Re: header woes
Sorry, forgot the error message:

Use of uninitialized value in join or string at (eval 9) line 16.
[ = my $type = $table->{'Content-type'}; ]

On Thu, 13 Jun 2002, Arnold van Kampen wrote:

> Hi
>
> Why do I have so much trouble doing some header parsing?
> I am doing header parsing because I wanted to check out cookie behaviour
> on relocation/redirection by browser.
> I get stuck when I cannot get with the basic stuff. Clues appreciated..
>
> I tried to go back to basics with a small script but that also seems to
> refuse to work as I would expect.
>
> package Alfass::Reloc;
>
> use strict;
> use Apache::Constants;
> use Apache::Reload;
> use CGI qw(:standard :html3 :netscape);
> use Apache::Table;
>
> sub handler {
>     my $r = shift;
>     my $reason = $r->subprocess_env("AuthCookieReason");
>     my $cookie = $r->header_in('Cookie');
>     my $table = $r->headers_in;
>     my $bla ="sdadsadadadasdadadadadad";
>     my $type = $table->{'Content-type'};
>
>     print header,start_html,
>     h2($bla),
>     h2($type),
>     end_html;
>
> }
>
> 1;
> __END__
>
> Arnold van Kampen
header woes
Hi

Why do I have so much trouble doing some header parsing?
I am doing header parsing because I wanted to check out cookie behaviour
on relocation/redirection by browser.
I get stuck when I cannot get with the basic stuff. Clues appreciated..

I tried to go back to basics with a small script but that also seems to
refuse to work as I would expect.

package Alfass::Reloc;

use strict;
use Apache::Constants;
use Apache::Reload;
use CGI qw(:standard :html3 :netscape);
use Apache::Table;

sub handler {
    my $r = shift;
    my $reason = $r->subprocess_env("AuthCookieReason");
    my $cookie = $r->header_in('Cookie');
    my $table = $r->headers_in;
    my $bla ="sdadsadadadasdadadadadad";
    my $type = $table->{'Content-type'};

    print header,start_html,
    h2($bla),
    h2($type),
    end_html;

}

1;
__END__

Arnold van Kampen
Apache::TicketAccess
Hi Where did it go? Arnold
PerlWarn/AxKit - insecure dependency
Hi

I have been going through the code example on www.perl.com
(XSP, Taglibs and Pipelines)

I noticed I get a problem with
PerlWarn On
PerlTaintCheck On
in httpd.conf.

So, when I turn
PerlWarn Off
and
PerlTaintCheck Off
it works.

Main error message:

[AxKit] [Error] Insecure dependency in eval while running with -T switch at /usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Language/XSP.pm line 109.

For testing I used these

lynx -source localhost/axkit/weather1.xsp?zip=15206 | xmllint --format -
lynx -source localhost/axkit/weather1.xsp?zip=15206

Arnold

I am using
Apache 1.3.23
mod_perl 1.26
AxKit 1.52
linux 2.4.10 i686 (SuSE)

Below are
- config files
- code example files
- error message

CONFIG FILES

# startup.pl

#!/usr/bin/perl
use lib qw(/usr/local/apache/lib/modperl);
#use lib qw("/home/kampen/lib/modperl");
use Apache::Constants;
use Apache::Registry;
use Apache::RegistryLoader;
use DBI;
use CGI qw(:all);
use DirHandle;
use strict;

$Apache::Registry::NameWithVirtualHost = 0;

my $rl = Apache::RegistryLoader->new;
my $dh = DirHandle->new("/usr/local/apache/perl") or die $!;
foreach my $file ($dh->read) {
    next unless $file =~ /\.(pl|cgi)$/;
    #print $STDOUT "pre-loading $file\n";
    $rl->handler("/perl/$file","/usr/local/apache/perl/$file");
}
1;
__END__

# perl.conf

PerlRequire conf/startup.pl
PerlInitHandler Apache::Reload
PerlSetVar ReloadAll Off
PerlSetVar ReloadTouchFile /tmp/reload_modules
#PerlWarn On
#PerlTaintCheck On

PerlModule AxKit
Alias /axkit/ /usr/local/apache/axkit/

SetHandler perl-script
PerlHandler AxKit
AxDebugLevel 10
AxCacheDir /tmp/axkit_cache
AxStackTraceOn
AxGzipOutputOff
AxAddXSPTaglib AxKit::XSP::Util
AxAddXSPTaglib AxKit::XSP::Param
AxAddXSPTaglib MyTaglibs::WeatherTaglib
AxAddStyleMap application/x-xsp Apache::AxKit::Language::XSP
AxAddStyleMap application/x-xpathscript Apache::AxKit::Language::XPathScript
AxAddStyleMap text/xsl Apache::AxKit::Language::Sablot

SetHandler perl-script
PerlHandler MyTaglibs::WeatherTaglibs

SetHandler perl-script
PerlHandler Test::Test

PerlModule Apache::PerlSections

push @Alias, [ qw(/perl/ /usr/local/apache/perl/) ];
$Location{"/perl/"} = {
    SetHandler => "perl-script",
    PerlHandler => "Apache::Registry",
    Options => "+ExecCGI",
    PerlSendHeader => "On",
    PerlSetupEnv=> "On"
};
$PerlSetVar = "Filter On" if Apache->module('Apache::Filter');
print STDERR Apache::PerlSections->dump;

## CODE SAMPLES

weather1.xsp:

http://www.apache.org/1999/XSP/Core";
xmlns:util="http://apache.org/xsp/util/v1";
xmlns:param="http://axkit.org/NS/xsp/param/v1";
xmlns:weather="http://olddog.acon.nl/axkit_articles/weather/";
>
Mijn weer rapportage

weather.xsl:
---
http://www.w3.org/1999/XSL/Transform";
>
Hi! It's The weather in , is and F (courtesy of The Weather Channel).

as_html.xsl
---
http://www.w3.org/1999/XSL/Transform";
version="1.0">

ERROR MESSAGE from logs

[notice] Apache/1.3.23 (Unix) AxKit/1.52 mod_perl/1.26 configured -- resuming normal operations
[notice] Accept mutex: sysvsem (Default: sysvsem)
[warn] [client 127.0.0.1] [AxKit] handler called for /axkit/weather1.xsp
[AxKit] checking if we process this resource
[AxKit] media: screen, preferred style: #default
Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Cache.pm line 25.
[AxKit] Cache: key = f1e3924e8ebc61f378d51b84cb5dfec0
[AxKit] getting styles and external entities from the XML
[AxKit] styles not cached - calling $provider->get_styles()
[AxKit] using XS get_styles (libxml2)
[AxKit] calling xs_get_styles_fh()
[AxKit] calling xs_get_styles_str()
[AxKit] parse_pi: href = NULL
[AxKit] parse_pi: type = application/x-xsp
[AxKit] parse_pi: href = weather.xsl
[AxKit] parse_pi: type = text/xsl
[AxKit] parse_pi: href = as_html.xsl
[AxKit] parse_pi: type = text/xsl
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.6.1/i586-linux/Apache/AxKit/Provider.pm line 256.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.6
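Added example, not part of the original message and not AxKit's code: a stand-alone script that reproduces the class of error reported above ("Insecure dependency in eval while running with -T switch") and shows the usual remedy, validating the value with a regex capture before it reaches eval. The helpers untaint_zip and try_eval are hypothetical names, and the tainted zip value is constructed inside the script.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A zero-length tainted string: $^X comes from outside the program, so
# under -T anything concatenated with it is tainted too. This stands in
# for a request parameter such as the zip in the test URL.
my $TAINT = substr($^X, 0, 0);
my $zip   = '15206' . $TAINT;          # constructed sample input

# Accept a value only if it has the expected shape. A regex capture is
# how Perl hands back an untainted copy; anything else is refused.
sub untaint_zip {
    my ($raw) = @_;
    return $raw =~ /\A(\d{5})\z/ ? $1 : undef;
}

# Compile and run a code string, reporting either the result or the error.
sub try_eval {
    my ($code) = @_;
    my ($result, $err);
    eval { $result = eval $code; $err = $@; 1 } or $err = $@;
    return defined $result ? "ok: $result" : "refused: $err";
}

print "raw value tainted? ", (tainted($zip) ? "yes" : "no"), "\n";

# Code text built from the tainted value is itself tainted: eval refuses it.
print try_eval(qq{"zip is " . "$zip"}), "\n";

# After validation the same code text is clean and runs.
my $clean = untaint_zip($zip);
print "clean value tainted? ", (tainted($clean) ? "yes" : "no"), "\n";
print try_eval(qq{"zip is " . "$clean"}), "\n";

# A value with the wrong shape is rejected instead of being laundered.
my $bad = untaint_zip('15206 and more' . $TAINT);
print "malformed value accepted? ", (defined $bad ? "yes" : "no"), "\n";
```

Run it as `perl -T script.pl`; Perl refuses a `-T` shebang when the switch is missing from the command line.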
dso
Hi Some messages ago, someone still mentioned that modperl had been - compiled in -, when describing his configuration, that he was having trouble with. Does this mean it is still better to compile it in instead of using mod_perl as a dso? Arnold
Re: oddities
Only thing I myself find so far is that I should be using the sticky tag
under textfield:

textfield(-name=>'fieldsname', -override=>1);

or use force instead of override..

Ok I did not see that right away but I find the differences in behaviour
quite puzzling.

Arnold van Kampen

On Sat, 12 Jan 2002, Arnold van Kampen wrote:

> Hi
>
> What could be wrong in this few lines:
> It is supposed to add 10 to the value in the textfield after each
> submission.
> I tried it on another pc too, same result.
> (one I leave alone most of the time; no messing around)
> I also tried it under the perl directory (Apache::Registry)
> I tried using CGI 2.80 instead of the old 2.56
> I tried using hidden field, same result.
> I tried more oo like with my $q = new CGI
> The textfield entry does not work(or only 2 times!??).
> h1($bla) always shows the proper value, yet it does not appear in the
> textfield)
> The outcommented string does work repetitively as expected!
> I have been using these cgi functions for quite a while.
> This is so stupid it hurts.
> Does this look familiar to anyone?
>
> package Test::Test;
> use strict;
> use CGI qw(:standard :html3);
> use Apache::Reload;
>
> sub handler {
>     my $bla= param('position') + 10;
>     print header,start_html,h1('aa'),
>     startform,
>     textfield(-name=>'position',-value=>$bla, -maxlength=>10),
>     #"",
>     h1($bla),
>     submit(),
>     endform,
>     end_html;
> }
>
> 1;
> __END__
Re: Cross-site Scripting prevention with Apache::TaintRequest
Does anybody have an example(s) of how this kind of abuse is actually
working?
All the time I have just been lucky then I guess.

Arnold van Kampen

On Tue, 22 Jan 2002, Perrin Harkins wrote:

> > Yes and no. XSS attacks are possible on old browsers, when the charset is
> > not set (something which is often the case with modperl apps) and when the
> > HTML-escaping bit does not match what certain browsers accept as markup.
>
> Of course I set the charset, but I didn't know that might not be enough.
> Does anyone know if Apache::Util::escape_html() and HTML::Entities::encode()
> are safe?
>
> - Perrin
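Added example, not part of the original thread: the two defences the quoted messages mention, applied together to a value that comes from the request (a header or form field, as in the handlers posted elsewhere on this page). It assumes the HTML::Entities module is installed; render_page is a hypothetical helper and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Build a complete CGI-style response for a value taken from the request.
sub render_page {
    my ($label, $value) = @_;
    $value = '' unless defined $value;   # absent header: no "uninitialized" warning

    # Escape the characters that are significant in HTML text and in
    # quoted attribute values. Naming the set explicitly leaves non-ASCII
    # text alone, which is safe because the charset is declared below.
    my $unsafe     = q{<>&"'};
    my $safe_label = encode_entities($label, $unsafe);
    my $safe_value = encode_entities($value, $unsafe);

    # Declare the charset so the browser does not guess an encoding
    # under which other byte sequences could be read as markup.
    return "Content-Type: text/html; charset=utf-8\r\n\r\n"
         . "<html><body>\n"
         . "<h2>$safe_label</h2>\n"
         . "<p>$safe_value</p>\n"
         . qq{<input type="text" name="echo" value="$safe_value">\n}
         . "</body></html>\n";
}

# Constructed sample inputs, not taken from a real request.
my @samples = (
    [ 'Content-type', 'text/plain' ],
    [ 'Cookie',       'id=1"><b>markup</b>' ],
    [ 'Missing',      undef ],
);
print render_page(@$_), "\n" for @samples;
```

In the second sample the quote and angle brackets come out as `&quot;`, `&lt;` and `&gt;`, so the value stays inside the attribute and the paragraph as text.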
Re: oddities
Ok, that works!
But I never realized this before. Quite counterintuitive.
And what about the /per/ dir...
So if you could still be so kind as to look at the code sample below:

On Sat, 12 Jan 2002, Ged Haywood wrote:

> Hi again,
>
> On Sat, 12 Jan 2002, Arnold van Kampen wrote:
>
> > (only the plain string works, not the function textfield() after
> > several submissions)
>
> Try this instead of the first line in your handler:
>
> my $r=shift;
> my %params = ($r->method eq 'POST') ? $r->content : $r->args;
> my $bla = $params{'position'} + 10;
>
> I think you'll find the second line there in the Guide somewhere.
>

[ I tried this with ./httpd -X ]

So it is possible to create a textfield with another name and show it
with the new value.
The textfield with the same name will remain unchanged!
So textfield(-name=>position, -value=>$bla) will not accept submission
value from field with name position.
But textfield(-name=>position2, -value=>$bla) will accept the value from
field position!
When using the string code the 'position' field will accept the new data
after submission.
I did not find these among the mysteries before..
Very Strange.

Is this a well known pitfall?

Arnold

#!/usr/bin/perl
# file bla.cgi
use strict;
use CGI qw(:standard :html3 :netscape );

CASE: {
    if (defined(param('forward'))) {
        $_ = param('forward');
        /^first/i and do {second_show();last CASE;};
        /^second/i and do {first_show();last CASE;};
    }
    first_show();
}
exit 0;

sub first_show() {
    my @deel_display =();
    my $position = param('position');
    my $ref = ref($position);
    my $somename_data = param('somename');
    push @deel_display, td('param: '.param('position'));
    my $bla = $position + 10;
    push @deel_display, td('param + 10: '.$bla);
    push @deel_display, td('hidden value: '.$bla);
    push @deel_display, td(textfield(-name=>'position', -value=>$bla));
    push @deel_display, td(textfield(-name=>'position2', -value=>$bla));
    push @deel_display, td(textfield(-name=>'position3', -value=>$ref));
    push @deel_display, td(hidden(-name=>'somename', -value=>$bla));
    # push @deel_display, "";
    my $button_value='first';
    push @deel_display, td(submit(-name=>'forward', -value=>$button_value));
    print header(-pragma=>'no-cache'),
    start_html(-title => 'visualise'),
    start_multipart_form(-method=>'post'),
    table({-valign=>'top',border=>'1'},Tr(\@deel_display)),
    endform,
    end_html();
}

sub second_show {
    my @deel_display =();
    my $position = param('position');
    push @deel_display, td('param: '.param('position'));
    my $bla = $position + 10;
    push @deel_display, td('param + 10: '.$bla);
    push @deel_display, td(textfield(-name=>'position', -value=>$bla));
    # push @deel_display, "";
    push @deel_display, td(submit(-name=>'forward', -value=>'second'));
    print header(-pragma=>'no-cache'),
    start_html(-title => 'visualise'),
    start_multipart_form(-method=>'post'),
    table({-valign=>'top',border=>'1'},Tr(\@deel_display)),
    endform,
    end_html();
}

> 73,
> Ged.
Re: oddities
[Sat Jan 12 17:06:19 2002] [notice] Apache/1.3.20 (Unix) AxKit/1.4 mod_perl/1.26 configured -- resuming normal operations
[Sat Jan 12 17:06:19 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)

linux on regular pc
kernel 2.2.18

I tried the httpd -X to make sure only one child replies.
I tried another pc which I really did not touch for a long time, same
result. (no interfering from suexec or axkit)
(only the plain string works, not the function textfield() after
several submissions)
Also I had a slightly longer program, in which the push button would
change after submission, which it did; so no caching stuff: if the button
and the h1() changes, then the textfield should change too.
I checked the env{gateway_interface} and it said CGI-Perl/1.1
which means it is actually handled by the apache perl interface.

Arnold

On Sat, 12 Jan 2002, Ged Haywood wrote:

> Hi there,
>
> On Sat, 12 Jan 2002, Arnold van Kampen wrote:
>
> > What could be wrong in this few lines:
> > It is supposed to add 10 to the value in the textfield after each
> > submission.
>
> Sounds suspiciously like you're using Apache on a system which allows
> Apache to have many child processes, and you haven't read the Guide:
>
> http://perl.apache.org/guide
>
> There's a file called SUPPORT in the mod_perl distribution which gives
> you the information about what is needed in a post to the mod_perl List,
> knowing things like what OS you are using will help us a lot.
>
> 73,
> Ged.
oddities
Hi

What could be wrong in this few lines:
It is supposed to add 10 to the value in the textfield after each
submission.
I tried it on another pc too, same result.
(one I leave alone most of the time; no messing around)
I also tried it under the perl directory (Apache::Registry)
I tried using CGI 2.80 instead of the old 2.56
I tried using hidden field, same result.
I tried more oo like with my $q = new CGI
The textfield entry does not work(or only 2 times!??).
h1($bla) always shows the proper value, yet it does not appear in the
textfield)
The outcommented string does work repetitively as expected!
I have been using these cgi functions for quite a while.
This is so stupid it hurts.
Does this look familiar to anyone?

package Test::Test;
use strict;
use CGI qw(:standard :html3);
use Apache::Reload;

sub handler {
    my $bla= param('position') + 10;
    print header,start_html,h1('aa'),
    startform,
    textfield(-name=>'position',-value=>$bla, -maxlength=>10),
    #"",
    h1($bla),
    submit(),
    endform,
    end_html;
}

1;
__END__