Greg Zartman wrote:

I'm relatively inexperienced at using this module as I've always preferred coding my own cgi functions. A question:


If one were to use the CGI::Safe CGI subclass to turn off uploads, does this shut off uploads in general for the cgi session, or is it required that one use CGI form objects to take advantage of this security feature?

Thanks.


How do you mean "for the cgi session"? Because we are just talking about a request that is really just some well-formatted content being sent down a pipe, and then being handled by something that has the ability to handle such content on the other end, there are multiple places where this can and may be handled. So the important thing is to understand where in the processing of an HTTP request CGI.pm fits, and hence what kind of "security" this provides. So having said that,....


The client can make any kind of request it wants and send any amount of data, as long as something on the other side will listen to it. In *most* cases, assuming we are dealing with normal CGI, and no one has thrown any mod_perl or one of its cousins into the mix, then the server will pass control to the cgi script, at which point it is up to it to wrangle the request into something meaningful. Part of CGI.pm does this automagically when you first use one of its methods or instantiate the object; part of this magic is to store uploaded file content to a temporary location, unless it is told not to (which is really CGI::Safe's goal). If you have shut off the feature then the data is simply ignored and may either be dropped altogether or eaten up by the next handler in the request chain (if there is another, after the CGI, which there usually isn't in a normal CGI session); then presumably it would have access to this data (although this isn't likely, as it has been read from STDIN, which you can't seek back to, at least in *most* cases).

All of this depends somewhat on the features and protocol version of the client, the server, and how the request/response model is handled.

Also note that at no time did I mention across multiple requests if *that* is what you mean by "session". I speak of "session" as one request/response cycle.

So does this help? This type of question is the reason why I suggest everyone should read (at least skim) the ORA mod_perl book, regardless of whether you intend to use mod_perl; it *will* improve your understanding of CGI, HTTP, and the web, regardless of whether you develop for Apache, IIS, PoCo::HTTP...

http://danconia.org
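To make the reply above concrete, here is an added example (not code from either poster, and not CGI::Safe's own code) that pushes one constructed multipart request through plain CGI.pm three times: with uploads allowed, with `$CGI::DISABLE_UPLOADS` set, and with `$CGI::POST_MAX` smaller than the body. Those two package globals are the knobs CGI::Safe sets before the query object is built; the example sets them directly so the effect on `param`, `upload` and `cgi_error` is visible. The request body and the `parse_request` helper are constructed for this example, and it assumes CGI.pm reads the body with `read()` on STDIN, so an in-memory filehandle can stand in for the server's pipe.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed multipart/form-data request: one ordinary field and one file
# part. Sample input built for this example, not a captured request.
my $boundary = 'XxBoundaryXx';
my $body = join "\r\n",
    "--$boundary",
    'Content-Disposition: form-data; name="comment"',
    '',
    'hello',
    "--$boundary",
    'Content-Disposition: form-data; name="doc"; filename="notes.txt"',
    'Content-Type: text/plain',
    '',
    "line one\nline two\n",
    "--$boundary--",
    '';

# Hypothetical helper: hand one request to CGI.pm the way a web server
# would (method, type and length in the environment, body on STDIN) and
# report what the script can see afterwards.
sub parse_request {
    my (%opt) = @_;
    local $CGI::DISABLE_UPLOADS = $opt{disable_uploads} ? 1 : 0;
    local $CGI::POST_MAX        = defined $opt{post_max} ? $opt{post_max} : -1;  # -1 = no limit

    local $ENV{REQUEST_METHOD} = 'POST';
    local $ENV{CONTENT_TYPE}   = "multipart/form-data; boundary=$boundary";
    local $ENV{CONTENT_LENGTH} = length $opt{body};
    # In-memory handle standing in for the server's pipe (assumption: CGI.pm
    # reads the body with read() on STDIN, which works on such a handle).
    open STDIN, '<', \$opt{body} or die "open STDIN: $!";
    binmode STDIN;

    my $q = CGI->new;   # this is where CGI.pm drains STDIN and parses
    my %seen = (
        error    => defined $q->cgi_error ? $q->cgi_error : '',
        comment  => defined $q->param('comment') ? $q->param('comment') : '',
        doc      => defined $q->param('doc') ? '' . $q->param('doc') : '',
        upload   => defined $q->upload('doc') ? 1 : 0,
        consumed => eof(STDIN) ? 1 : 0,   # can the next handler still read it?
    );
    if ($seen{upload}) {
        my $fh = $q->upload('doc');
        local $/;
        $seen{content} = <$fh>;           # contents of the temp file CGI.pm wrote
    }
    return \%seen;
}

sub show {
    my ($label, $r) = @_;
    printf "%-14s error='%s' comment='%s' doc='%s' upload=%d stdin_consumed=%d\n",
        $label, @{$r}{qw(error comment doc upload consumed)};
}

# 1. Default CGI.pm: the file part is spooled to a temporary file and handed
#    back through upload(); param('doc') carries the client-supplied name.
show('uploads on:', parse_request(body => $body));

# 2. Uploads disabled (what CGI::Safe arranges): the file bytes are read off
#    STDIN and discarded, nothing is written to disk, and the script sees no
#    value and no upload handle for 'doc'. The ordinary field still arrives.
show('uploads off:', parse_request(body => $body, disable_uploads => 1));

# 3. POST_MAX below the body size: CGI.pm refuses to read the body at all and
#    records an error string the script must check itself via cgi_error().
show('post_max 64:', parse_request(body => $body, post_max => 64));
```

The third case is the one people forget: CGI.pm does not die or print anything when a request is too large, it just leaves `cgi_error` set and the parameter list empty, so a script that only checks `param()` will quietly process an empty form. In the second case the body really is gone from STDIN, which is the "can't seek back" point made above; only in the third case is the unread body still sitting on the pipe for whatever runs next.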

