Posted to modperl@perl.apache.org by Michael <mi...@bizsystems.com> on 2000/09/15 21:56:27 UTC

I'm missing something in Apache::Cookie

Hmmmm.....

When I retrieve a cookie

%cookies = Apache::Cookie->fetch;

I get a hash that contains the name of the cookie as the key and a 
scalar reference as the value. 
Apache::Cookie=SCALAR(0xblah...)
Can't seem to unravel it to get at the 
value. Using

%xx = Apache::Cookie->parse($val);
gives an apparently empty hash, yet retrieving the headers via 
Apache::Table yields the correct results

Cookie=foo=bar

cook name val
       foo  bar


So what am I doing wrong with Apache::Cookie that keeps me from 
returning the cookie value.

Michael

Re: Security of PerlHandler directives

Posted by Matt Sergeant <ma...@sergeant.org>.
On Tue, 19 Sep 2000, Richard Goerwitz wrote:

> I can certainly understand why someone would want to keep Registry
> or Embperl-enabled scripts in directories reserved for trusted
> systems people.
> 
> But it shouldn't be a tremendously big deal to allow people to use
> pre-written modules using directives like 'PerlHandler', right?
> 
> Trouble is that people can install malicious handlers:
> 
>   PerlAuthenHandler "sub { system('Do something bad'); return OK; }"
> 
> Is there a way to block this sort of thing without totally
> eliminating the ability to do useful things like:
> 
>   PerlAuthenHandler Apache::Some::Local::Auth::Module

This is one of the things that mod_perl 2 has planned.

-- 
<Matt/>

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org


Security of PerlHandler directives

Posted by Richard Goerwitz <ri...@goon.stg.brown.edu>.
I can certainly understand why someone would want to keep Registry
or Embperl-enabled scripts in directories reserved for trusted
systems people.

But it shouldn't be a tremendously big deal to allow people to use
pre-written modules using directives like 'PerlHandler', right?

Trouble is that people can install malicious handlers:

  PerlAuthenHandler "sub { system('Do something bad'); return OK; }"

Is there a way to block this sort of thing without totally
eliminating the ability to do useful things like:

  PerlAuthenHandler Apache::Some::Local::Auth::Module

(I don't want to have to create <Directory> blocks for everyone who
wants to use a local auth module.)

Or is there at least a way to log what's going on in such a way
that if something bad does happen, it's easy enough to figure out
who the culprit was?

-- 

Richard Goerwitz
PGP key fingerprint:    C1 3E F4 23 7C 33 51 8D  3B 88 53 57 56 0D 38 A0
For more info (mail, phone, fax no.):  finger richard@goon.stg.brown.edu
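
The logging question above (working out who installed an inline handler) can be approached by auditing the configuration files themselves. The following is an added example, not code from this thread or from mod_perl: it flags any Perl*Handler line whose argument is not a plain package name. The allow-pattern, the sample paths and the name audit_config are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Policy (an assumption of this example): a handler argument is acceptable only
# if it is a bare package name, optionally with ->method, e.g. My::Auth->check.
my $MODULE_RE = qr/^[A-Za-z_]\w*(?:::\w+)*(?:->\w+)?$/;

# Return one finding per Perl*Handler line whose argument is not a plain module.
sub audit_config {
    my ($label, $text, $owner) = @_;
    my (@findings, $n);
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*#/;                               # skip comments
        next unless $line =~ /^\s*(Perl\w*Handler)\s+(.*?)\s*$/i;
        my ($directive, $args) = ($1, $2);
        my @tokens = split ' ', $args;
        next if @tokens && !grep { $_ !~ $MODULE_RE } @tokens;  # all plain names
        push @findings, { file => $label, line => $n, owner => $owner,
                          directive => $directive, args => $args };
    }
    return @findings;
}

# Constructed sample .htaccess contents (not taken from any real system).
my %sample = (
    '/home/alice/public_html/.htaccess' =>
        "AuthType Basic\nPerlAuthenHandler Apache::Some::Local::Auth::Module\n",
    '/home/bob/public_html/.htaccess' =>
        qq{# local auth\nPerlAuthenHandler "sub { system('Do something bad'); return OK; }"\n},
);

my @findings;
if (@ARGV) {                       # real files: record the owning account too
    for my $path (@ARGV) {
        open my $fh, '<', $path or do { warn "skip $path: $!\n"; next };
        my $text  = do { local $/; <$fh> };
        my $uid   = (stat $fh)[4];
        my $owner = getpwuid($uid) // $uid;
        push @findings, audit_config($path, $text, $owner);
    }
} else {
    push @findings, audit_config($_, $sample{$_}, 'n/a') for sort keys %sample;
}
printf "%s:%d owner=%s %s %s\n", @{$_}{qw(file line owner directive args)} for @findings;
```

Given .htaccess paths as arguments, it reports the owning account of each flagged file; with no arguments it scans the constructed samples and flags only the quoted "sub { ... }" line.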

Re: I'm missing something in Apache::Cookie

Posted by darren chamberlain <da...@boston.com>.
Michael (michael@bizsystems.com) said something to this effect:
> Hmmmm.....
> 
> When I retrieve a cookie
> 
> %cookies = Apache::Cookie->fetch;
> 
> I get a hash that contains the name of the cookie as the key and a 
> scalar reference as the value. 
> Apache::Cookie=SCALAR(0xblah...)
> Can't seem to unravel it to get at the 
> value. Using
> 
> %xx = Apache::Cookie->parse($val);
> gives an apparently empty hash, yet retrieving the headers via 
> Apache::Table yields the correct results
> 
> Cookie=foo=bar
> 
> cook name val
>        foo  bar
> 
> 
> So what am I doing wrong with Apache::Cookie that keeps me from 
> returning the cookie value.

This should do it:

    my $ac      = Apache::Cookie->new($r);
    my $cookies = $ac->fetch;
    my %cookies = ();
    for (keys %{$cookies}) {
        $cookies{$_} = $cookies->{$_}->value;
    }

However, I always find it easier to fetch cookies like this:

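    # Split the raw Cookie header on ';' and keep only well-formed name=value pairs.
    # The ternary yields an empty list for non-matching parts so the hash stays balanced.
    my $cookies = { map  { /([^=]+)=(.*)/ ? ($1 => $2) : () }
                    grep !/^$/, split /;\s*/, $r->header_in('cookie') || '' };
    $r->pnotes('cookies', $cookies);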

No messing with objects or any of that stuff. Putting it into pnotes makes
the hashref accessible to other phases or subroutines easily (you only have
to pass $r). (That's why I use a hashref and not a hash, so I can just put
it directly into pnotes.)

(darren)

-- 
If you wish to drown, do not torture yourself with shallow water.

Re: I'm missing something in Apache::Cookie

Posted by Chris Winters <cw...@intes.net>.
* Michael (michael@bizsystems.com) [000915 17:29]:
> Hmmmm.....
> 
> When I retrieve a cookie
> 
> %cookies = Apache::Cookie->fetch;
> 
> I get a hash that contains the name of the cookie as the key and a 
> scalar reference as the value. 
> Apache::Cookie=SCALAR(0xblah...)
> Can't seem to unravel it to get at the 
> value. Using
> 
> %xx = Apache::Cookie->parse($val);
> gives an apparently empty hash, yet retrieving the headers via 
> Apache::Table yields the correct results
> 
> Cookie=foo=bar
> 
> cook name val
>        foo  bar
> 
> 
> So what am I doing wrong with Apache::Cookie that keeps me from 
> returning the cookie value.
> 
> Michael

The following seems to work for me in nabbing all the cookies sent and
putting them into a hashref $cookies:

   my $cookies = {};
   my $cookie_info = Apache::Cookie->fetch;
   foreach my $name ( keys %{ $cookie_info } ) {
     $cookies->{ $name } = $cookie_info->{ $name }->value;
   }

HTH

Chris

-- 
Chris Winters
Senior Internet Developer    intes.net
cwinters@intes.net           http://www.intes.net/
Integrated hardware/software solutions to make the Internet work for you.