Re: syntax and sanity check?

[Geoffrey Young]

Paul wrote:

I'm doing a 45 minute seminar at UAB tomorrow on mod_perl, and would be
very grateful if anyone would point out holes in this code before I try
to show it to a roomful of attendees:


#~~
# module for Apache/mod_perl PerlPostReadRequestHandler to redirect
#  users on the nonsecure port over to SSL (hopefully saving bookmarks)
#__
 
package Apache::PortCorrect;  # define the package space

use strict;   # pragma for clean code
use Apache::Constants qw( :response );# installed with mod_perl
 
sub handler {# default methodname
my($r) = _; # the request object
return OK if 443 == $r-get_server_port; # ok if already SSL

the best way to check for whether you're using SSL is by checking 
$r-subprocess_env('HTTPS') rather than the port.  see the archives 
for why.

my $uri = https://myserver.com; # DNS literal *
. (split /\s+/, $r-the_request)[1]; # requested page


how about $r-uri instead of $r-the_request?  actually, since there's 
sometimes more involved in the request, like the port and query 
string, the right way to change a URI scheme is really

my $uri = Apache::URI-parse($r);
$uri-scheme('https');
my $new_uri = $uri-unparse;

you can see
http://www.modperlcookbook.org/code/ch04/Cookbook/SSLStatus.pm
or recipes 5.3 and 5.4 in the cookbook for a few more examples of 
Apache::URI, and 5.4 shows $r-subprocess_env('HTTPS') (with some 
errata in the code in the first edition, unfortunately).


$r-custom_response(MOVED,$uri); # for re-request
return MOVED;# page moved!


you can certainly do that, but most people just use a redirect here.

so... i'd probably end up with something like

package Apache::RedirectToSSL;

use strict;
use Apache::Constants qw( OK REDIRECT );
use Apache::URI;

sub handler {

  my $r = shift;

  return OK if $r-subprocess_env('HTTPS');

  my $uri = Apache::URI-parse($r);
  $uri-scheme('https');

  $r-headers_out-set(Location = $uri-unparse);
  return REDIRECT;
}
1;

but that's just me :)



If someone is interested in seeing the rest of the presentation, I've
posted it at http://thesilentbard.com/ACM%20Seminar.ppt -- if you'd
care to post it online anywhere else, please let me know first, but
that's cool, too. Any corrections are welcome.


I didn't have the chance to take a look, but it's nice to see people 
promoting mod_perl in as many places as possible :)


I know it isn't clean (I tried to make sure it fit on one slide and
didn't get too complicated for the topic, hence such non-portable
features as the DNS literal, etc), but suggestions are still very
welcome.



right, that's always the problem with presentations, and it usually 
comes down to a decision between overwhelming your audience with 
details and getting the main point across (even if that point isn't 
the whole truth, best way, etc...).

good luck.

--Geoff

RE: Using Perl END{} with Apache::Registry

[Justin Luster]

After doing some additional testing it appears that this problem only
occurs on my Windows machine with Apache 2.0.  I tried it on my Linux
box Apache 1.3 and things worked fine.  Since I am not using Windows in
a production environment I will be OK.

Thanks anyway.



-Original Message-
From: Jim Schueler [mailto:jschueler;tqis.com] 
Sent: Tuesday, November 12, 2002 9:02 PM
To: Justin Luster
Subject: RE: Using Perl END{} with Apache::Registry


Pity that the module doesn't help.

I spent many hours testing END {} block behavior in Apache::Registry and
relied heavily on logged error messages.  I cannot confirm your
hypothesis
that END {} blocks affect error reporting.

When testing code, reliable failures are important.  If it won't fail
predictably, it won't run predictably.  I recommend you double check
your assumption that It seems to be working fine.

Apache::Registry is tricky because it's there's so much uncertainty
about
the state of a process.  For example, it's impossible to determine which
sequence various scripts will run in.  One of the reasons I recommend my
Apache::ChildExit module is because otherwise, all of a process's
encountered END {} blocks are run at the end of a request, including END
{} blocks from other scripts and all modules that have been imported
over
the lifetime of the process.  Apache::ChildExit eliminates the
possibility
that unexpected or unknown END {} blocks will impact the process state
because it ensures that END {} blocks are only run when the process
terminates.

 -Jim


On Tue, 12 Nov 2002, Justin Luster wrote:

 Thanks for the reply.  Unfortunately I need the END block to run for
 every request.  I just was wondering why it altered the way error
 messages were logged.
 
 Thanks.
 
 -Original Message-
 From: Jim Schueler [mailto:jschueler;tqis.com] 
 Sent: Tuesday, November 12, 2002 2:41 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: Using Perl END{} with Apache::Registry
 
 Hello Justin.
 
 I've done a little work on a similar problem due to Apache::Registry's
 unusual treatment of END {} blocks.  You may want to take a look at
 the module I recently submitted:
 
 http://www.cpan.org/authors/id/T/TQ/TQISJIM/ChildExit_0-1.tar.gz
 
  -Jim
 
  Hi, I'm trying to use the END{ } block in my Perl Scripts to do some
  code clean up (making sure files are not locked) at the end of each
  request.  It seems to be working fine.  I'm using Apache::Registry
to
  run a regular Perl script.  I'm having a problem with error
messages.
 
  
   
  
  I have an included file that I'm requiring:
  
   
  
  require test.pl;
  
   
  
  Without the END { } block if the script cannot find test.pl I get a
  Server error 500 and an appropriate error message in the log file.
 When
  I include the END{ } block I get no Server Error and no message in
the
  log file.  It is almost as if the END{ } is overwriting the
  ModPerlRegistry error system.  
  
   
  
  Any ideas?
  
   
  
  Thanks.
 
 
 

Stylistically : To inherit, or to contain

[Clinton Gormley]

Re: Using Perl END{} with Apache::Registry

[Perrin Harkins]

Justin Luster wrote:


After doing some additional testing it appears that this problem only
occurs on my Windows machine with Apache 2.0.  I tried it on my Linux
box Apache 1.3 and things worked fine.



That's a key distinction.  Please make sure you say mod_perl 2 when 
that's what you are using.  There is actually no module called 
Apache::Registry in mod_perl 2, so I assumed you meant the 1.x series.

- Perrin

problem with session ids

[Minas]

Recently I installed the Apache::Session module on my server in order 
to give a kind of identity to my e-shop visitors, seems to work but 
generates different session ids when I reload the bellow test cgi. 
What can I do in order to have my visitor the same session id, up to 
close his web browser.

   #!/usr/bin/perl

   use CGI;
   use Apache::Session::File;

   my $query = new CGI;
   my %session;
   my $id = undef;

   $id = $query-cookie(-name=SID01);

   tie %session, 'Apache::Session::File', $id,
   { Directory = /tmp/,
   LockDirectory = /tmp/};

   if ($id == undef) {
   $cookie = $query-cookie( -name='SID01',
   -value=$session{_session_id},
   -expires='+1y',
   -path='/session');
   print $query-header(-cookie=$cookie);
   print Assigned session IDbrn;
   } else {
   print $query-header();
   print Not assigned session IDbrn;
   };

   $id = $session{_session_id};

   print htmln;
   print  headtitleSession ID/title/headn;
   print  body bgcolor=#ffn;
   print  Your session ID is $idn;
   print  /bodyn;
   print /htmln; 

thank you in advance
Minas

Re: problem with session ids

[Perrin Harkins]

Minas wrote:


Recently I installed the Apache::Session module on my server in order
to give a kind of identity to my e-shop visitors, seems to work but
generates different session ids when I reload the bellow test cgi.
What can I do in order to have my visitor the same session id, up to
close his web browser.



You're going to have to do some debugging to find out why your script 
isn't working.  You use of Apache::Session::File looks okay, except that 
you don't handle possible errors.  Check if the cookie is being set, if 
the files are being created in /tmp, etc.

- Perrin

Cleanup question

[Jan Theofel]

Hello,

I have a shop system wirtten in Perl which I now must switch to mod_perl
bevor going live. The code is written with use strict and I think it
is in biggest parts a good source. ;-)

The question I have now is, that I have to switch the error handling.
Until now, I display an error message to the users web browser and then
die(). As I know, this is not a good idea unter mod_perl, especially
because I use references on lager data structures and some objects in my
code.

I searched the web for a documentation about that topic and found some
things wwhich are somehow confusing to me. Perhaps someone of you knows
a documentation which explains who to do this properly?

Thanks for your help,
Jan Theofel

-- 
Jan Theofel  Fon: +49 (7 11) 48 90 83 - 0 
ETES - EDV-Systemhaus GbRFax: +49 (7 11) 48 90 83 - 50 
Libanonstrasse 58 A * D-70184 Stuttgart  Web: http://www.etes.de


__
Inflex - eMail Scanning and Protection
Queries to: [EMAIL PROTECTED]

Stacking ErrorDocuments OR multilevel PerlAccessHandler

[Brett Sanger]

Once upon a time there was a project that required a PerlAccessHandler
and form-based login.  This project lived in the land of mod_perl, so it
lived a happy life, with a setup something like:

Location /not-protected
  PerlHandler Apache::Registry
  SetHandler perl-script
  Options +ExecCGI
/Location
Location /requireslogin
  PerlAccessHandler My::EnforceLogin
  ErrorDocument 403 /not-protected/login.pl?rm=Bounce
  PerlHandler Apache::Registry
  SetHandler perl-script
  Options +ExecCGI
/Location

(/not-protected/login.pl is a CGI::Application-based script, which is
why I'm using Apache::Registry)

This solution worked fine, and the project was a happy creature.

Then one day the project decided to expand to include a second layer of
authorization.  Now users fell into three groups:
No requirements, login required, and logged-in-as-confirmed user.  (Any
logged in user can become a confirmed user (a one time process) by going
through a series of steps, held at, say, /requireslogin/confirm.pl.
Thus, you must be logged in before I can check that you are confirmed,
but a logged in user may or may not be a confirmed user)

I, as caretaker for the innocent little (if growing) project, wanted to
add a second access handler.  The thought was that /requiresconfirm/
could use the same My::EnforceLogin as /requireslogin/ as well as
My::EnforceConfirm.  The ErrorDocument would bounce the user to
/requireslogin/confirm.pl, and if they weren't logged in, it in turn
would bounce them to /not-protected/login.pl  

I thought this a solid and clever answer, with nice modular little bits,
and full code reuse.  Sadly, I am not as clever as I thought (again),
because a 403 on a 403 (as happens if a non-logged-in user tries to
access /requiresconfirm/) doesn't bounce twice but drops to the generic
handler. 

So now I have a few options, and I'm not sure what is the best way to go
about this.  

I've tried using an AuthenHandler with a different ErrorDocument to
handle it, but AUTH_REQUIRED began negotiations with th e browser --
undesirable.  I could make my handlers do internal redirects (a new task
for me).  I could do external redirects.  I could ask you folks if what
I originally intended can work just fine with some minor magic change. 
OR I  could just toss code reuse out and make
My::BloatedandRepetativeHandler to check for both.  The Cookbook and the
Eagle book, so far as I've discovered, don't cover cascading
errordocuments.  (at least in the Auth* chapters)

So I thought I'd check -- I can't be the first (or 1000th) to have this
issue, how is it normally handled?

Unicode and URI escaping

[Narins, Josh]

Hello wise guys.

heh.

I'm trying to URI encode UTF-8 and it's killing URI::Escape (uri_escape) and
CGI::Util (called by CGI.pm, and does _seem_ to fix itself when I put use
utf8; in the main script.

Darn, this is NOT the right list.

I've subscribed to perl-unicode.

Does Apache::Util already handle this?

Danke.


--
This message is intended only for the personal and confidential use of the designated 
recipient(s) named above.  If you are not the intended recipient of this message you 
are hereby notified that any review, dissemination, distribution or copying of this 
message is strictly prohibited.  This communication is for information purposes only 
and should not be regarded as an offer to sell or as a solicitation of an offer to buy 
any financial product, an official confirmation of any transaction, or as an official 
statement of Lehman Brothers.  Email transmission cannot be guaranteed to be secure or 
error-free.  Therefore, we do not represent that this information is complete or 
accurate and it should not be relied upon as such.  All information is subject to 
change without notice.

ANNOUNCE: Bricolage 1.4.5

[David Wheeler]

The Bricolage team is pleased to announce the release of Bricolage
1.4.5. This maintenance release fixes over 25 bugs in version 1.4.4 and,
as a bonus, makes a few significant changes that affect how it works, to
whit:

*   Categories are now displayed by their URIs instead of their 
names
wherever possible.

*   Improved error handling by the SOAP server. Full errors will now
be printed to the Apache error log, error messages sent back to
the client are properly escaped, and all database transactions
for a single request will be rolled back in the event of an
error.

Among the more important bug fixes are the following:

*   The Bricolage SOAP interface will no longer allow the creation
of stories and media with duplicate URIs.

*   The burner no longer fails when it publishes an asset that's not
on a desk.

*   SOAP now does the proper thing when deleting assets, removing
them from desks and workflow only if they're on desks and in
workflow.

*   Setting permissions on the assets in a category works again.

*   Stories, media, and templates created but not saved no longer
disappear into the void. They are instead moved into workflow,
put on a desk, and saved as soon as they were created.

*   The SOAP interface now properly logs events for its activities.

All users of earlier versions of Bricolage are encouraged to upgrade.
For a complete list of the changes, see the changes file at
https://sourceforge.net/project/shownotes.php?release_id=122230.

ABOUT BRICOLAGE

Bricolage is a full-featured, enterprise-class content management and
publishing system. It offers a browser-based interface for ease-of use,
a full-fledged templating system with complete programming language
support for flexibility, and many other features. It operates in an
Apache/mod_perl environment, and uses the PostgreSQL RDBMS for its
repository.

Learn more about Bricolage and download it from the Bricolage home page,
http://bricolage.cc/.

Enjoy!

--The Bricolage Team

Re: Cleanup question

[Stas Bekman]

Jan Theofel wrote:

Hello,

I have a shop system wirtten in Perl which I now must switch to mod_perl
bevor going live. The code is written with use strict and I think it
is in biggest parts a good source. ;-)

The question I have now is, that I have to switch the error handling.
Until now, I display an error message to the users web browser and then
die(). As I know, this is not a good idea unter mod_perl, especially
because I use references on lager data structures and some objects in my
code.

I searched the web for a documentation about that topic and found some
things wwhich are somehow confusing to me. Perhaps someone of you knows
a documentation which explains who to do this properly?


You can die() under mod_perl. See:
http://perl.apache.org/docs/1.0/guide/porting.html#die___and_mod_perl

Other relevant pages to read:
http://perl.apache.org/docs/1.0/guide/snippets.html#Redirecting_Errors_to_the_Client_Instead_of_error_log
http://perl.apache.org/docs/general/perl_reference/perl_reference.html#Exception_Handling_for_mod_perl
http://perl.apache.org/docs/general/perl_reference/perl_reference.html#Customized___DIE___hanlder


__
Stas BekmanJAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:stas;stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com