Posted to mod_dtcl-cvs@tcl.apache.org by da...@apache.org on 2002/06/26 15:01:59 UTC
cvs commit: tcl-moddtcl/docs commands.html examples.ttml
davidw 2002/06/26 06:01:59
Modified: . VERSION mod_dtcl.h tcl_commands.c
debian changelog
docs commands.html examples.ttml
Log:
* New array for client header information - CLIENT_ENVS. ENVS
variables could be overwritten by client headers, presenting a
possible security risk.
Revision Changes Path
1.9 +1 -1 tcl-moddtcl/VERSION
Index: VERSION
===================================================================
RCS file: /home/cvs/tcl-moddtcl/VERSION,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- VERSION 3 May 2002 14:05:11 -0000 1.8
+++ VERSION 26 Jun 2002 13:01:58 -0000 1.9
@@ -1 +1 @@
-0.11.8
+0.12.0
1.15 +9 -2 tcl-moddtcl/mod_dtcl.h
Index: mod_dtcl.h
===================================================================
RCS file: /home/cvs/tcl-moddtcl/mod_dtcl.h,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- mod_dtcl.h 15 Oct 2001 10:44:09 -0000 1.14
+++ mod_dtcl.h 26 Jun 2002 13:01:58 -0000 1.15
@@ -18,10 +18,17 @@
handler, instead of in child init handlers. */
#ifdef __MINGW32__
#define THREADED_TCL 1
-#else
+#else
#define THREADED_TCL 0 /* Unless you have MINGW32, modify this one! */
#endif
+/* If you want all 'environmental' variables to be accessed through
+ the ENVS array, set this to 1. Note that this could be a security
+ risk for scripts which depend on these values, as they could be
+ overwritten via client headers. */
+
+#define HEADERS_IN_ENVS 0
+
/* If you want to show the mod_dtcl version, you can define this to 0.
Otherwise, set this to 1 to hide the version from potential
troublemakers. */
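Review bot: The new comment above `#define HEADERS_IN_ENVS 0` only describes the value 1 and never says what the default does, so a reader cannot tell from the header where client headers go when it is 0. I would reword it to name both outcomes, for example `/* 0 (default): client headers are stored in ::request::CLIENT_ENVS, separate from ENVS. 1: legacy behaviour, headers are merged into ENVS and can overwrite server-set values. */`. Since the legacy setting is the insecure one, it is worth stating that explicitly rather than as "could be a security risk for scripts which depend on these values".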
@@ -30,7 +37,7 @@
/* Allow <+ +> tags for backwards compatibility. Use the
mod_dtcl/contrib/newtags.sh script to update your .ttml files to
use <? ?> tags. */
-#define USE_OLD_TAGS 0
+#define USE_OLD_TAGS 0
/* Turn off 'old-style' $VARS variable handling, and use only the
'var' command. */
1.24 +12 -0 tcl-moddtcl/tcl_commands.c
Index: tcl_commands.c
===================================================================
RCS file: /home/cvs/tcl-moddtcl/tcl_commands.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- tcl_commands.c 3 May 2002 14:05:11 -0000 1.23
+++ tcl_commands.c 26 Jun 2002 13:01:58 -0000 1.24
@@ -370,9 +370,16 @@
array_header *env_arr;
table_entry *env;
Tcl_Obj *EnvsObj = NULL;
+#if HEADERS_IN_ENVS == 0
+ Tcl_Obj *ClientEnvsObj = NULL;
+#endif
EnvsObj = Tcl_NewStringObj("::request::ENVS", -1);
Tcl_IncrRefCount(EnvsObj);
+#if HEADERS_IN_ENVS == 0
+ ClientEnvsObj = Tcl_NewStringObj("::request::CLIENT_ENVS", -1);
+ Tcl_IncrRefCount(ClientEnvsObj);
+#endif
date = globals->r->request_time;
/* ensure that the system area which holds the cgi variables is empty */
ap_clear_table(globals->r->subprocess_env);
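Review bot: `ClientEnvsObj` is given a reference with `Tcl_IncrRefCount(ClientEnvsObj);` but no matching release is added anywhere in this file's changes (the file header reports +12 -0, and all twelve added lines are in these two hunks). If `EnvsObj` is released at the end of the function, which lies outside the hunk, the new object needs the same treatment under the same guard, `Tcl_DecrRefCount(ClientEnvsObj);` inside `#if HEADERS_IN_ENVS == 0`; otherwise every call leaves one Tcl_Obj behind. The function starts and ends outside the hunk, so the existing cleanup should be checked there.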
@@ -455,8 +462,13 @@
if (!hdrs[i].key)
continue;
else {
+#if HEADERS_IN_ENVS == 0
+ Tcl_ObjSetVar2(interp, ClientEnvsObj, STRING_TO_UTF_TO_OBJ(hdrs[i].key, POOL),
+ STRING_TO_UTF_TO_OBJ(hdrs[i].val, POOL), 0);
+#else
Tcl_ObjSetVar2(interp, EnvsObj, STRING_TO_UTF_TO_OBJ(hdrs[i].key, POOL),
STRING_TO_UTF_TO_OBJ(hdrs[i].val, POOL), 0);
+#endif
}
}
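Review bot: The `#else` branch keeps the behaviour the log message describes as a risk: with HEADERS_IN_ENVS set to 1, client header names are still written into `::request::ENVS` verbatim and, going by the commit message, can replace a server-set entry. A comment at this branch would make that visible to whoever flips the switch, for example `/* legacy: header names and values are client-supplied and may shadow server-set ENVS keys */`. A stricter option for the legacy path would be to skip any key that already exists in ENVS, so an opt-in merge cannot overwrite server values. The enclosing loop begins and ends outside the hunk.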
1.21 +8 -0 tcl-moddtcl/debian/changelog
Index: changelog
===================================================================
RCS file: /home/cvs/tcl-moddtcl/debian/changelog,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- changelog 3 May 2002 14:05:11 -0000 1.20
+++ changelog 26 Jun 2002 13:01:59 -0000 1.21
@@ -1,3 +1,11 @@
+libapache-mod-dtcl (0.12.0-1) unstable; urgency=low
+
+ * New array for client header information - CLIENT_ENVS. ENVS variables
+ could be overwritten by client headers, presenting a possible security
+ risk.
+
+ -- David N. Welton <da...@debian.org> Wed, 26 Jun 2002 15:03:04 +0200
+
libapache-mod-dtcl (0.11.8-1) unstable; urgency=low
* Make sure to check the correct variable names with 'list' and
1.4 +6 -5 tcl-moddtcl/docs/commands.html
Index: commands.html
===================================================================
RCS file: /home/cvs/tcl-moddtcl/docs/commands.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- commands.html 30 Sep 2001 18:48:33 -0000 1.3
+++ commands.html 26 Jun 2002 13:01:59 -0000 1.4
@@ -91,11 +91,12 @@
<li>
<code><b>hgetvars</b></code><br> Get environmental, and Cookie
- variables. This is in a seperate command so as not to make the
- server do this every time you load a .ttml file. <code>ENVS</code> and
+ variables. This is in a separate command so as not to make the
+ server do this every time you load a .ttml file. <code>ENVS</code>, <code>CLIENT_ENVS</code> and
<code>COOKIES</code> are the associative arrays created. <code>ENVS</code> contains
- environmental variables, and <code>COOKIES</code> contains any cookies
- recieved from the client.
+ environmental variables. <code>CLIENT_ENVS</code> contains the headers received from the client.
+ <code>COOKIES</code> contains any cookies
+ received from the client.
</li>
<li>
<code><b>include <i>filename</i></b></code><br>
1.5 +18 -1 tcl-moddtcl/docs/examples.ttml
Index: examples.ttml
===================================================================
RCS file: /home/cvs/tcl-moddtcl/docs/examples.ttml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- examples.ttml 1 Mar 2001 18:31:59 -0000 1.4
+++ examples.ttml 26 Jun 2002 13:01:59 -0000 1.5
@@ -132,6 +132,15 @@
hputs "</ul>"
}
+if { [ array exists CLIENT_ENVS ] } {
+
+ hputs "<ul>"
+ foreach { vr } [ array names CLIENT_ENVS ] {
+ hputs "<li>(CLIENT_ENVS) $vr = $CLIENT_ENVS($vr)"
+ }
+ hputs "</ul>"
+}
+
if { [ array exists COOKIES ] } {
hputs "<ul>"
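Review bot: The added example writes client-controlled header names and values straight into the page with `hputs "<li>(CLIENT_ENVS) $vr = $CLIENT_ENVS($vr)"`, so any markup a client puts in a request header is rendered as HTML. Because this file is the example that users copy from, it should show the values being HTML-escaped before output, for instance by passing the text through `string map {& &amp; < &lt; > &gt;}` first. The same line is added again in the second hunk of this file (the block after the ENVS listing) and needs the same change.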
@@ -161,6 +170,14 @@
hputs "<ul>"
foreach { vr } [ array names ENVS ] {
hputs "<li>(ENVS) $vr = $ENVS($vr)"
+ }
+ hputs "</ul>"
+}
+
+if { [ array exists CLIENT_ENVS ] } {
+ hputs "<ul>"
+ foreach { vr } [ array names CLIENT_ENVS ] {
+ hputs "<li>(CLIENT_ENVS) $vr = $CLIENT_ENVS($vr)"
}
hputs "</ul>"
}