[Catalyst] Feature Request: Parameter Junctions
There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst: allow junctions for request parameters. Consider the following:

    # ?sport=football
    my $params = $c->request->query_parameters;
    # { sport => 'football' }

But if there are multiple parameters:

    # ?sport=football;sport=seal%20clubbing
    my $params = $c->request->query_parameters;
    # { sport => [ 'football', 'seal clubbing' ] }

Because multiple parameters are supplied, the data structure changes! All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes. Worse, if there are already multiple parameters, the attacker can restrict them to a single parameter and you'll likely fail when you attempt to dereference:

    @{ $params->{sport} }

I think this could be eliminated by using an 'any' junction:

    my $sport = $c->request->get_param('sport');
    if ( 'football' eq $sport ) {
        ...
    }

That works whether you have one parameter for 'sport' or multiple. Want to iterate over them?

    foreach my $sport ( $c->request->get_param('sport')->values ) {
        ...
    }

Again, that still works whether you have one parameter or several. The developer no longer needs to write code to detect what data type is returned and it's one less bug lurking.

Thoughts?

Cheers,
Ovid

--
Buy the book - http://www.oreilly.com/catalog/perlhks/
Tech blog - http://use.perl.org/~Ovid/journal/
Twitter - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Feature Request: Parameter Junctions
On Wed, Oct 22, 2008 at 2:34 AM, Ovid [EMAIL PROTECTED] wrote:
> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst: allow junctions for request parameters. Consider the following:
>
>     # ?sport=football
>     my $params = $c->request->query_parameters;
>     # { sport => 'football' }
>
> But if there are multiple parameters:
>
>     # ?sport=football;sport=seal%20clubbing
>     my $params = $c->request->query_parameters;
>     # { sport => [ 'football', 'seal clubbing' ] }
>
> Because multiple parameters are supplied, the data structure changes! All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes. Worse, if there are already multiple parameters, the attacker can restrict them to a single parameter and you'll likely fail when you attempt to dereference:
>
>     @{ $params->{sport} }
>
> I think this could be eliminated by using an 'any' junction:
>
>     my $sport = $c->request->get_param('sport');
>     if ( 'football' eq $sport ) {
>         ...
>     }
>
> That works whether you have one parameter for 'sport' or multiple. Want to iterate over them?
>
>     foreach my $sport ( $c->request->get_param('sport')->values ) {
>         ...
>     }
>
> Again, that still works whether you have one parameter or several. The developer no longer needs to write code to detect what data type is returned and it's one less bug lurking.
>
> Thoughts?
>
> Cheers,
> Ovid

Not a bad idea, and I tend to wrap this stuff anyway, but then $c->request doesn't look like a CGI-compat object, which is immensely helpful when dealing with other code.

If it were still API compatible, I'd be happy to see something like this get into 5.8

-J
[Catalyst] PDF creation in Catalyst?
If you go to catalystframework.org, it says on the main page:

"And in case you want PNG or PDF output, you'll need just a few lines..."

Can someone give me those few lines? :-)

Somewhat less snippishly, I've been trying to figure out the state of PDF generation from Catalyst. I don't need to do anything super fancy - mostly get a report so it can print on paper that's perforated into thirds, without worrying about browsers, telling users how to turn off browser print header/footer lines, and the like. I've seen several options:

PDF::Template, based on HTML::Template. The reasons I'm not thrilled about this are: terrible lack of documentation, the original maintainers giving up on the project and calling it a mess, versions being rolled back - the google footprint of this project shows a lot of internal chaos. And I'm using Template Toolkit as my HTML generation template, so I'm not thrilled to mix in a different format.

PDF::ReportWriter. This looks like it's maintained, under active development, and has excellent documentation. Anyone heard of this? It's not mentioned in the usual places like perlmonks. And the design really forces you to learn more about PDF than I ideally want to.

Use something external. I found an old thread from this mailing list from 2006, where people mentioned htmldoc. However, with this approach I'm not sure I'll get the small level of control I want (to verify that page breaks are in the right place, really.) It does let me keep using TT, which I like. (Other people mentioned Latex, which I don't really want to learn in the time I have available. The thread is: http://www.gossamer-threads.com/lists/catalyst/users/8028, actually.)

I'm a bit surprised that there's no Catalyst::View::Something::PDF by now, which makes me worry that it's hard. Most days I'd be happy to look into this, but I'm under the scheduling gun right now in a fairly panic-inducing way, so quick and dirty is unusually appealing.

I don't need to create PDF files for distribution, just something printable with more layout control than HTML is willing to give me. Maybe PDF is a rabbit hole, and someone else has a bright idea?

Thanks for any advice,
Kirby Krueger, University of Washington
Re: [Catalyst] PDF creation in Catalyst?
On Oct 22, 2008, at 11:08 AM, Kirby Krueger wrote:
> If you go to catalystframework.org, it says on the main page:
>
> "And in case you want PNG or PDF output, you'll need just a few lines..."
>
> Can someone give me those few lines? :-)

I hope someone will have something more directly helpful with a code snippet (I'd love to see it too) but essentially this is a PDF question, not a Catalyst one excepting how to plug in another view in addition to your TT which is easy and in the docs.

If no one ends up having any good fish to offer, this is a good set of places to start casting the old rod n'reel.

http://www.perlfoundation.org/perl5/index.cgi?pdf
http://www.google.com/search?as_q=pdf+create&as_sitesearch=www.perlmonks.org (etc)
http://search.cpan.org/perldoc?PDF::FromHTML (maybe? to take your current page output and run it into PDF though this might not give much control)

If the stuff isn't dynamic and you really can't wait, it might be faster to create them yourself from the HTML you've got (print to PDF, manipulate in Acrobat or something) and serve them as static files.

-Ashley
Re: [Catalyst] PDF creation in Catalyst?
On 22 Oct 08 at 20:25, Cory G Watson wrote:
> On Oct 22, 2008, at 1:08 PM, Kirby Krueger wrote:
>> If you go to catalystframework.org, it says on the main page:
>>
>> "And in case you want PNG or PDF output, you'll need just a few lines..."
>>
>> Can someone give me those few lines? :-)
>
> This is more than likely referring to the fact that Catalyst is output agnostic.
>
>> I'm a bit surprised that there's no Catalyst::View::Something::PDF by now, which makes me worry that it's hard. Most days I'd be happy to look into this, but I'm under the scheduling gun right now in a fairly panic-inducing way, so quick and dirty is unusually appealing.
>>
>> I don't need to create PDF files for distribution, just something printable with more layout control than HTML is willing to give me. Maybe PDF is a rabbit hole, and someone else has a bright idea?

Check webkit. I had a quick look there, seems promising: http://cutycapt.sourceforge.net/

David
Re: [Catalyst] PDF creation in Catalyst?
On Wednesday 22 October 2008 01:08:45 pm Kirby Krueger wrote:
> Somewhat less snippishly, I've been trying to figure out the state of PDF generation from Catalyst. I don't need to do anything super fancy - mostly get a report so it can print on paper that's perforated into thirds, without worrying about browsers, telling users how to turn off browser print header/footer lines, and the like. I've seen several options:

Yeah, PDF generation is just unpleasant IMO, Catalyst or not. None of the tools available in Perl are high-level enough to make me happy.

$WORK has a system using Apache FOP for report generation. It works, and the output is good, but creating the templates is a grind, and the code to invoke fop is ugly (and it's Java)... and that's the best thing I know of ;)

Andrew
Re: [Catalyst] PDF creation in Catalyst?
Kirby Krueger wrote:
> And in case you want PNG or PDF output, you'll need just a few lines...

We have a system doing PDF on the fly from Template::Toolkit, but you have to go via LaTeX - it's not so bad, do not be put off!

http://www.catalystframework.org/calendar/2006/12

regards,
oliver.
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
[Catalyst] Re: PDF creation in Catalyst?
* Kirby Krueger [EMAIL PROTECTED] [2008-10-22 20:20]:
> Can someone give me those few lines? :-)

    use Text::ParseWords ();
    use IPC::Filter ();

    sub MyApp::Controller::Root::renderview : ActionClass('RenderView') {}

    sub MyApp::Controller::Root::end : Private {
        my $self = shift;
        my ( $c ) = @_;
        $c->forward( '/renderview' );
        if ( $c->req->param( 'pdf' ) ) {
            # split the configured command line into a list of words
            my @pdf_cmd = Text::ParseWords::shellwords( $c->config->{ pdf_cmd } );
            $c->res->content_type( 'application/pdf' );
            # pipe the rendered HTML body through the external converter
            $c->res->body( IPC::Filter::filter( $c->res->body, @pdf_cmd ) );
        }
    }

And in `myapp.conf`:

    pdf_cmd prince -i html -s prince.css -o - -

Yes, PrinceXML http://www.princexml.com/ costs $$$, *however*, it renders HTML to PDF verbatim instead of requiring you to use completely different stuff like FOP or LaTeX – which is an especially big selling point if you’re looking to generate PDF from a CMS-ish thing where users can enter HTML content. It also supports pretty much all print-related CSS stuff, which includes control over line breaks and the like, and also provides proprietary CSS extensions to do things like page headers and footers, page numbering, and so on.

For us, the effort we avoided of having to write PDF-specific code (the above lines are literally the only PDF-related code in the app) and then maintain it over more than made up for the price tag.

Regards,
--
Aristotle Pagaltzis // http://plasmasturm.org/
[Catalyst] Re: Feature Request: Parameter Junctions
* Ovid [EMAIL PROTECTED] [2008-10-22 11:40]:
> Because multiple parameters are supplied, the data structure changes! All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes.

And if it does then what? The problem is largely benign, actually, from a security perspective. (Of course, all types of bugs can cause an existing potential security hole to manifest.)

The fact that the app crashes is still a problem, though. That shouldn’t happen.

That said:

> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst: allow junctions for request parameters.

I don’t see the point of junctions here. Feel free to write Catalyst::Request::Junctional :-) but I don’t think that a junction-based API belongs in the Cat core. Maybe in Catasixt, but not in Cat-on-Perl 5.

I outlined a proposal a long time ago of two different methods like the current `param`, one which always returned a single value (the last one if there are multiple) and one which always returned an arrayref. Then there could be no confusion and code would always get exactly what it was written to expect. Matt agreed but punted to volunteers, and none stepped up, me included, so it has yet to happen.

Regards,
--
Aristotle Pagaltzis // http://plasmasturm.org/
Re: [Catalyst] PDF creation in Catalyst?
On 22 October 2008 at 20:08:45, Kirby Krueger [EMAIL PROTECTED] wrote:
> PDF::ReportWriter.

Some time ago I did an evaluation of all different PDF creation Perl modules, to build our own internal solution, and I chose this one.

Then I worked with the original author to extend it with some interesting (for me at least) features, like the (easy and quick) xml reports definition, and the page templating.

With page templating you can create your own template page in PDF with a tool of your choice, and then let PDF::ReportWriter render the report data on top of it. This seems pretty much what you need.

> This looks like it's maintained

Yes.

> under active development

Yes.

> and has excellent documentation

Mmh... I contributed to the docs as well, but I wouldn't say they are excellent. In particular, the xml format needs to be documented better, and all the groups/headers mechanism maybe needs a better explanation.

> Anyone heard of this?

Try it. At least take a look at the examples and the pdf-template option (in the docs):

http://search.cpan.org/src/DKASAK/PDF-ReportWriter-1.5/examples/

> It's not mentioned in the usual places like perlmonks. And the design really forces you to learn more about PDF than I ideally want to.

I'm not sure.

--
Cosimo
Re: [Catalyst] Re: PDF creation in Catalyst?
On 22 Oct 2008, at 20:50, Aristotle Pagaltzis wrote:
> * Kirby Krueger [EMAIL PROTECTED] [2008-10-22 20:20]:
>> Can someone give me those few lines? :-)
>
>     sub MyApp::Controller::Root::renderview : ActionClass('RenderView') {}
>
>     sub MyApp::Controller::Root::end : Private {
>         my $self = shift;
>         my ( $c ) = @_;
>         $c->forward( '/renderview' );
>         if ( $c->req->param( 'pdf' ) ) {
>             my @pdf_cmd = Text::ParseWords::shellwords( $c->config->{ pdf_cmd } );
>             $c->res->content_type( 'application/pdf' );
>             $c->res->body( IPC::Filter::filter( $c->res->body, @pdf_cmd ) );
>         }
>     }
>
> And in `myapp.conf`:
>
>     pdf_cmd prince -i html -s prince.css -o - -
>
> Yes, PrinceXML http://www.princexml.com/ costs $$$, *however*, it renders HTML to PDF verbatim instead of requiring you to use completely different stuff like FOP or LaTeX – which is an especially big selling point if you’re looking to generate PDF from a CMS-ish thing where users can enter HTML content. It also supports pretty much all print-related CSS stuff, which includes control over line breaks and the like, and also provides proprietary CSS extensions to do things like page headers and footers, page numbering, and so on.
>
> For us, the effort we avoided of having to write PDF-specific code (the above lines are literally the only PDF-related code in the app) and then maintain it over more than made up for the price tag.

Sounds interesting - in fact so interesting I contemplated doing something similar a few months ago before deciding I didn't have time due to a major release in like 3 days' time.

http://perlitist.com/static/talks/pdf_typesetting.pdf -- I even wrote a talk about it :)

(No, I've not really got anywhere with the code since. I've spent about a total of 6 hours on it since I gave that talk.)

-ash
Re: [Catalyst] PDF creation in Catalyst?
2008/10/22 Kirby Krueger [EMAIL PROTECTED]:
> If you go to catalystframework.org, it says on the main page:
>
> "And in case you want PNG or PDF output, you'll need just a few lines..."
>
> Can someone give me those few lines? :-)

Those few lines refer to choosing your view. PDF::Create is probably the simplest to use, but for me, PDF::API2 is the daddy.

Dp.
[Catalyst] Re: PDF creation in Catalyst?
* Aristotle Pagaltzis [EMAIL PROTECTED] [2008-10-22 21:55]:
> control over line breaks and the like

Err, I meant page breaks of course.

Regards,
--
Aristotle Pagaltzis // http://plasmasturm.org/
Re: [Catalyst] PDF creation in Catalyst?
On Wed, Oct 22, 2008 at 3:29 PM, Jesse Sheidlower [EMAIL PROTECTED] wrote:
> On Wed, Oct 22, 2008 at 08:46:25PM +0100, Oliver Gorwits wrote:
>> Kirby Krueger wrote:
>>> And in case you want PNG or PDF output, you'll need just a few lines...
>>
>> We have a system doing PDF on the fly from Template::Toolkit, but you have to go via LaTeX - it's not so bad, do not be put off!
>>
>> http://www.catalystframework.org/calendar/2006/12
>
> Was the hack required in that Advent entry, necessitated by a bug in the standalone server, ever fixed? If so, perhaps we should re-edit this entry to remove that entire section. Right now it's the sort of thing a lot of people would look at and then run away from
>
> Jesse Sheidlower

We used that entry as guidance to do PDF generation via LaTeX. Instead of hacking at system, we patched Catalyst::Engine::HTTP (see attachment). It has worked for us for awhile now.

For what it's worth, LaTeX worked out really well for us. It gives you the control/expressiveness it sounds like the OP needs, without having to learn the guts of PDF generation.

Regards,
Nate Green
sagrader.com

Index: lib/perl5/Catalyst/Engine/HTTP.pm === --- lib/perl5/Catalyst/Engine/HTTP.pm (revision 2102) +++ lib/perl5/Catalyst/Engine/HTTP.pm (working copy) @@ -11,6 +11,7 @@ use Socket; use IO::Socket::INET (); use IO::Select (); +use POSIX :sys_wait_h; # For PAR require Catalyst::Engine::HTTP::Restarter; @@ -189,7 +190,6 @@ } my $restart = 0; -local $SIG{CHLD} = 'IGNORE'; my $allowed = $options-{allowed} || { '127.0.0.1' = '255.255.255.255' }; my $addr = $host ? inet_aton($host) : INADDR_ANY;
@@ -278,8 +278,22 @@ if ( $options-{fork} ) { if ( $pid = fork ) { DEBUG warn Forked child $pid\n; + # Wait for child to complete its fork + my $kid; + do { +$kid = waitpid($pid, WNOHANG); + } until $kid 0; next; } +else { + # child forks again + # double-fork avoids defining SIG{CHLD} in main process, + # which causes system() and backticks to return incorrect status + if ($pid = fork) { +die Fork failed: $! if $pid 0; +exit; + } +} } $self-_handler( $class, $port, $method, $uri, $protocol ); @@ -324,7 +338,6 @@ DEBUG warn Shutting down\n; if ($restart) { -$SIG{CHLD} = 'DEFAULT'; wait; ### if the standalone server was invoked with perl -I .. we will loose
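Review bot: In the @@ -278,8 +278,22 @@ hunk the "Fork failed" die sits inside the `if ($pid = fork)` block, so it only runs when fork returned a true value and can never fire. Perl's fork returns undef on failure, which skips that block entirely, so a failed second fork falls through silently to the `_handler` call in the intermediate child. Check `defined $pid` before branching on it. The waitpid loop with WNOHANG in the same hunk also spins without sleeping; the intermediate child exits right after its own fork, so a blocking `waitpid($pid, 0)` would reap it without the busy loop.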
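Review bot: The @@ -189,7 +190,6 @@ hunk drops `local $SIG{CHLD} = 'IGNORE'` with no comment at the removal site, so nothing reaps children automatically any more and every fork in this file now depends on an explicit wait. The reason is only given further down, in the double-fork comment about system() and backticks returning an incorrect status; a one-line comment where the handler used to be set would keep someone from restoring it later.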
Re: [Catalyst] Feature Request: Parameter Junctions
On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
> Because multiple parameters are supplied, the data structure changes! All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes.

Isn't that what validating input is all about? Perhaps $c->req->parameters is too low-level to be using in your controllers.

I do something like this:

    sub foo : Local {
        my ( $self, $c ) = @_;

        # do something if validation fails.
        die 'naughty user' unless $c->validate_form;

        # Now safely use your validated input.
        my $form = $c->stash->{form};
        my $sport = $form->value( 'sport' );
        ...
    }

Fields that accept only scalars only validate for single values, etc. Parameter validation doesn't have to be just for posted forms.

--
Bill Moseley [EMAIL PROTECTED]
Sent from my iMutt
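An added example, not part of any message in this thread and not Catalyst code: it shows the scalar-versus-arrayref shape change Ovid describes, the two fixed-shape accessors Aristotle proposes, and a strict single-value check in the spirit of Bill's validation. The helper names `param_list`, `param_last` and `param_single` are hypothetical, and the two parameter hashes are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (not Catalyst API). $params has the shape the thread
# describes: a plain scalar when a key occurs once, an arrayref when it
# occurs several times.

# Always returns a list, whatever shape the request produced.
sub param_list {
    my ( $params, $name ) = @_;
    my $v = $params->{$name};
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Always returns one scalar: the last value supplied, or undef if absent.
sub param_last {
    my ( $params, $name ) = @_;
    my @v = param_list( $params, $name );
    return @v ? $v[-1] : undef;
}

# Strict variant for fields that must be single-valued: dies on duplicates
# so the caller can reject the request instead of guessing which one wins.
sub param_single {
    my ( $params, $name ) = @_;
    my @v = param_list( $params, $name );
    die "parameter '$name' supplied " . scalar(@v) . " times\n" if @v > 1;
    return $v[0];
}

# Constructed sample input for ?sport=football and
# ?sport=football;sport=seal%20clubbing
my $one  = { sport => 'football' };
my $many = { sport => [ 'football', 'seal clubbing' ] };

# The failure mode from the thread: code written for the multi-value case
# dereferences unconditionally and dies under strict refs on a scalar.
my $ok = eval { my @s = @{ $one->{sport} }; 1 };
print "naive deref on single value: ", ( $ok ? "ok\n" : "died: $@" );

for my $p ( $one, $many ) {
    printf "list=%s last=%s\n",
        join( '|', param_list( $p, 'sport' ) ), param_last( $p, 'sport' );

    my $single;
    if ( eval { $single = param_single( $p, 'sport' ); 1 } ) {
        print "single=$single\n";
    }
    else {
        print "rejected: $@";
    }
}
```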
Re: [Catalyst] Re: PDF creation in Catalyst?
On Wed, Oct 22, 2008 at 09:50:25PM +0200, Aristotle Pagaltzis wrote:
> Yes, PrinceXML http://www.princexml.com/ costs $$$, *however*, it renders HTML to PDF verbatim instead of requiring you to use completely different stuff like FOP or LaTeX – which is an especially big selling point if you’re looking to generate PDF from a CMS-ish thing where users can enter HTML content. It also supports pretty much all print-related CSS stuff, which includes control over line breaks and the like, and also provides proprietary CSS extensions to do things like page headers and footers, page numbering, and so on.
>
> For us, the effort we avoided of having to write PDF-specific code (the above lines are literally the only PDF-related code in the app) and then maintain it over more than made up for the price tag.

If your needs are simple, I've used this for invoices and simple documents:

http://www.htmldoc.org/

But, css support doesn't exist -- but if you remember your creative days with tables you can do some fun things.

I'm starting to reconsider what exactly needs to be in PDF. I've had a number of PDFs for various documents that probably could have been just as useful as HTML (with print style sheets).

--
Bill Moseley [EMAIL PROTECTED]
Sent from my iMutt