example if anybody wants it, called "Wing", 
>available from your local friendly CPAN.
>
>The module is used as an IMAP interface but the main module handles everything
>except logins, the url is used to pass commands around, the one I'm looking at
>at the moment is
>
>http://server1.herald.ox.ac.uk/wing/cmd/ball0000/x/compose
>
>The "wing/cmd" tells the module that this is a call for the function called 
>(in this case) "cmd_compose" with the parameters "ball0000" (a username) 
>(x is a dummy used for other functions I think).
>
>Internally the module takes 'compose' and prefixes it with 'cmd_',
>evals the string as a soft reference to a function and returns an error
>code if the function doesn't exist, or runs the function if it does.
>
>It only lets a strict subset of functions run (it always appends a "cmd_" to 
>the name) so internal functions are safe.


That step is *crucial* to the security of the system.  Without it,
browsers could call any method in the module, including ones that aren't
meant to be called.  D, W.R.!  

By specifying the cmd_ prefix you're essentially adding a "public"
declaration to these subroutines, albeit a fairly ugly one.

In general, when accepting arbitrary user input you want to make sure
there are only a very few access points to the code, then make sure you
have very tight validation of the data in those access points.  Taint
mode comes to mind as one tool in the belt.


  -------------------                            -------------------
  Ken Williams                             Last Bastion of Euclidity
  ken@forum.swarthmore.edu                            The Math Forum
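
The prefix-as-"public" dispatch and the tight validation discussed in this thread, as an added example that is not code from Wing or from any poster. The package My::Mail, its subs and the sample paths are hypothetical, and the sub is resolved with `can` rather than the string eval / soft reference the first post describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package My::Mail;    # hypothetical module, not Wing's code

sub cmd_compose { my ($class, $user) = @_; return "compose for $user" }
sub cmd_list    { my ($class, $user) = @_; return "list for $user" }
sub purge_all   { return "internal: must never be reachable from a URL" }

# Map /wing/cmd/<user>/<dummy>/<command> to My::Mail->cmd_<command>($user).
# Returns a (status, body) pair.
sub dispatch {
    my ($class, $path) = @_;
    my ($user, $cmd) = $path =~ m{\A/wing/cmd/([a-z0-9]+)/[^/]+/([^/]+)\z}
        or return (400, "bad request");

    # Tight validation at the single access point: lowercase word characters
    # only, so "::", "'" and similar cannot name a sub in another package.
    # The capture also untaints the name when running under -T.
    my ($name) = $cmd =~ /\A([a-z][a-z0-9_]{0,31})\z/
        or return (400, "bad command name");

    # The prefix is the "public" marker: only cmd_* subs can be resolved.
    my $code = $class->can("cmd_$name")
        or return (404, "no such command");

    return (200, $class->$code($user));
}

package main;

# Constructed sample requests.
for my $path (
    "/wing/cmd/ball0000/x/compose",        # public command
    "/wing/cmd/ball0000/x/purge_all",      # internal sub, lacks cmd_ prefix
    "/wing/cmd/ball0000/x/compose::x",     # rejected by name validation
    "/wing/cmd/ball0000/x/nosuch",         # unknown command
) {
    my ($status, $body) = My::Mail->dispatch($path);
    printf "%-36s => %d %s\n", $path, $status, $body;
}
```

Only the first request reaches a sub; the other three return 404, 400 and 404 respectively without calling anything in the package.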