Posted to modperl@perl.apache.org by Jonas Nordström <Jo...@ei.sigma.se> on 2001/05/03 12:54:46 UTC
HTTP::Cookies problem
How can I copy cookies from an incoming request to a LWP-request and also
add a custom cookie? Can I use HTTP::Cookies?
I use:
$request->header('Cookie' => $r->header_in("Cookie"));
and it works fine, but now I want to add a cookie that the client didn't
send.
Can I use $cookie_jar->set_cookie() and then
$cookie_jar->add_cookie_header($request);? But what happens with the
original cookies?
/Jonas
RE: Insecure dependency errors
Posted by Barry Veinotte <ba...@veinotte.com>.
> -----Original Message-----
> From: Stas Bekman [mailto:stas@stason.org]
> Sent: Thursday, May 03, 2001 11:56 PM
> To: Cees Hek
> Cc: Barry Veinotte; modperl@apache.org
> Subject: Re: Insecure dependency errors
>
>
> On Fri, 4 May 2001, Cees Hek wrote:
>
> > On Thu, 3 May 2001, Barry Veinotte wrote:
> >
> > > [Thu May 3 15:06:57 2001] [error] Insecure dependency in open while
> > > running with -T switch at /usr/local/www/vhosts/ad-eagle.com/cgi-bin/ad-eagle/lib/AdEagle.pm line 472.
>
> > > The scripts using the .pm are running under Apache::Registry and have been running
> > > fine. Then last night a "major" upgrade was done to the servers. Now the scripts are
> > > dying with this error. None of them are running -T I don't think any on the server are,
> > > and know none under Apache::Registry are.
>
> > > Only Apache::Registry scripts are being affected. Anyone have any ideas as to
> > > where I could start looking?
>
> % perldoc perlsec
>
> > Check your Apache config files for PerlTaintCheck On, and check all your
> > registry scripts for the -T switch. Also, taint checking is automatically
> > turned on when scripts are run setuid (I don't know if that can affect
> > Registry scripts, but it's probably worth checking the file permissions on
> > all your scripts and modules)
>
> -T doesn't affect mod_perl scripts, only PerlTaintCheck. The same goes for
> setuid, Apache::Registry scripts aren't executed as plain perl scripts.
> Instead they are being read as plain files, placed into the handler()
> function (and the package) and only then executed.
>
> See: http://perl.apache.org/guide/porting.html#Taint_Mode
> _____________________________________________________________________
> Stas Bekman JAm_pH -- Just Another mod_perl Hacker
> http://stason.org/ mod_perl Guide http://perl.apache.org/guide
> mailto:stas@stason.org http://apachetoday.com http://eXtropia.com/
> http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
>
Thanks for the words of wisdom Gents. These errors were not occurring before the
admins did their "major upgrade" so I knew the code was okay. However, after verifying a
few times that there was nothing setuid or containing a -T switch, and wasting a day and a
half on searching for the cause of these senseless errors, I found a fix. REBOOT
I still don't know why mod_perl thought I was throwing a -T at it, but rebooting the
box shook it loose.
Doh!
Barry
Re: Insecure dependency errors
Posted by Stas Bekman <st...@stason.org>.
On Fri, 4 May 2001, Cees Hek wrote:
> On Thu, 3 May 2001, Barry Veinotte wrote:
>
> > [Thu May 3 15:06:57 2001] [error] Insecure dependency in open while
> > running with -T switch at /usr/local/www/vhosts/ad-eagle.com/cgi-bin/ad-eagle/lib/AdEagle.pm line 472.
> > The scripts using the .pm are running under Apache::Registry and have been running
> > fine. Then last night a "major" upgrade was done to the servers. Now the scripts are
> > dying with this error. None of them are running -T I don't think any on the server are,
> > and know none under Apache::Registry are.
> > Only Apache::Registry scripts are being affected. Anyone have any ideas as to
> > where I could start looking?
% perldoc perlsec
> Check your Apache config files for PerlTaintCheck On, and check all your
> registry scripts for the -T switch. Also, taint checking is automatically
> turned on when scripts are run setuid (I don't know if that can affect
> Registry scripts, but it's probably worth checking the file permissions on
> all your scripts and modules)
-T doesn't affect mod_perl scripts, only PerlTaintCheck. The same goes for
setuid, Apache::Registry scripts aren't executed as plain perl scripts.
Instead they are being read as plain files, placed into the handler()
function (and the package) and only then executed.
See: http://perl.apache.org/guide/porting.html#Taint_Mode
_____________________________________________________________________
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:stas@stason.org http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
Re: Insecure dependency errors
Posted by Cees Hek <ce...@sitesuite.net>.
On Thu, 3 May 2001, Barry Veinotte wrote:
> [Thu May 3 15:06:57 2001] [error] Insecure dependency in open while
> running with -T switch at /usr/local/www/vhosts/ad-eagle.com/cgi-bin/ad-eagle/lib/AdEagle.pm line 472.
>
> The scripts using the .pm are running under Apache::Registry and have been running
> fine. Then last night a "major" upgrade was done to the servers. Now the scripts are
> dying with this error. None of them are running -T I don't think any on the server are,
> and know none under Apache::Registry are.
>
> Only Apache::Registry scripts are being affected. Anyone have any ideas as to
> where I could start looking?
Check your Apache config files for PerlTaintCheck On, and check all your
registry scripts for the -T switch. Also, taint checking is automatically
turned on when scripts are run setuid (I don't know if that can affect
Registry scripts, but it's probably worth checking the file permissions on
all your scripts and modules)
Cees
Insecure dependency errors
Posted by Barry Veinotte <ba...@veinotte.com>.
Hi People.
This is a strange problem, and I am not even sure if it is directly related
to mod_perl or not, but since there have been a couple of guys on this for a
couple of hours now with no answers, I thought I would check to see if
anyone has seen such errors:
[Thu May 3 15:06:57 2001] [error] Insecure dependency in open while
running with -T switch at /usr/local/www/vhosts/ad-eagle.com/cgi-bin/ad-eagle/lib/AdEagle.pm line 472.
The scripts using the .pm are running under Apache::Registry and have been running
fine. Then last night a "major" upgrade was done to the servers. Now the scripts are
dying with this error. None of them are running -T I don't think any on the server are,
and know none under Apache::Registry are.
Only Apache::Registry scripts are being affected. Anyone have any ideas as to
where I could start looking?
Thanks, and if it turns out to not be related to mod_perl, I apologize :-)
I am about to suggest reinstalling Perl ...
Barry
_________________________________________________________
Barry Veinotte
Veinotte.com International, Inc.
E-Mail: Barry@veinotte.com
Phone: 709.282.3233
http://www.veinotte.com http://ad-eagle.com http://pass-iton.com
Software isn't released,
it's allowed to escape.
_________________________________________________________
Re: HTTP::Cookies problem
Posted by will trillich <wi...@serensoft.com>.
On Thu, May 03, 2001 at 12:54:46PM +0200, Jonas Nordström wrote:
> How can I copy cookies from an incoming request to a LWP-request and also
> add a custom cookie? Can I use HTTP::Cookies?
>
> I use:
> $request->header('Cookie' => $r->header_in("Cookie"));
> and it works fine, but now I want to add a cookie that the client didn't
> send.
> Can I use $cookie_jar->set_cookie() and then
> $cookie_jar->add_cookie_header($request);? But what happens with the
> original cookies?
so you just wanna forward a cookie? i'm not a cookie expert
(and how, look at my recent desperate posts) but i'd say
you can send whatever cookie you want, for whatever nefarious
purposes you'd like.
$req->header('Cookie' => $r->header_in('Cookie'));
$req->header('Cookie' => &my_new_cookie_monster( $something ));
as far as 'what happens with the original cookies' they stay with
the user's browser, until they expire (if an expire date was
given) or end-of-session (when browser is quit, if no expire was
given).
i think the answer to your question is, you can chain several
cookie headers on via the same ->header('Cookie' => ...) call.
--
don't visit this page. it's bad for you. take my expert word for it.
http://www.salon.com/people/col/pagl/2001/03/21/spring/index1.html
will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!
Re: HTTP::Cookies problem
Posted by Gisle Aas <gi...@ActiveState.com>.
Jonas Nordström <Jo...@ei.sigma.se> writes:
> How can I copy cookies from an incoming request to a LWP-request and also
> add a custom cookie? Can I use HTTP::Cookies?
>
> I use:
> $request->header('Cookie' => $r->header_in("Cookie"));
> and it works fine, but now I want to add a cookie that the client didn't
> send.
> Can I use $cookie_jar->set_cookie() and then
> $cookie_jar->add_cookie_header($request);? But what happens with the
> original cookies?
It goes away if any cookies from the $cookie_jar apply.
$cookie_jar->add_cookie_header() currently overrides the cookie header
by calling:

    $request->header(Cookie => join("; ", @cval)) if @cval;

If we change this to:

    $request->push_header(...)

then you get two header lines. Don't know if most server apps can
deal with it. Still another alternative would be to do something like:

    if (my $old_cookie = $request->header('Cookie')) {
        unshift(@cval, $old_cookie);
    }
    $request->header(Cookie => join("; ", @cval)) if @cval;

That should append to the current value if it was set.
Do you want this?
Regards,
Gisle
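
An added example (not part of any message in this thread, and not libwww-perl's own code) of the merge discussed above: it builds one Cookie header from the client's cookies plus a cookie set by the forwarding code, and drops any client-sent cookie that reuses the injected name so the browser cannot override it. The helper merge_cookie_header, the cookie name backend_user and the host backend.example are hypothetical, and the incoming header string is constructed sample input.

```perl
use strict;
use warnings;
use HTTP::Request;

# Hypothetical helper: merge the client's Cookie header with cookies added
# by the forwarding code into a single header value. Names set by the
# forwarder win: a client-sent cookie with the same name is dropped.
sub merge_cookie_header {
    my ($incoming, %extra) = @_;
    my @pairs;
    for my $pair (split /;/, defined $incoming ? $incoming : '') {
        $pair =~ s/^\s+|\s+$//g;                    # trim around each pair
        next unless $pair =~ /^([^=\s]+)=(.*)$/;    # skip malformed fragments
        my ($name, $value) = ($1, $2);
        next if exists $extra{$name};               # forwarder's value takes precedence
        next if $value =~ /[\r\n]/;                 # never forward CR/LF into a header
        push @pairs, "$name=$value";
    }
    for my $name (sort keys %extra) {
        die "bad cookie name or value for '$name'\n"
            if $name =~ /[=;\s]/ || $extra{$name} =~ /[;\r\n]/;
        push @pairs, "$name=$extra{$name}";
    }
    return join '; ', @pairs;
}

# Constructed sample: what $r->header_in("Cookie") might return, including
# a client attempt to supply the forwarder's own cookie name.
my $incoming = 'session=abc123; lang=sv; backend_user=admin';

# Hypothetical backend URL; in a handler this would be the LWP request.
my $request = HTTP::Request->new(GET => 'http://backend.example/');
my $merged  = merge_cookie_header($incoming, backend_user => 'jonas');
$request->header(Cookie => $merged) if length $merged;

print $request->header('Cookie'), "\n";
```

Setting the header once with the joined value avoids both the overwrite behaviour of add_cookie_header() and the two-header-line form that push_header() would produce.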