Disabling Perl*Handlers in .htaccess?
Hello!
How to enable only PerlSetVar/PerlAddVar directives in .htaccess files?
More specific:
We are building an multiuser environment with mod_perl to our
campus. Mod_perl handlers contain especially PerlHandlers configured in
httpd.conf. The .htaccess files are used for authorization (require
user/group) and some tailoring (PerlSetVar/PerlAddVar) allowed for all
users at their home directories.
However, the security risks are quite obvious when .htaccess contains
directives like PerlHandler:
PerlHandler sub {`touch /tmp/xxx`}
How to enable only PerlSetVar/PerlAddVar directives in .htaccess files?
--
Kari Nurmela,
[EMAIL PROTECTED], (02) 333 8847 / (0400) 786 547
Making perl handlers handle non-Perl
How can I get mod_perl to handle all Apache output, whether or not it
originates with mod_perl?
I'm writing a module that needs to analyze all output generated by Apache.
That's easy enough with stacked handlers, but I'm goofing something up
with, say, static HTML.
If I do this:
Location /test
PerlHandler MyFilter
/Location
Then static HTML gets served up OK, but MyFilter doesn't seem to get
called. Or is it, and I'm screwing something up in the filter?
And of course if I do this:
Location /test
SetHandler perl-script
PerlHandler MyFilter
/Location
Then I get no output because the .html files that I'm trying to serve up
out of /test aren't Perl.
Pointers please? I've got both the Cookbook and the Eagle book if you
want to just point to a page.
Thanks,
Andy
--
%_=split/;/,.;;n;u;e;ot;t;her;c; . # Andy Lester
'Perl ;@; a;a;j;m;er;y;t;p;n;d;s;o;'. # http://petdance.com
hack;print map delete$_{$_},split//,q [EMAIL PROTECTED]
Re: Making perl handlers handle non-Perl
Andy Lester wrote: How can I get mod_perl to handle all Apache output, whether or not it originates with mod_perl? I'm writing a module that needs to analyze all output generated by Apache. That's easy enough with stacked handlers, but I'm goofing something up with, say, static HTML. If I do this: Location /test PerlHandler MyFilter /Location Then static HTML gets served up OK, but MyFilter doesn't seem to get called. Or is it, and I'm screwing something up in the filter? And of course if I do this: Location /test SetHandler perl-script PerlHandler MyFilter /Location Then I get no output because the .html files that I'm trying to serve up out of /test aren't Perl. Pointers please? I've got both the Cookbook and the Eagle book if you want to just point to a page. ok, SetHandler sets a content handler for a given Location - it supersededs everything else. unlike with normal Apache, mod_perl needs two things in order for your handler to be called: the content hander to be perl-script (for Apache) and the name of your handler with PerlHandler (for mod_perl) you probably want to do something with AddHandler instead of SetHandler AddHandler .pl perl-script you can also use Files sections instead of Location see the later part of Recipe 14.2 gets into this somewhat. Apache::MIMEMapper might also be of help since, among other things, integrates with Apache::Filter easily... HTH --Geoff
Re: Making perl handlers handle non-Perl
ok, SetHandler sets a content handler for a given Location - it supersededs
everything else.
unlike with normal Apache, mod_perl needs two things in order for your handler to be
called:
the content hander to be perl-script (for Apache) and the name of your handler with
PerlHandler (for
mod_perl)
So what we're saying is that with static .html files, there's no way for
me to get mod_perl to interject itself into Apache's chain? Or PHP for
that matter?
I want my MyFilter to process EVERYTHING that Apache spits out, whether
with mod_perl, mod_php or just reading a .html file from the filesystem,
especially the mod_php stuff.
Should I be looking at one of the later phases (cleanup?) instead of
content generation?
Thanks,
Andy
--
%_=split/;/,.;;n;u;e;ot;t;her;c; . # Andy Lester
'Perl ;@; a;a;j;m;er;y;t;p;n;d;s;o;'. # http://petdance.com
hack;print map delete$_{$_},split//,q [EMAIL PROTECTED]
Re: Making perl handlers handle non-Perl
Andy Lester wrote: ok, SetHandler sets a content handler for a given Location - it supersededs everything else. unlike with normal Apache, mod_perl needs two things in order for your handler to be called: the content hander to be perl-script (for Apache) and the name of your handler with PerlHandler (for mod_perl) So what we're saying is that with static .html files, there's no way for me to get mod_perl to interject itself into Apache's chain? Or PHP for that matter? oh, no. if you want to intercept absolutely _everything_ I suspect that SetHandler perl-script at the server level will do the trick (outside of any Location or other container directive). just make sure you have a PerlHandler My::Foo somewhere to fill in the mod_perl part, since mod_perl needs both directives to work. typically, folks don't want to intercept all requests - it's generally better to let Apache serve static files itself so that it handles stuff like HTTP/1.1 conditional headers and the like. I want my MyFilter to process EVERYTHING that Apache spits out, whether with mod_perl, mod_php or just reading a .html file from the filesystem, especially the mod_php stuff. Should I be looking at one of the later phases (cleanup?) instead of content generation? the content-generation phase should be fine. HTH --Geoff
Re: Making perl handlers handle non-Perl
Andy Lester wrote: I want my MyFilter to process EVERYTHING that Apache spits out, whether with mod_perl, mod_php or just reading a .html file from the filesystem, especially the mod_php stuff. Assuming you mean you want to look at the generated content from non-mod_perl handlers and do something with it, apache doesn't work that way. Apache 2.0 does, but that won't help you right now. You might try using a proxy server setup to do this instead. - Perrin
Re: Making perl handlers handle non-Perl
Assuming you mean you want to look at the generated content from
non-mod_perl handlers and do something with it, apache doesn't work that
way. Apache 2.0 does, but that won't help you right now. You might try
using a proxy server setup to do this instead.
THAT'S the answer I was looking for. Not what I wnated, but at least it
answers my question. :-)
So, my HTML::Lint checking is only going to work on output from the
mod_perl chain. I guess that's better than nothing, but I've got plenty
of PHP code that I'd like to filter thru it as well.
Thanks, all.
Andy
--
%_=split/;/,.;;n;u;e;ot;t;her;c; . # Andy Lester
'Perl ;@; a;a;j;m;er;y;t;p;n;d;s;o;'. # http://petdance.com
hack;print map delete$_{$_},split//,q [EMAIL PROTECTED]
Re: Making perl handlers handle non-Perl
Perrin Harkins wrote: Andy Lester wrote: I want my MyFilter to process EVERYTHING that Apache spits out, whether with mod_perl, mod_php or just reading a .html file from the filesystem, especially the mod_php stuff. Assuming you mean you want to look at the generated content from non-mod_perl handlers and do something with it, apache doesn't work that way. Apache 2.0 does, but that won't help you right now. You might try using a proxy server setup to do this instead. ah, yes. right, you can't intercept the output of other content handlers, like mod_php or mod_cgi. you can get to stuff handled by mod_perl via Apache::Filter, or stuff that would be handled by core Apache by manipulating the resource on disk directly (using $r-filename), but that's about it. at least for 1.3 (though I've always been curious how mod_gzip works with 1.3) seems I had my brain in the wrong place - thanks Perrin. --Geoff
Re: Making perl handlers handle non-Perl
Andy Lester wrote: So, my HTML::Lint checking is only going to work on output from the mod_perl chain. If you aren't terribly concerned about performance, there are several Apache::Proxy modules which should be easy to modify to put your lint checking in. Do a search for proxy on CPAN to see what's out there. - Perrin
Re: Making perl handlers handle non-Perl
Andy Lester wrote: How can I get mod_perl to handle all Apache output, whether or not it originates with mod_perl? I'm writing a module that needs to analyze all output generated by Apache. That's easy enough with stacked handlers, but I'm goofing something up with, say, static HTML. If I do this: Location /test PerlHandler MyFilter /Location Then static HTML gets served up OK, but MyFilter doesn't seem to get called. Or is it, and I'm screwing something up in the filter? And of course if I do this: Location /test SetHandler perl-script PerlHandler MyFilter /Location Then I get no output because the .html files that I'm trying to serve up out of /test aren't Perl. Pointers please? I've got both the Cookbook and the Eagle book if you want to just point to a page. Just an idea Jou could try to set a location handler for LocationMatch /* SetHandler perl-script PerlHandler My::HandleEverything /LocationMatch your handler could tie the output-handle (is this possible?) and run a subrequest. Now it could intercept the output (written to the handle) and do changes, or tidy it up, whatever you want.. And at least, it should return DECLINE, if it isn't the main-request /Just an idea I'm not sure if this will work, because of the needed tie of the outputhandle and so on, maybe anyone else can give a better statement ;))) -- Mit freundlichen Grüßen - Nico Erfurth Headlight Housingfactory GmbH Email: [EMAIL PROTECTED] -
Re: Making perl handlers handle non-Perl
Nico Erfurth wrote: your handler could tie the output-handle (is this possible?) and run a subrequest. Nope, not possible. You can only do that for mod_perl requests. - Perrin
Location Directives and Perl Handlers...
Hi folks, Another newbie question: Does it make sense to create a Location directive with a Perl Handler for each and every web transaction? I suppose more information about what the pages are doing would be helpful but I'm really just looking for some rules of thumb. I've created a site which uses a Location directive and a Handler for almost all transactions. Of course, all the pages are requesting information from a database and the pages are being generated from a simple templating scheme. I just wanted to get a feel whether or not there's other approaches to this architecture. Thanks for the replies in advance... K
Re: Location Directives and Perl Handlers...
Hi there, On Sat, 2 Feb 2002, eCap wrote: Does it make sense to create a Location directive with a Perl Handler for each and every web transaction? Well of course it all depends on what the transactions are, but as a rule I'd say probably not. A mod_perl process can consume quite a lot of resources. If you are getting a load of straight requests for image files that need no intervention from Perl then you should probably just let Apache serve them. Under a light load, most of the time it won't really matter if you're using a mod_perl process to do something which could be done by plain Apache, but if the server load goes up it will start to make a difference. If you don't have a plain Apache running to serve the requests then you'll have to use a heavy process for all requests anyway, and when the server gets busy you might start to wish you had more memory... 73, Ged.
Perl Handlers
How to set location for perl on Apache Webserver 1.3.19 Location / $how to set it for perl$ SetHandler --- Order deny,allow Deny from all Allow from myisp-provider /Location Thanks in advance, Regards, Anand
Perl Handlers and namespaces.
I ran into this problem today. I am trying to develope a small application server with a few handlers and Apache/1.3.22 . So I have something that looks like this set up in the apache conf file: Location /somewhere Limit GET POST HEAD Allow from all /Limit PerlRequire startup.pl SetHandler perl-script PerlHandler AppServer AuthName AppServer AuthType Basic PerlAuthenHandler AppServer::Auth require valid-user PerlAccessHandler AppServer::Access /Location Now, you notice that these packages are all under the same namespace. This, somehow, causes an 'Undefined subroutine AppServer::handler called.' each time the server recieves a request from a client. However, if i move the main handler into another namespace or simply rename it to foo.pm ( and adjust the apache conf file of course ) the error magically disappears. If one of the access handler or authentification handler is under the same namespace as the main handler, i always get the undefined subroutine error msg. I'm not sure why or how apache handles this or if it's a bug or if i'm just too tired and missed something somewhere else. I would appreciate someone's insight on this. Is it a bug / limitation /... ? Thanks for your time, Guillaume
Re: Perl Handlers and namespaces.
Guillaume wrote: I ran into this problem today. I am trying to develope a small application server with a few handlers and Apache/1.3.22 . So I have something that looks like this set up in the apache conf file: Location /somewhere Limit GET POST HEAD Allow from all /Limit PerlRequire startup.pl SetHandler perl-script PerlHandler AppServer AuthName AppServer AuthType Basic PerlAuthenHandler AppServer::Auth require valid-user PerlAccessHandler AppServer::Access /Location Now, you notice that these packages are all under the same namespace. This, somehow, causes an 'Undefined subroutine AppServer::handler called.' each time the server recieves a request from a client. However, if i move the main handler into another namespace or simply rename it to foo.pm ( and adjust the apache conf file of course ) the error magically disappears. If one of the access handler or authentification handler is under the same namespace as the main handler, i always get the undefined subroutine error msg. I'm not sure why or how apache handles this or if it's a bug or if i'm just too tired and missed something somewhere else. I would appreciate someone's insight on this. Is it a bug / limitation /... ? Thanks for your time, Guillaume It's a known kludge/bug: http://perl.apache.org/guide/porting.html#More_package_name_related_issues -- _ Stas Bekman JAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide http://perl.apache.org/guide mailto:[EMAIL PROTECTED] http://ticketmaster.com http://apacheweek.com http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
