Re: header woes

2002-06-13 Thread Arnold van Kampen



Sorry,

forgot the error message:

Use of uninitialized value in join or string at (eval 9) line 16.
 [ =  my $type = $table->{'Content-type'}; ]


On Thu, 13 Jun 2002, Arnold van Kampen wrote:

> 
> 
> 
> Hi
> 
> 
>  Why do I have so much trouble doing some header parsing?
>  I am doing header parsing because I wanted to check out cookie behaviour
>  on relocation/redirection by browser.
>  I get stuck when I cannot get with the basic stuff. Clues appreciated..
>  
>  
>  I tried to go back to basics with a small script but that also seems to
>  refuse to work as I would expect.
>  
>  package Alfass::Reloc;
>  
>  use strict;
>  use Apache::Constants;
>  use Apache::Reload;
>  use CGI qw(:standard :html3 :netscape);
>  use Apache::Table;
>  
>  sub handler {
>  my $r = shift;
>  my $reason = $r->subprocess_env("AuthCookieReason");
>  my $cookie = $r->header_in('Cookie');
>  my $table = $r->headers_in;
>  my $bla ="sdadsadadadasdadadadadad";
>  my $type = $table->{'Content-type'};
> 
>  print   header,start_html,
>  h2($bla),
>  h2($type),
>  end_html;
>  
>  }
>  
>  1;
>  __END__
> 
> 
> 
> Arnold van Kampen
> 
> 




header woes

2002-06-13 Thread Arnold van Kampen




Hi


 Why do I have so much trouble doing some header parsing?
 I am doing header parsing because I wanted to check out cookie behaviour
 on relocation/redirection by browser.
 I get stuck when I cannot get with the basic stuff. Clues appreciated..
 
 
 I tried to go back to basics with a small script but that also seems to
 refuse to work as I would expect.
 
 package Alfass::Reloc;
 
 use strict;
 use Apache::Constants;
 use Apache::Reload;
 use CGI qw(:standard :html3 :netscape);
 use Apache::Table;
 
 sub handler {
 my $r = shift;
 my $reason = $r->subprocess_env("AuthCookieReason");
 my $cookie = $r->header_in('Cookie');
 my $table = $r->headers_in;
 my $bla ="sdadsadadadasdadadadadad";
 my $type = $table->{'Content-type'};

 print   header,start_html,
 h2($bla),
 h2($type),
         end_html;
 
 }
 
 1;
 __END__



Arnold van Kampen





Apache::TicketAccess

2002-05-31 Thread Arnold van Kampen



Hi

Where did it go?

Arnold




PerlWarn/AxKit - insecure dependency

2002-05-29 Thread Arnold van Kampen



Hi

I have been going through the code example on www.perl.com
(XSP, Taglibs and Pipelines)

I noticed I get a problem with
PerlWarn On
PerlTaintCheck On
in httpd.conf.
So, when I turn PerlWarn Off and PerlTaintCheck Off it works.

Main error message:
[AxKit] [Error] Insecure dependency in eval while running with -T switch
at /usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Language/XSP.pm
line 109.
 
For testing I used these
lynx -source localhost/axkit/weather1.xsp?zip=15206 | xmllint --format -
lynx -source localhost/axkit/weather1.xsp?zip=15206 




Arnold


I am using 
Apache 1.3.23 
mod_perl 1.26
AxKit 1.52
linux 2.4.10 i686 (SuSE) 


Below are 
- config files
- code example files
- error message


CONFIG FILES

# startup.pl

#!/usr/bin/perl

use lib qw(/usr/local/apache/lib/modperl);
#use lib qw("/home/kampen/lib/modperl");

use Apache::Constants;
use Apache::Registry;
use Apache::RegistryLoader;
use DBI;
use CGI qw(:all);


use DirHandle;
use strict;


$Apache::Registry::NameWithVirtualHost = 0;


my $rl = Apache::RegistryLoader->new;
my $dh = DirHandle->new("/usr/local/apache/perl") or die $!;

foreach my $file ($dh->read) {
next unless $file =~ /\.(pl|cgi)$/;

#print $STDOUT "pre-loading $file\n";


$rl->handler("/perl/$file","/usr/local/apache/perl/$file");
}


1;
__END__


# perl.conf

PerlRequire conf/startup.pl

PerlInitHandler Apache::Reload
PerlSetVar ReloadAll Off
PerlSetVar ReloadTouchFile /tmp/reload_modules
#PerlWarn On
#PerlTaintCheck On

PerlModule  AxKit
Alias /axkit/   /usr/local/apache/axkit/

SetHandler  perl-script
PerlHandler AxKit
   
AxDebugLevel 10
AxCacheDir  /tmp/axkit_cache
AxStackTraceOn   
AxGzipOutputOff

AxAddXSPTaglib AxKit::XSP::Util
AxAddXSPTaglib AxKit::XSP::Param
AxAddXSPTaglib MyTaglibs::WeatherTaglib

AxAddStyleMap application/x-xsp Apache::AxKit::Language::XSP
AxAddStyleMap application/x-xpathscript Apache::AxKit::Language::XPathScript
AxAddStyleMap text/xsl  Apache::AxKit::Language::Sablot





SetHandler  perl-script
PerlHandler MyTaglibs::WeatherTaglibs



SetHandler  perl-script
PerlHandler Test::Test



PerlModule  Apache::PerlSections


push @Alias, [ qw(/perl/ /usr/local/apache/perl/) ];

$Location{"/perl/"} = { SetHandler  =>  "perl-script",
PerlHandler =>  "Apache::Registry",
Options =>  "+ExecCGI",
PerlSendHeader  =>  "On",
PerlSetupEnv=>  "On"
};

$PerlSetVar = "Filter On" if Apache->module('Apache::Filter');

print STDERR Apache::PerlSections->dump;






##
CODE SAMPLES

weather1.xsp:






http://www.apache.org/1999/XSP/Core";
xmlns:util="http://apache.org/xsp/util/v1";
xmlns:param="http://axkit.org/NS/xsp/param/v1";
xmlns:weather="http://olddog.acon.nl/axkit_articles/weather/";
>

Mijn weer rapportage

  









weather.xsl:
---
http://www.w3.org/1999/XSL/Transform";
>

Hi! It's 


The weather in
,
 is
 and
F
(courtesy of The
Weather Channel).
  











as_html.xsl
---
http://www.w3.org/1999/XSL/Transform";
version="1.0">




















ERROR MESSAGE from logs


[notice] Apache/1.3.23 (Unix) AxKit/1.52 mod_perl/1.26 configured --
resuming normal operations
[notice] Accept mutex: sysvsem (Default: sysvsem)
[warn] [client 127.0.0.1] [AxKit] handler called for /axkit/weather1.xsp
[AxKit] checking if we process this resource
[AxKit] media: screen, preferred style: #default
Use of uninitialized value in join or string at
/usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Cache.pm line 25.
[AxKit] Cache: key = f1e3924e8ebc61f378d51b84cb5dfec0
[AxKit] getting styles and external entities from the XML
[AxKit] styles not cached - calling $provider->get_styles()
[AxKit] using XS get_styles (libxml2)
[AxKit] calling xs_get_styles_fh()
[AxKit] calling xs_get_styles_str()
[AxKit] parse_pi: href = NULL
[AxKit] parse_pi: type = application/x-xsp
[AxKit] parse_pi: href = weather.xsl
[AxKit] parse_pi: type = text/xsl
[AxKit] parse_pi: href = as_html.xsl
[AxKit] parse_pi: type = text/xsl
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Provider.pm line
256.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/site_perl/5.6

dso

2002-05-29 Thread Arnold van Kampen


Hi

Some messages ago, someone still mentioned that modperl had been
 - compiled in -, 
when describing his configuration, that he was having trouble with.

Does this mean it is still better to compile it in instead of
using mod_perl as a dso?



Arnold




Re: oddities

2002-01-24 Thread Arnold van Kampen




Only thing I myself have found so far is that I should be using the
sticky tag under textfield:
textfield(-name=>'fieldsname', -override=>1);
or use force instead of override..

Ok  I did not see that right away but I find the differences in behaviour
quite puzzling. 

Arnold van Kampen

On Sat, 12 Jan 2002, Arnold van Kampen wrote:

> 
> Hi
> 
> What could be wrong in these few lines:
> It is supposed to add 10 to the value in the textfield after each
> submission.
> I tried it on another pc too, same result.
> (one I leave alone most of the time; no messing around) 
> I also tried it under the perl directory (Apache::Registry)
> I tried using CGI 2.80 instead of the old 2.56
> I tried using hidden field, same result.
> I tried more oo like with my $q = new CGI
> The textfield entry does not work(or only 2 times!??).
> h1($bla) always shows the proper value, yet it does not appear in the
> textfield)
> The commented-out string does work repetitively as expected!
> I have been using these cgi functions for quite a while.
> This is so stupid it hurts.
> Does this look familiar to anyone?
> 
> 
> 
> package Test::Test;
> use strict;
> use CGI qw(:standard :html3);
> use Apache::Reload;
> 
> sub handler {
> my $bla= param('position') + 10;
> print header,start_html,h1('aa'),
> startform,  
> textfield(-name=>'position',-value=>$bla, -maxlength=>10),
> #"",
> h1($bla),
> submit(),
> endform,
> end_html;
> }
> 
> 1;
> __END__
> 
> 
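
The behaviour described in this message, as an added example (not code from the thread): CGI.pm form fields are "sticky", so textfield() prefers the submitted value of a same-named field over -value unless -override (or -force) is set or the parameter itself is updated first. The query string is constructed, value_of() is a hypothetical helper, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/perl
# Added example: CGI.pm "sticky" fields versus -override.
use strict;
use warnings;
use CGI;

# Return the value attribute of a generated <input> tag (hypothetical helper).
sub value_of {
    my ($html) = @_;
    my ($v) = $html =~ /\bvalue="([^"]*)"/;
    return defined $v ? $v : '(none)';
}

# Constructed request: the browser submitted position=10.
my $q   = CGI->new('position=10');
my $bla = $q->param('position') + 10;    # the value the next form should show

my @cases = (
    # Sticky: the submitted value wins over -value.
    [ 'same name, no override' => $q->textfield(-name => 'position',  -value => $bla) ],
    # -override (alias -force) makes -value win.
    [ 'same name, -override'   => $q->textfield(-name => 'position',  -value => $bla,
                                                -override => 1) ],
    # No submitted value under this name, so -value is used.
    [ 'different name'         => $q->textfield(-name => 'position2', -value => $bla) ],
);

# Alternative fix: update the parameter itself, then let stickiness do the work.
$q->param(-name => 'position', -value => $bla);
push @cases, [ 'same name, param updated' => $q->textfield(-name => 'position') ];

printf "%-26s value=%s\n", $_->[0], value_of($_->[1]) for @cases;
```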




Re: Cross-site Scripting prevention with Apache::TaintRequest

2002-01-23 Thread Arnold van Kampen



Does anybody have an example(s) of how this kind of abuse is actually
working?

All the time I have just been lucky then I guess. 

Arnold van Kampen


On Tue, 22 Jan 2002, Perrin Harkins wrote:

> > Yes and no. XSS attacks are possible on old browsers, when the charset is
> not
> > set (something which is often the case with modperl apps) and when the
> > HTML-escaping bit does not match what certain browsers accept as markup.
> 
> Of course I set the charset, but I didn't know that might not be enough.
> Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode()
> are safe?
> 
> - Perrin
> 
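
What the exchange above is about, as an added example (not code from the list or from Apache::TaintRequest): a request parameter echoed into a page unescaped, as in the td('param: '.param('position')) line of bla.cgi on this page, is parsed by the browser as markup, while the escaped form stays text, and the Content-Type header names the charset so the browser does not guess one. escape_html(), render_page() and the sample values are constructed for illustration; only core Perl is used.

```perl
#!/usr/bin/perl
# Added example: reflected output with and without HTML escaping.
use strict;
use warnings;

# Minimal escaper for the five characters that matter in element content and
# quoted attribute values. HTML::Entities::encode_entities() covers these too.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;    # absent parameter: no "uninitialized" warning
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Build the response for one request parameter; $escape selects the hardened path.
sub render_page {
    my ($position, $escape) = @_;
    my $shown = $escape ? escape_html($position)
              : defined $position ? $position : '';
    return join '',
        # Explicit charset, so the bytes escaped here are the bytes the browser decodes.
        "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n",
        "<html><body><h1>param: $shown</h1>",
        qq{<input type="text" name="position" value="$shown">},
        "</body></html>\n";
}

# Constructed sample values for the 'position' parameter (harmless markup only).
my @samples = ('20', '<b>bold</b>', '"><i>x</i>', 'Tom & Jerry', undef);

for my $value (@samples) {
    my $label = defined $value ? $value : '(undef)';
    for my $escape (0, 1) {
        my ($body) = render_page($value, $escape) =~ /\r\n\r\n(.*)\z/s;
        # The template itself opens four elements: html, body, h1, input.
        # Any additional start tag came from the parameter.
        my $tags = () = $body =~ /<[a-zA-Z]/g;
        printf "%-14s escape=%d start_tags=%d %s\n", $label, $escape, $tags,
            $tags == 4 ? 'ok' : 'parameter parsed as markup';
    }
}
```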




Re: oddities

2002-01-13 Thread Arnold van Kampen



Ok, that works!
But I never realized this before.
Quite counterintuitive.
And what about the /per/ dir...
So if you could still be so kind as to look at the code sample below:

On Sat, 12 Jan 2002, Ged Haywood wrote:

> Hi again,
> 
> On Sat, 12 Jan 2002, Arnold van Kampen wrote:
> 
> > (only the plain string works, not the function textfield() after
> > several submissions)
> 
> Try this instead of the first line in your handler:
> 
>   my $r=shift;
>   my %params = ($r->method eq 'POST') ? $r->content : $r->args;
>   my $bla = $params{'position'} + 10;
> 
> I think you'll find the second line there in the Guide somewhere.
> 
[ I tried this with ./httpd -X ]

So it is possible to create a textfield with another name and show it with
the new value. The textfield with the same name will remain unchanged! 
So textfield(-name=>position, -value=>$bla) will not accept submission
value from field with name position. 
But textfield(-name=>position2, -value=>$bla) will accept the value from
field position!
When using the string code the 'position' field will accept the new data
after submission.


I did not find these among the mysteries before..
Very strange. Is this a well known pitfall?


Arnold


#!/usr/bin/perl  
# file bla.cgi

use strict;
use CGI  qw(:standard :html3 :netscape );

CASE: {
if (defined(param('forward'))) {
$_ = param('forward');  
/^first/i and do {second_show();last CASE;};
/^second/i and do {first_show();last CASE;};

}

first_show();
}
exit 0;

sub first_show() {

my @deel_display =();

my $position = param('position');

my $ref = ref($position);

my $somename_data = param('somename');
push @deel_display, td('param: '.param('position'));
my $bla = $position + 10;
push @deel_display, td('param + 10: '.$bla);
push @deel_display, td('hidden value: '.$bla);  
push @deel_display, td(textfield(-name=>'position', -value=>$bla)); 
push @deel_display, td(textfield(-name=>'position2', -value=>$bla));
push @deel_display, td(textfield(-name=>'position3', -value=>$ref));
push @deel_display, td(hidden(-name=>'somename', -value=>$bla));

#   push @deel_display, "";

my $button_value='first';
push @deel_display, td(submit(-name=>'forward', -value=>$button_value));



print header(-pragma=>'no-cache'),
start_html(-title => 'visualise'), 
start_multipart_form(-method=>'post'),
table({-valign=>'top',border=>'1'},Tr(\@deel_display)),
endform,
end_html();

}


sub second_show {
my @deel_display =();

my $position = param('position');
push @deel_display, td('param: '.param('position'));
my $bla = $position + 10;
push @deel_display, td('param + 10: '.$bla);
push @deel_display, td(textfield(-name=>'position', -value=>$bla)); 
#   push @deel_display, "";
push @deel_display, td(submit(-name=>'forward', -value=>'second'));



print header(-pragma=>'no-cache'),
start_html(-title => 'visualise'), 
start_multipart_form(-method=>'post'),
table({-valign=>'top',border=>'1'},Tr(\@deel_display)),
endform,
end_html();


}
> 73,
> Ged.
> 




Re: oddities

2002-01-12 Thread Arnold van Kampen



[Sat Jan 12 17:06:19 2002] [notice] Apache/1.3.20 (Unix) AxKit/1.4
mod_perl/1.26 configured -- resuming normal operations
[Sat Jan 12 17:06:19 2002] [notice] suEXEC mechanism enabled (wrapper:
/usr/local/apache/bin/suexec)

linux on regular pc kernel 2.2.18
I tried the httpd -X to make sure only one child replies.
I tried another pc which I really did not touch for a long time, same
result. 
(no interfering from suexec or axkit)
(only the plain string works, not the function textfield() after several
submissions)
Also I had a slightly longer program, in which the push button would
change after submission, which it did; so no caching stuff: if the button
and the h1() changes, then the textfield should change too.
I checked the env{gateway_interface} and it said CGI-Perl/1.1 which means
it is actually handled by the apache perl interface.



Arnold


On Sat, 12 Jan 2002, Ged Haywood wrote:

> Hi there,
> 
> On Sat, 12 Jan 2002, Arnold van Kampen wrote:
> 
> > What could be wrong in these few lines:
> > It is supposed to add 10 to the value in the textfield after each
> > submission.
> 
> Sounds suspiciously like you're using Apache on a system which allows
> Apache to have many child processes, and you haven't read the Guide:
> 
> http://perl.apache.org/guide
> 
> There's a file called SUPPORT in the mod_perl distribution which gives
> you the information about what is needed in a post to the mod_perl List,
> knowing things like what OS you are using will help us a lot.
> 
> 73,
> Ged.
> 
> 




oddities

2002-01-12 Thread Arnold van Kampen


Hi

What could be wrong in these few lines:
It is supposed to add 10 to the value in the textfield after each
submission.
I tried it on another pc too, same result.
(one I leave alone most of the time; no messing around) 
I also tried it under the perl directory (Apache::Registry)
I tried using CGI 2.80 instead of the old 2.56
I tried using hidden field, same result.
I tried more oo like with my $q = new CGI
The textfield entry does not work(or only 2 times!??).
h1($bla) always shows the proper value, yet it does not appear in the
textfield)
The commented-out string does work repetitively as expected!
I have been using these cgi functions for quite a while.
This is so stupid it hurts.
Does this look familiar to anyone?



package Test::Test;
use strict;
use CGI qw(:standard :html3);
use Apache::Reload;

sub handler {
my $bla= param('position') + 10;
print header,start_html,h1('aa'),
startform,  
textfield(-name=>'position',-value=>$bla, -maxlength=>10),
#"",
h1($bla),
submit(),
endform,
end_html;
}

1;
__END__