Re: [mp2] CGI redirects incorrectly handled?
> The cause of the problem was my perl code calling flush.pl and flushing STDOUT at a point prior to it printing the response headers. Under mp2, flushing STDOUT calls mpxs_output_flush in xs/Apache/RequestIO/Apache__RequestIO.h, which in turn calls ap_rflush, which triggers creation of the HTTP header, which at this stage, prior to my script printing its 302 header, uses a 200 OK status.

Meaning no offence to the mp2 developers, I find this observed behaviour inappropriate - I recently had to develop a reverse-proxy and got bitten by undocumented semantics of this sort every so often; I had to resort to reading the source with pencil and paper like the original poster apparently did.

What is the architectural justification for not choosing one of those two behaviours about header output, and erring on the middle side:

* headers are out-of-band, and the first call to print() prepends whatever headers were set using the appropriate API (e.g. print_header() should have no effect afterwards, or maybe should set HTTP/1.1 trailers);
* headers are regular flow, and Apache / mp2 never tries to add its own ones (almost impossible to ensure under Apache / mp1).

Thanks for any insight on this topic - maybe there is a FAQ somewhere about MP2 architecture?

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 08
IDEALX
Re: sftp
> Hi everybody. Does someone know how to connect to a distant host with perl (via sftp) and copy a file from the host?

You could just launch the sftp command using system(), or better, the IPC::Run module from CPAN that was discussed here some time ago. I would be surprised to hear that there is support for doing this in pure Perl.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Off-topic-ness
> This is a diverse list with many different levels of Internet experience represented, and one off-topic post is not a big enough problem to merit banning people.

(my 0.02 Euros...)

I have to say that beyond the technical competence of people on this list (which is excellent), I'm very impressed by the kind mindset and helpfulness here. I lurk on the *BSD groups from time to time, and I happen to know that some people do enjoy much of the former, and very few of the latter... So thanks to you Perl mongers for being responsive even when *way* off-topic,

*** BUT ***

for those newbies who feel inclined to ask some random, unrelated question on *any* techie discussion group: *PLEASE* do your homework, and prefer bothering a few thousand computers (http://www.google.com/) rather than just one human. This will take the same time or less once you get used to it, and it is a matter of politeness, and maybe of resource management too.

What if the list suddenly becomes filled up with such requests, forcing members to read thousands of messages a day of which a fraction of a percent is of interest to them? Obviously they'll unsubscribe and go for another, more on-topic (read: controlled, moderated and inimical to newbies) place to discuss Perl things amongst them. And the off-topic-acceptance will be gone when you really need it, e.g. for a question that is really difficult to solve by looking up the Internet. Think of it!

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: sed error in perl Makefile.pl
> I have to rebuild my perl and go through the Configure process to tell it to ignore `hostname`, unless you know a trick for that, too!

Well, what about creating a custom shell script named hostname, making it executable, and putting it somewhere in your PATH?

    #!/bin/sh
    echo darkstar.frop.org

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: Database Pooling
> Well, it's going to be a pretty strange environment that doesn't have a database connection in every process.

Sure. And beware of connections that are returned to the pool without being rolled back, too - the app then deadlocks itself because it holds locks in the database and doesn't know it does. I get bitten by this under JDBC every so often, when an exception is thrown at the wrong time.

From the app perspective, I tend to prefer viewing database connections as singletons rather than pooled objects. This avoids lots of problems like the two above, and enables fancy extensions. For example I can simulate nested transactions even on databases that do not support them: I can say "If a transaction is open in the (unique) database connection we have, don't start a new one and just up the (app-internal) nesting counter."

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
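
The nesting counter described in the post above can be sketched as follows. This is an added example, not code from the original post: the StubHandle and SingleConnection packages are hypothetical, the stub only records calls in place of a real database handle, and rolling back the whole transaction when any inner level fails is an assumption of this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a database handle: it only records the calls it gets.
package StubHandle;
sub new        { bless { log => [] }, shift }
sub begin_work { push @{ $_[0]{log} }, 'BEGIN';    1 }
sub commit     { push @{ $_[0]{log} }, 'COMMIT';   1 }
sub rollback   { push @{ $_[0]{log} }, 'ROLLBACK'; 1 }

# Hypothetical wrapper around the single connection of the process.
package SingleConnection;
sub new {
    my ($class, $dbh) = @_;
    return bless { dbh => $dbh, depth => 0, doomed => 0 }, $class;
}

# Run $code in a transaction; inner calls only move the nesting counter.
sub txn {
    my ($self, $code) = @_;
    $self->{dbh}->begin_work if $self->{depth}++ == 0;
    my $ok  = eval { $code->(); 1 };
    my $err = $@;
    $self->{doomed} = 1 unless $ok;          # remember failures of inner levels
    if (--$self->{depth} == 0) {
        my $doomed = $self->{doomed};
        $self->{doomed} = 0;
        # The outermost level always ends the transaction, so no locks
        # stay held after an exception.
        $doomed ? $self->{dbh}->rollback : $self->{dbh}->commit;
    }
    die $err unless $ok;                     # let the caller see the error
    return 1;
}

package main;
my $dbh  = StubHandle->new;
my $conn = SingleConnection->new($dbh);
$conn->txn(sub { $conn->txn(sub { 1 }) });                      # nested, succeeds
eval { $conn->txn(sub { $conn->txn(sub { die "boom\n" }) }) };  # inner level fails
print join(' ', @{ $dbh->{log} }), "\n";
```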
Re: Database Pooling
> Sounds like you should have some more code in your finally blocks. :)

Well I don't quite like having to do that everywhere, especially in code I did not write. In Perl I only need one of them using some AUTOLOAD trickery :-).

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: Accessing configuration information
> Hi All
>
> I know I can use $r->dir_config() to access parameter values set in the config file with PerlSetVar, but is it possible to access the value of generic Apache configuration directives?

This is described in the [EagleBook] (worth your money, IMHO), and this particular chapter is available on-line:

http://modperl.com:9000/book/chapters/ch8.html

<!DOCTYPE biblioentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN">
<biblioentry>
  <abbrev>EagleBook</abbrev>
  <title>Writing Apache modules in Perl and C</title>
  <authorgroup>
    <author><firstname>Lincoln</firstname><surname>Stein</surname></author>
    <author><firstname>Doug</firstname><surname>MacEachern</surname></author>
  </authorgroup>
  <publishername>O'Reilly</publishername>
  <isbn>1-56592-567-X</isbn>
  <pagenums>724</pagenums>
  <authorblurb>
    <para>This is the <quote>eagle book</quote>, named after the beast chosen by O'Reilly to decorate the cover of the book (the cover page outlines are turquoise/light green). There is a <ulink url="http://modperl.com:9000/">companion website</ulink> too.</para>
  </authorblurb>
</biblioentry>

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: evil scripts kill the server...
> Although it never happened to me I have to fight some rumours. Is it true that you can kill the whole server, not just the script if you do something wrong with mod_perl? (I doubt it)

It depends on what wrong thing you do. In fact the worst you can do is to kill one of the mod_perl processes, not the whole server (which is multiprocess) - at least not under Unix. A new server will be spawned automatically and the clients will only notice some slowdown (and maybe the "document contains no data" message, if the server died too early).

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: asynchronous downloads
> How do I send a file asynchronously? The classic example is download sites. You click on the file you want and it generates a thank-you page for your browser and also sends the file. So what's the correct way to do this?

Use a refresh META tag on the thank-you page, that points to the requested file. Look at any download page at SourceForge to see how it is done.

Alternatively, you can return a multipart/mixed MIME message with both documents as the result of the HTTP request.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 27
IDEALX
Re: I can see Apache.pm, why can't he?
> Line 199 checks for Apache.pm and Apache::Status, thus:
>
>     if ($INC{'Apache.pm'} and Apache->module('Apache::Status'));
>
> I have both Apache.pm and Apache::Status installed.

Yes but Apache::module (which is called by Apache->module('Apache::Status')) is an XS function defined by libperl.so - it only exists when running under mod_perl. As a rule, Apache::* packages don't work outside mod_perl.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: how to pass data in internal redirects?
> I suppose that controllers would use internal redirects to call the views, is there a way to pass Perl data this way?

For the project I work on (a WWW-enabled PKI), we simply use CGI-encoded URLs. This way, we can do the controllers in Perl and the views in PHP, which is great for security (PHP is easier to sandbox) besides all other engineering advantages of MVC.

There are quite a lot of Perl modules on CPAN that are convenient for turning structured Perl data into strings and back - please read the last two weeks' worth of list archives.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: [OT-ish] Session refresh philosophy
> You've addressed the issue of someone submitting a form with altered fields to attack the server, and pointed out some more advantages, but I don't think you've addressed the issue of protecting the hidden cleartext data from others on the client side.

True. But to tackle these concerns, SSL looks like a better approach to me. If the client doesn't do any math/crypto/secret stuff at all, an attacker that is on the same subnet can both spy on secrets (egress passwords or private data, ingress session IDs or cookies) and take over sessions (just by changing IPs - no need to even hijack TCP connections since they are short-lived in HTTP) - and then there is nothing that the victim could do that the attacker cannot. The point is, secrets pass over the wire in the clear at one moment or another, so encrypting them for all transfers but the first one only earns a marginal amount of security.

This is not to say I don't enjoy using the various state storage mechanisms described in the thread. They are highly useful but I think that the encryption part of them only addresses problems on the server side and is useless under certain forms of site design.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: [OT-ish] Session refresh philosophy
> The usual objection I've heard to using form fields is the security risk of people changing hidden fields in ways unforeseen before submitting the form back, or of other people finding confidential data hidden in form fields if the user walks away and leaves their browser open, or the web page info gets hijacked somehow. Does your module address this, or is this yet another tradeoff between security and functionality/convenience?

No, this just means that input must be validated once again when the last «really, really sure?» button is depressed. Conceptually, this divides the pages of your site into two categories (not unlike the view vs. controller distinction in the Model-View-Controller paradigm for GUIs): those that just interact with the user and do the navigation, and those that actually have side effects such as writing data into your database, sending e-mails, placing orders etc.

Both page types may have form input validation code on the server side, but in the first case this is just convenience for the user (warn early and don't say woops after 9 pages and 10 minutes of typing). The latter MUST have validation for security to hold (even if this means validating twice). This way, changing hidden fields gains an attacker nothing, since he will be blocked at the final submit anyway.

Doing things this way also has other advantages e.g. interfacing: one can write automatisms with wget or LWP::UserAgent to trigger actions in the database without any further programming needed on the server side.

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
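
The split between pages that only navigate and pages that have side effects, as described in the post above, is shown here as an added example that is not part of the original post. The order form, its field names, the rules in %RULES and the in-memory @orders list standing in for a database are all assumptions constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical field rules for a constructed order form.
my %RULES = (
    item_id  => sub { $_[0] =~ /\A[0-9]{1,6}\z/ },
    quantity => sub { $_[0] =~ /\A[0-9]{1,3}\z/ && $_[0] >= 1 && $_[0] <= 100 },
    email    => sub { $_[0] =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/ },
);

# Returns the list of rejected field names (empty list means "valid").
# Missing, unknown and multi-valued parameters are all rejected.
sub validate {
    my ($params) = @_;
    my @bad;
    for my $name (sort keys %RULES) {
        my $value = $params->{$name};
        push @bad, $name
            unless defined($value) && !ref($value) && $RULES{$name}->($value);
    }
    push @bad, grep { !exists $RULES{$_} } sort keys %$params;
    return @bad;
}

# "View" page: validation is a convenience; it only feeds warnings back.
sub review_page {
    my ($params) = @_;
    my @bad = validate($params);
    return @bad ? "Please correct: @bad" : "Really, really sure?";
}

# "Controller" page: the only place with side effects, so it validates
# again and never assumes that review_page() ran first.
sub final_submit {
    my ($params, $orders) = @_;
    my @bad = validate($params);
    return "400 rejected: @bad" if @bad;
    push @$orders, { %$params };    # stand-in for the database write
    return "200 order stored";
}

# Constructed sample requests: one honest, one with edited hidden fields.
my @orders;
my %honest   = (item_id => '4711', quantity => '2', email => 'user@example.org');
my %tampered = (%honest, quantity => '-5', price => '0.01');
print review_page(\%honest), "\n";
print final_submit(\%honest,   \@orders), "\n";
print final_submit(\%tampered, \@orders), "\n";
print scalar(@orders), " order(s) stored\n";
```

Because final_submit() takes nothing but request parameters, the same entry point can be driven by a script as well as by the browser form, and it applies the same checks either way.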
Re: Dynamically serving an .htaccess file with mod_perl
> > Does anyone know of a way that I can serve the contents of an .htaccess file dynamically?
>
> Make the .htaccess file in question a FIFO, with a script on the backend that Does The Right Thing.

Whoops, you would lose big when two concurrent Apache processes attempt to access the .htaccess simultaneously... Why not rewrite AuthenHandler instead (we are on the mod_perl list, right?)

-- 
Dominique QUATRAVAUX
Senior Development Engineer
01 44 42 00 35
IDEALX
Re: Mason vs embperl
> So I installed and compared. I preferred the syntax of Mason, the flexible way to build components, the caching ... it has to be said here that I choose Mason ...

I agree, the caching is very good and one gets up and running in no time with Mason. However, I find it imposes too much of a coding style on the programmer: for example, all pages are evaluated inside the same package and thus one cannot define two normal subroutines with the same name in two different pages.

-- 
Not everything there is perfect, but the gardeners are certainly honoured there
Dominique Quatravaux [EMAIL PROTECTED]