Joe Schaefer wrote:
> Stas Bekman <[EMAIL PROTECTED]> writes:
>
>> [offlist]
>>
>> Joe Schaefer wrote:
>>
>>>> Apache/2.0.44 (Gentoo/Linux) mod_perl/1.99_09 Perl/v5.8.0 CGI.pm/2.93
>>>
>>> Attempting to read POST data before the content-handler is called is
>>> unsafe with httpd-2. You'll probably have to wait for Apache::Request
>>> to be ported over in order to do something like that.
>>
>> Why do you say that it's unsafe?
>
> I haven't looked at how CGI.pm implements this, but IIRC the problem
> with reading POST data from an auth handler is that ap_run_insert_filter
> doesn't get called until the content handler is invoked. If there
> are any request filters that are supposed to be active for the request,
> they'll be missed by CGI.pm's parse.

Good point. We need to document this and make sure that CGI.pm does the right thing. Either it needs to check some flag that is available only inside the response handler, or use the API that checks which phase we are in, which I haven't committed yet.

However, what should those do who want to devise their own custom auth handlers, not based on mechanisms provided by Apache, but using HTML forms? Perhaps we need a technique to call ap_run_insert_filter(r) early if there is a need for that? Of course developers will have to be aware of the risks. I guess if CGI.pm and Apache::Request do the right thing, then they shouldn't worry about it.

> mod_apreq.c still doesn't handle this situation quite right, but I have
> a good idea about how it should be fixed.

mod_cache.c runs it manually:

  modules/experimental/mod_cache.c: ap_run_insert_filter(r);

however it has an excuse of being run as a quick handler hook.
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
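The form-based auth handler Stas asks about, with the phase check he proposes, as an added example that is not code from this thread, from CGI.pm or from libapreq. It is written against the released mod_perl 2.0 API (Apache2::*, ModPerl::Util::current_callback), not the Apache:: namespace of the 1.99_09 build in the thread; the package name, the PerlSetVar names (AllowEarlyBodyRead, FormAuthUser, FormAuthPassword), the 8 KiB body limit and the form field names are assumptions made for the illustration. The helper refuses to read the body outside the response phase unless the admin opts in, because a body read in an earlier phase bypasses any request input filters that ap_run_insert_filter would have added; it does not try to insert the filter chain itself.

```perl
# Added example, not code from the thread, CGI.pm or libapreq. Targets the
# released mod_perl 2.0 API; package, sub and PerlSetVar names are invented.
package My::FormAuth;

use strict;
use warnings;

use Apache2::RequestRec  ();   # $r->method, $r->headers_in, $r->user
use Apache2::RequestIO   ();   # $r->read
use Apache2::RequestUtil ();   # $r->dir_config, $r->pnotes
use Apache2::Log         ();   # $r->warn, $r->log_error
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
use ModPerl::Util        ();   # current_callback()

my $MAX_FORM_BYTES = 8192;     # assumed upper bound for a login form body

# Read and parse an application/x-www-form-urlencoded body.
# Returns a hashref of fields, or undef with the reason in $@.
sub read_form_body {
    my ($r) = @_;

    # The phase check from the thread: before the response phase
    # ap_run_insert_filter has not run, so request input filters are
    # bypassed by a body read here. Refuse unless the admin opted in with
    #   PerlSetVar AllowEarlyBodyRead On
    my $phase = ModPerl::Util::current_callback();
    if ($phase ne 'PerlResponseHandler') {
        my $opt_in = lc($r->dir_config('AllowEarlyBodyRead') || '') eq 'on';
        unless ($opt_in) {
            $@ = "refusing to read the request body in $phase: "
               . "request input filters are not inserted until the response phase";
            return;
        }
        $r->warn("reading the request body in $phase; request input filters are bypassed");
    }

    my $ct = $r->headers_in->{'Content-Type'} || '';
    unless ($ct =~ m{^application/x-www-form-urlencoded\s*(?:;|$)}i) {
        $@ = "unexpected Content-Type '$ct'";
        return;
    }
    my $len = $r->headers_in->{'Content-Length'};
    unless (defined $len && $len =~ /^\d+$/) {
        $@ = "missing or non-numeric Content-Length";
        return;
    }
    if ($len > $MAX_FORM_BYTES) {
        $@ = "body of $len bytes exceeds the $MAX_FORM_BYTES byte limit";
        return;
    }

    # $r->read returns the number of bytes read, 0 at end of body.
    my $body = '';
    while (length $body < $len) {
        my $chunk;
        my $n = $r->read($chunk, $len - length $body);
        last unless $n;
        $body .= $chunk;
    }
    if (length $body != $len) {
        $@ = "short body: got " . length($body) . " of $len bytes";
        return;
    }
    return parse_urlencoded($body);
}

# Decode key=value pairs split on & or ;, with + and %XX escapes; last value wins.
sub parse_urlencoded {
    my ($body) = @_;
    my %form;
    for my $pair (split /[&;]/, $body) {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $form{$k} = $v;
    }
    return \%form;
}

# Compare two strings without leaking where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# PerlAuthenHandler: authenticate from an HTML login form. The expected
# credentials come from PerlSetVar FormAuthUser / FormAuthPassword only to
# keep the example self-contained; a real site would consult its user store.
sub handler {
    my ($r) = @_;
    return Apache2::Const::DECLINED unless $r->method eq 'POST';

    my $form = read_form_body($r);
    unless ($form) {
        $r->log_error("form auth: $@");
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }
    my $user = defined $form->{username} ? $form->{username} : '';
    my $pass = defined $form->{password} ? $form->{password} : '';
    my $ok = constant_time_eq($user, $r->dir_config('FormAuthUser')     || '')
          && constant_time_eq($pass, $r->dir_config('FormAuthPassword') || '');
    return Apache2::Const::HTTP_UNAUTHORIZED unless $ok;

    $r->user($user);
    # The body is consumed now; pass the parsed fields on through pnotes so
    # the response handler does not try to read it a second time.
    $r->pnotes(form => $form);
    return Apache2::Const::OK;
}

1;
```

Wired up with `PerlAuthenHandler My::FormAuth` and `Require valid-user` in the location's config, the handler returns 401 on every POST until the admin adds `PerlSetVar AllowEarlyBodyRead On`, which is the deliberate default: the person switching it on is the one who has to know that any request input filter configured for the location will not see this body. The response handler that runs afterwards should take the fields from `$r->pnotes('form')` rather than calling CGI.pm or Apache::Request on an already consumed body.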
