On Nov 18, 2013, at 2:02 PM, SSC_perl <p...@surfshopcart.com> wrote:

>> Surf.pm:65:             $cookie =~ Encode($cookie);
>> Surf.pm:66:             $value  =~ Encode($value);
>> Did you really mean to use the return value from Encode() as a regular 
>> expression?
> 
> 
>       Unfortunately, I can't answer this, as I wasn't the one who wrote that 
> code and I don't understand cookies.  If someone knows the answer to this, 
> I'd appreciate hearing it.


Here is the function from Surf.pm where those two lines occur:

sub SetCookies {
        my($cookie, $value, $exp_tickdate) = @_;

        if ($cookie) {
                $cookie =~ Encode($cookie);
                $value  =~ Encode($value);
                print 'Set-Cookie: ' . $cookie . '=' . $value . ';' ;
                if ($exp_tickdate) {
                        my $gmt_expdate = strftime "%a, %e-%b-%Y %H:%M:%S GMT", gmtime($exp_tickdate);
                        print " expires=$gmt_expdate;"
                }
                print "\n";
        }
}

And here is the Encode function:

sub Encode {
         my ($escape) = @_;
         my (%escapes);
         for (0..255) {
                $escapes{chr($_)} = sprintf("%%%02X", $_);
         }
         $escape =~ s/([\x00-\x20\"\&\+=#%;<>?{}|\\^~`\[\]\x7F-\xFF])/$escapes{$1}/g;
#        $escape =~ s/\s/+/g;
         return $escape;
}

So it looks like the purpose of line 66:

                $cookie =~ Encode($cookie);

is to encode special characters ("&+=#%;<>?{}|\^~`[] and \x00 through \x20 and 
\x7F through \xFF) in the cookie string. However, the variable $cookie is bound 
to the return from the Encode subroutine, not assigned to that value, and the 
encoded value is discarded.

Therefore, if your cookies contain any of the special characters, they will not 
be encoded properly.

Those lines should be changed to:

                $cookie = Encode($cookie);
                $value  = Encode($value);

Also notice that the Encode subroutine creates a 256-member hash for each 
execution, and uses that hash for each special character to be encoded. That is 
inefficient. You should create that hash one time outside of the Encode 
subroutine, or just create the encodings on the fly when a special character is 
encountered:

         $escape =~ s/([\x00-\x20\"\&\+=#%;<>?{}|\\^~`\[\]\x7F-\xFF])/sprintf("%%%02X",ord($1))/eg;

 That’s all the analysis I have time for.
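
The difference between binding and assigning in SetCookies, shown as an added example that is not part of the original message or of Surf.pm: it reuses the Encode character class with a one-time escape table and runs constructed sample values through both forms. The names encode_part, header_bound and header_assigned and the sample cookies are assumptions made for illustration; the second sample goes slightly beyond the message by showing that the bound form hands the value to the regex engine as a pattern.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape table built once, as the reply suggests, not on every call.
my %ESCAPES = map { ( chr($_), sprintf('%%%02X', $_) ) } 0 .. 255;

# Same character class as Encode() in Surf.pm.
sub encode_part {
    my ($text) = @_;
    $text =~ s/([\x00-\x20"&+=#%;<>?{}|\\^~`\[\]\x7F-\xFF])/$ESCAPES{$1}/g;
    return $text;
}

# Original form: =~ treats the encoded string as a pattern to match
# against the variable, so the variable itself is never changed.
sub header_bound {
    my ($name, $value) = @_;
    $name  =~ encode_part($name);
    $value =~ encode_part($value);
    return "Set-Cookie: $name=$value;";
}

# Corrected form: the encoded string is assigned back.
sub header_assigned {
    my ($name, $value) = @_;
    $name  = encode_part($name);
    $value = encode_part($value);
    return "Set-Cookie: $name=$value;";
}

# Constructed sample input (hypothetical, not taken from the application).
my @samples = (
    [ 'cart id', 'a b;c' ],   # space and ';' are in the escaped class
    [ 'cart',    'x(y'   ],   # '(' is not escaped, so it reaches the regex engine
);

for my $s (@samples) {
    my ($name, $value) = @$s;
    # eval traps the runtime error an invalid pattern raises in the bound form.
    my $bound = eval { header_bound($name, $value) };
    $bound = "died: $@" unless defined $bound;
    chomp $bound;
    print "input    : $name=$value\n";
    print "bound    : $bound\n";
    print "assigned : ", header_assigned($name, $value), "\n\n";
}
```

With the first sample the bound form emits the raw space and `;` in the header while the assigned form emits `cart%20id=a%20b%3Bc`; with the second, the bound form dies on an unmatched `(` because the value was compiled as a regular expression.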

