Posted to dev@perl.apache.org by Vivek Khera <kh...@kcilink.com> on 2005/09/30 22:33:39 UTC

minor issue with Apache2::AuthCookie

Hi,

I just converted my site from modperl1 to modperl2 and in the process  
(actually after deployment) discovered that AuthCookie is handling  
the retrieval of the credentials just slightly differently.

It turns out in modperl1, that if a credential had a space in it,  
when it was passed to the authen_cred() method, it had a space in  
it.  However, for modperl2, Apache2::AuthCookie has converted the  
space to a + (which is a shorthand encoding).

However, a legitimate "+" in the credential is also being sent along  
as a + to the authen_cred() method, so you can't distinguish the two  
cases.

The AuthCookie implementations for getting the credentials out of a  
POST are very different between modperl1 (uses $r->content) and  
modperl2 (which uses what looks like an old version of the "compat"  
routine to fetch POST data).  I'm sure the difference lies somewhere  
in there.

It looks like it is calling Apache2::URI::unescape_url() as it should  
but it just isn't unescaping the +.

The credentials are as submitted by Firefox 1.5 if that matters.

Any clues on how to fix this?  I have some customers who will  
probably have problems logging in :-(



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: minor issue with Apache2::AuthCookie

Posted by Vivek Khera <kh...@kcilink.com>.
Thanks!!!!! I just did a fresh perl install on my prod server and got  
whatever was the default.  I'll pull the dev version now.

On Sep 30, 2005, at 4:39 PM, Michael Schout wrote:

> You can get it from CPAN.  Get version 3.09_01 and you will not have
> this problem anymore :).
>




Re: minor issue with Apache2::AuthCookie

Posted by Vivek Khera <kh...@kcilink.com>.
On Sep 30, 2005, at 4:56 PM, Philip M. Gollucci wrote:

> Vivek Khera wrote:
>
>> Well..... *almost* fixed.  It fixes the credentials with spaces  
>> in  them, but it also strips the + out of credentials that have  
>> them for  real.  ie, it converts the credential 'joe+bob' to 'joe  
>> bob'.
>>
> As +(plus) is special, you can't just have it. You have to encode  
> it. I forget offhand what it encodes to.
>

Yes, but somewhere it is not getting properly decoded, or is being  
doubly decoded.  Ie, on the CGI form, a user enters 'joe+bob' but by  
the time it gets thru AuthCookie, it is 'joe bob' as passed to the  
method that uses the form values.  In modperl1, it worked :-(


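The two symptoms reported in this thread (a typed space arriving as "+", then a typed "+" arriving as a space) are consistent with two ways of mis-decoding an application/x-www-form-urlencoded body. The Perl sketch below is an added illustration, not Apache2::AuthCookie's code; the sample bodies are constructed, and the field name `credential_0` and all function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-decode only: "%2B" becomes "+", but a bare "+" is left untouched.
sub pct_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Form decoding: "+" means space and must be translated BEFORE
# percent-decoding, so that "%2B" survives as a literal "+".
sub form_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    return pct_decode($s);
}

# Wrong order (same effect as a second decoding pass): percent-decode first,
# then "+" -> space, which also destroys the "+" that came from "%2B".
sub wrong_order_decode {
    my ($s) = @_;
    $s = pct_decode($s);
    $s =~ tr/+/ /;
    return $s;
}

# Split a POST body into name => value pairs, decoding each part exactly once.
sub parse_form {
    my ($body, $decoder) = @_;
    my %fields;
    for my $pair (split /&/, $body) {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $fields{ $decoder->($k) } = $decoder->(defined $v ? $v : '');
    }
    return \%fields;
}

# Constructed samples: the body a browser sends for each typed credential.
my %sent = ('joe bob' => 'credential_0=joe+bob', 'joe+bob' => 'credential_0=joe%2Bbob');
my @decoders = ([pct_only => \&pct_decode], [form => \&form_decode],
                [wrong_order => \&wrong_order_decode]);

for my $typed (sort keys %sent) {
    for my $d (@decoders) {
        my $got = parse_form($sent{$typed}, $d->[1])->{credential_0};
        printf "typed=%-9s decoder=%-11s got=%-9s %s\n",
            "'$typed'", $d->[0], "'$got'", $got eq $typed ? 'ok' : 'MISMATCH';
    }
}
```

Only `form_decode` round-trips both credentials; with `pct_only` the two typed values become indistinguishable, which is the ambiguity described in the first message.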


Re: minor issue with Apache2::AuthCookie

Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
Vivek Khera wrote:
> Well..... *almost* fixed.  It fixes the credentials with spaces in  
> them, but it also strips the + out of credentials that have them for  
> real.  ie, it converts the credential 'joe+bob' to 'joe bob'.
As +(plus) is special, you can't just have it. You have to encode it. I forget offhand what it encodes to.
-- 
END
------------------------------------------------------------
     What doesn't kill us can only make us stronger.
                 Nothing is impossible.
				
Philip M. Gollucci (pgollucci@p6m7g8.com) 301.254.5198
Consultant / http://p6m7g8.net/Resume/
Senior Developer / Liquidity Services, Inc.
   http://www.liquidityservicesinc.com
        http://www.liquidation.com
        http://www.uksurplus.com
        http://www.govliquidation.com
        http://www.gowholesale.com




Re: minor issue with Apache2::AuthCookie

Posted by Michael Schout <ms...@gkg.net>.
Vivek Khera wrote:

> Well..... *almost* fixed.  It fixes the credentials with spaces in 
> them, but it also strips the + out of credentials that have them for 
> real.  ie, it converts the credential 'joe+bob' to 'joe bob'.

I'll have to look into this case.

It will be fixed in 3.09_02 hopefully :).

Regards,
Michael Schout



Re: minor issue with Apache2::AuthCookie

Posted by Vivek Khera <kh...@kcilink.com>.
On Sep 30, 2005, at 4:39 PM, Michael Schout wrote:

> You can get it from CPAN.  Get version 3.09_01 and you will not have
> this problem anymore :).


Well..... *almost* fixed.  It fixes the credentials with spaces in  
them, but it also strips the + out of credentials that have them for  
real.  ie, it converts the credential 'joe+bob' to 'joe bob'.




Re: minor issue with Apache2::AuthCookie

Posted by Michael Schout <ms...@gkg.net>.
Vivek Khera wrote:

> The credentials are as submitted by Firefox 1.5 if that matters.
> 
> Any clues on how to fix this?  I have some customers who will  probably
> have problems logging in :-(

This issue was fixed in the 3.09 pre-release.

You can get it from CPAN.  Get version 3.09_01 and you will not have
this problem anymore :).

Regards,
Michael Schout

