Posted to modperl@perl.apache.org by Geoffrey Young <gy...@laserlink.net> on 2000/07/28 21:41:03 UTC
[ANNOUNCE] Apache::Dispatch
The URL
http://morpheus.laserlink.net/~gyoung/modules/Apache-Dispatch-0.01.tar.gz
has entered CPAN as
file: $CPAN/authors/id/G/GE/GEOFF/Apache-Dispatch-0.01.tar.gz
size: 5170 bytes
md5: acee515fc8d19223f017c8380cae5b26
well, after the conference, I felt motivated to do some stuff. Then I got
on the red-eye and spent the early part of this week recovering :)
anyway, Apache::Dispatch is a module we've talked about before and that I've
been meaning to get to for a while, but just found the tuits this week.
Hopefully, it addresses some of the safety concerns expressed a few months
ago about such a concept. consider it REAL alphaware for the moment - it
works (at least for me), but until everyone pokes around it some and looks
for holes it may not be entirely safe.
that said, if people are listening beyond the template traffic, here is the
README...
--Geoff
NAME
Apache::Dispatch - call PerlHandlers with the ease of CGI
SYNOPSIS
httpd.conf:

    PerlModule Apache::Dispatch
    PerlFixupHandler Apache::Dispatch

    DispatchMode Safe
    DispatchMethod Handler
    DispatchAllow Custom
    DispatchDeny Apache Protected
DESCRIPTION
Apache::Dispatch translates $r->uri into a class and method and runs
it as a PerlHandler. Basically, this allows you to call PerlHandlers
as you would CGI scripts - from the browser - without having to load
your httpd.conf with a slurry of <Location> tags.
EXAMPLE
in httpd.conf:

    PerlModule Apache::Dispatch
    PerlFixupHandler Apache::Dispatch

    DispatchMode Safe
    DispatchMethod Handler
    DispatchAllow Test

in browser:

    http://localhost/Foo

the results are the same as if your httpd.conf looked like:

    <Location /Foo>
        SetHandler perl-script
        PerlHandler Foo
    </Location>
CONFIGURATION
All configuration directives apply on a per-server basis.
Virtual Hosts inherit any directives from the main server or can
declare their own.

    DispatchMode    - Safe:       allow only those methods whose
                                  namespace is explicitly allowed by
                                  DispatchAllow and explicitly not
                                  denied by DispatchDeny

                      Brave:      allow only those methods whose
                                  namespace is explicitly not denied by
                                  DispatchDeny

                      Foolish:    allow any method

    DispatchMethod  - Handler:    assume the method name is handler(),
                                  meaning that /Foo/Bar becomes
                                  Foo::Bar->handler()

                      Subroutine: assume the method name is the last
                                  part of the uri - /Foo/Bar becomes
                                  Foo->Bar()

                      Determine:  the method may either be handler() or
                                  the last part of the uri. the last
                                  part is checked first, so this has
                                  the additional benefit of allowing
                                  both /Foo/Bar/handler and /Foo/Bar to
                                  call Foo::Bar::handler().
                                  of course, if Foo->Bar() exists, that
                                  will be called since it would be found
                                  first.

    DispatchAllow   - a list of namespaces allowed execution according
                      to the above rules

    DispatchDeny    - a list of namespaces denied execution according
                      to the above rules
NOTES
Apache::Dispatch tries to be a bit intelligent about things. If by
the time the uri reaches the fixup phase it can be mapped to a real
file, directory, or <Location> tag, Apache::Dispatch declines the
request.
DispatchDeny always includes the following namespaces:
    AUTOLOAD
    CORE
    SUPER
    UNIVERSAL
Like everything in perl, the package names are case sensitive relative
to $r->uri.
Verbose debugging is enabled by setting $Apache::Dispatch::DEBUG=1.
Very verbose debugging is enabled at 2. To turn off all debug
information set your apache LogLevel directive above info level.
This is alpha software, and as such has not been tested on multiple
platforms or environments. It requires PERL_INIT=1, PERL_LOG_API=1,
and maybe other hooks to function properly.
FEATURES/BUGS
DispatchDeny and DispatchAllow work, but not quite the way I want.
For instance, DispatchDeny Custom will deny to Customer:: methods,
while DispatchAllow Custom will allow Custom::Filter->handler() and
Custom->filter(), but deny Customer:: methods. I think DispatchAllow
has the proper behavior, but DispatchDeny may need to be changed.
Input is welcome.
SEE ALSO
perl(1), mod_perl(1), Apache(3), Apache::ModuleConfig(3)
AUTHOR
Geoffrey Young <ge...@cpan.org>
COPYRIGHT
Copyright 2000 Geoffrey Young - all rights reserved.
This library is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.
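
[Added example, not part of the original post and not code from Apache::Dispatch.] A sketch of the Safe-mode decision for DispatchMethod Handler, showing why the DispatchDeny behaviour described under FEATURES/BUGS matters: a raw prefix match on "Custom" also catches Customer::, while a package-boundary match does not. All function names, the segment validation and the sample URIs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not code from Apache::Dispatch.
use strict;
use warnings;

# Namespaces the README says DispatchDeny always includes.
my @ALWAYS_DENY = qw(AUTOLOAD CORE SUPER UNIVERSAL);

# DispatchMethod Handler: /Foo/Bar becomes Foo::Bar (method is handler()).
sub uri_to_class {
    my ($uri) = @_;
    my @parts = grep { length } split m{/}, $uri;
    # Assumption: every segment must be a plain ASCII Perl identifier.
    return undef if !@parts || grep { !/\A[A-Za-z_][A-Za-z0-9_]*\z/ } @parts;
    return join '::', @parts;
}

# Raw prefix match: the behaviour FEATURES/BUGS reports for DispatchDeny.
sub match_prefix {
    my ($class, $ns) = @_;
    return index($class, $ns) == 0;
}

# Package-boundary match: $ns itself or anything below "$ns\::".
sub match_boundary {
    my ($class, $ns) = @_;
    return $class eq $ns || index($class, "${ns}::") == 0;
}

# DispatchMode Safe: explicitly allowed and explicitly not denied.
# $deny_match selects how deny entries are compared; allow entries use
# the boundary match, which is the behaviour the README reports.
sub safe_mode_ok {
    my ($class, $allow, $deny, $deny_match) = @_;
    return 0 unless defined $class;
    return 0 if grep { $deny_match->($class, $_) } @ALWAYS_DENY, @$deny;
    my $hits = grep { match_boundary($class, $_) } @$allow;
    return $hits ? 1 : 0;
}

# Constructed sample: Customer is meant to be reachable, Custom is not.
my @allow = qw(Customer);
my @deny  = qw(Custom);
for my $uri (qw(/Customer/Orders /Custom/Filter /File/Find)) {
    my $class = uri_to_class($uri);
    printf "%-18s deny-by-prefix=%d deny-by-boundary=%d\n", $uri,
        safe_mode_ok($class, \@allow, \@deny, \&match_prefix),
        safe_mode_ok($class, \@allow, \@deny, \&match_boundary);
}
```

With prefix matching, /Customer/Orders is refused even though Customer is on the allow list; with boundary matching only Custom and Custom::* are refused. /File/Find is refused either way because File is not on the allow list.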
Re: [ANNOUNCE] Apache::Dispatch
Posted by Matt Sergeant <ma...@sergeant.org>.
On Fri, 28 Jul 2000, Geoffrey Young wrote:
> The URL
>
>
> http://morpheus.laserlink.net/~gyoung/modules/Apache-Dispatch-0.01.tar.gz
>
> has entered CPAN as
>
> file: $CPAN/authors/id/G/GE/GEOFF/Apache-Dispatch-0.01.tar.gz
> size: 5170 bytes
> md5: acee515fc8d19223f017c8380cae5b26
>
> well, after the conference, I felt motivated to do some stuff. Then I got
> on the red-eye and spent the early part of this week recovering :)
>
> anyway, Apache::Dispatch is a module we've talked about before and that I've
> been meaning to get to for a while, but just found the tuits this week.
>
> Hopefully, it addresses some of the safety concerns expressed a few months
> ago about such a concept. consider it REAL alphaware for the moment - it
> works (at least for me), but until everyone pokes around it some and looks
> for holes it may not be entirely safe.
>
> that said, if people are listening beyond the template traffic, here is the
> README...
Hmm... I'm not convinced of the security yet, although I'm tired so bear
with me if I missed something in my reading of this. I thought we'd agreed
that you needed at least two things: Namespace prefixes and method
prefixes. If you don't require namespace prefixes you're going to get
someone finding horrible exploits like using File/Find/find or something
horrid, and if you don't require function prefixes someone is likely to
find an exploit another way, and it doesn't allow you to have private
functions...
Let me know if I'm way off, or missed something in the docs.
--
<Matt/>
Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org