Re: Stupid question about pools

2003-12-03 Thread Cliff Woolley 
On Wed, 3 Dec 2003, Brian Akins wrote:

> I assume the same is true for connections?  Every time a connection is
> closed, the registered cleanups would get ran.

Yep.  c->pool.

--Cliff

Re: Stupid question about pools

2003-12-03 Thread Brian Akins 
Cliff Woolley wrote:
On Wed, 3 Dec 2003, Cliff Woolley wrote:

Okay hang on, just to be clear... you have to register it on every
request, and THEN it will get run after every request.  
Right.  Or more correctly, register it on every request on which I want 
to run the cleanup.

Just wanted to make sure.

I assume the same is true for connections?  Every time a connection is 
closed, the registered cleanups would get ran.

--
Brian Akins
Senior Systems Engineer
CNN Internet Technologies

Re: Stupid question about pools

2003-12-03 Thread Cliff Woolley 
On Wed, 3 Dec 2003, Cliff Woolley wrote:

> On Wed, 3 Dec 2003, Brian Akins wrote:
>
> > Does the request pool get "cleaned up" after every request?  IE, If I
> > register a cleanup on r->pool, will it get ran after every request?

Okay hang on, just to be clear... you have to register it on every
request, and THEN it will get run after every request.  You can't just
register it once and then have it run after every request, because r->pool
is different for every request (and because the act of running a cleanup
also deregisters that cleanup).  You probably knew that... I just wanted
to be extra clear.

Re: Stupid question about pools

2003-12-03 Thread Cliff Woolley 
On Wed, 3 Dec 2003, Brian Akins wrote:

> Does the request pool get "cleaned up" after every request?  IE, If I
> register a cleanup on r->pool, will it get ran after every request?

Yep, exactly right.

Stupid question about pools

2003-12-03 Thread Brian Akins 
Does the request pool get "cleaned up" after every request?  IE, If I 
register a cleanup on r->pool, will it get ran after every request?



--
Brian Akins
Senior Systems Engineer
CNN Internet Technologies

Re: stupid question?

2002-09-24 Thread David Burry 

You cannot be 100% certain that any server served the form when you receive
the form data, from information in the request itself.  The HTTP protocol
does not support that kind of thing, what you're wanting is the referrer not
the request_uri and yes indeed it can be faked, that's the problem.

Best way is to validate the data that it's 100% ok and not care what form it
came from.  Or use some form of user authentication or session system, etc.
it depends on your situation.

Dave
- Original Message -
From: "Günter Knauf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 24, 2002 6:49 AM
Subject: Re: stupid question?


> Hi Thomas,
> >> are the server-side vars generated by the server or only echoed vars
> >> which where provided by the browser??
> >> specially REQUEST_URI is of interest for me for security purposes in
> >> scripts, so is it generated from Apache self or can it be faked by the
> >> client?
>
> > In 1.3 it looks like it's set from the original request, but to be able
> > to fake it they can't call your script (right?)
> f.e. I have a perl mailscript which should only accept formdata from a
form which was served by my host, so I want to check in the script if
REQUEST_URI is from my own host or probably comes from a locally stored and
modified form...
> so any other ideas what I can check to be 100% sure that the form was
served by my server?
>
> Guenter.
>

Re: stupid question?

2002-09-24 Thread Thomas Eibner 

On Tue, Sep 24, 2002 at 03:49:40PM +0200, Günter Knauf wrote:
> Hi Thomas,
> >> are the server-side vars generated by the server or only echoed vars
> >> which where provided by the browser??
> >> specially REQUEST_URI is of interest for me for security purposes in
> >> scripts, so is it generated from Apache self or can it be faked by the
> >> client?
> 
> > In 1.3 it looks like it's set from the original request, but to be able
> > to fake it they can't call your script (right?)
> f.e. I have a perl mailscript which should only accept formdata from a form which 
>was served by my host, so I want to check in the script if REQUEST_URI is from my own 
>host or probably comes from a locally stored and modified form...
> so any other ideas what I can check to be 100% sure that the form was served by my 
>server?

Probably not the right list for this, but you can't really be 100% sure
that the form is being submitted from your server. But what you are
looking for is really the referer. (still not 100% sure though)

-- 
  Thomas Eibner  DnsZone 
  mod_pointer  
  !(C)  
  Putting the HEST in .COM

Re: stupid question?

2002-09-24 Thread Günter Knauf 

Hi Thomas,
>> are the server-side vars generated by the server or only echoed vars
>> which where provided by the browser??
>> specially REQUEST_URI is of interest for me for security purposes in
>> scripts, so is it generated from Apache self or can it be faked by the
>> client?

> In 1.3 it looks like it's set from the original request, but to be able
> to fake it they can't call your script (right?)
f.e. I have a perl mailscript which should only accept formdata from a form which was 
served by my host, so I want to check in the script if REQUEST_URI is from my own host 
or probably comes from a locally stored and modified form...
so any other ideas what I can check to be 100% sure that the form was served by my 
server?

Guenter.

Re: stupid question?

2002-09-12 Thread Thomas Eibner 

On Thu, Sep 12, 2002 at 10:31:50PM +0200, Günter Knauf wrote:
> Hi,
> probably a stupid question, but I'm too lazy to look through the source; 
> and I'm sure many of you here can answere this question at once:
> are the server-side vars generated by the server or only echoed vars which where 
>provided by the browser??
> specially REQUEST_URI is of interest for me for security purposes in scripts, so is 
>it generated from Apache self or can it be faked by the client?

In 1.3 it looks like it's set from the original request, but to be able
to fake it they can't call your script (right?)

./src/main/util_script.c:ap_table_setn(e, "REQUEST_URI", original_uri(r));

static char *original_uri(request_rec *r)
{
char *first, *last;

if (r->the_request == NULL) {
return (char *) ap_pcalloc(r->pool, 1);
}

first = r->the_request; /* use the request-line */

while (*first && !ap_isspace(*first)) {
++first; /* skip over the method */
}
while (ap_isspace(*first)) {
++first;/*   and the space(s)   */
}

last = first;
while (*last && !ap_isspace(*last)) {
++last; /* end at next whitespace */
}

return ap_pstrndup(r->pool, first, last - first);
}

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> <http://photos.eibner.dk/>
  !(C)<http://copywrong.dk/>  <http://apachegallery.dk/>
  Putting the HEST in .COM <http://www.hestdesign.com/>

stupid question?

2002-09-12 Thread Günter Knauf 

Hi,
probably a stupid question, but I'm too lazy to look through the source; 
and I'm sure many of you here can answere this question at once:
are the server-side vars generated by the server or only echoed vars which where 
provided by the browser??
specially REQUEST_URI is of interest for me for security purposes in scripts, so is it 
generated from Apache self or can it be faked by the client?

Guenter.