Re:

Maurizio Marini 4 Oct 2002 17:32:54 -0000

On Friday 04 October 2002 12:26 pm, i.t wrote:

  >it would be helpful, if you could provide some more actual details




Hi sir,

It would be nice in general to have a module that allows to modify parameters 
passed in a post, precisely like mod_rewrite allows the change of parameters 
passed by get. Is this feasible ?

leave general case and come to my problem.


I'm developing in redhat 7.3 httpd 1.3.23-14; it's a very complex 
infrastructure with mod_pubcookie, mod_proxy and mod_rewrite
it's not easy to describe it; it's easier for me to show you the piece of code 
that in  http allowed  me to change parameter in post stuff, but not any more  
in https



int change_out_post(request_rec *r, char *username) {
   char argsbuffer[HUGE_STRING_LEN];
   int retval;


   /* checkout http_protocols.c for reading the body info */
   if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
        return retval;


   if (ap_should_client_block(r)) {
        char *p=r->connection->client->inptr;
        int len_read;
        ap_hard_timeout("copy script args", r);


                ;
                if ((p=strstr(r->connection->client->inptr, "username")) != 
NULL) {
                        memcpy( p+strlen("username="), foo, 10);
                        p=r->connection->client->inptr;
                }
                libpbc_debug("change_out_post[%d]: inptr: %s\n", __LINE__, p);
                ap_kill_timeout(r);
    }
    return(1);


}


i try to explain it:


Premise.
suppose that u want authenticate a user and after authentication u want to add 
the username to hidden parameter
beacause application on backend (we are in rev-proxy architecture) needs it as 
post parameters.


The misfact.
before autheticating using mod_pubcookie i add some hidden parameter 
initialized to null
e.g. 'username=                                                                 
  '
u can see sufficient blanks after username=, to accomodate for username value
it's a low tricky, don't blame to me!


after authetication i try to valorize username...how?!?
with strstr i search the parameter name in post area pointed (if we are in 
http!!!) by r->connection->client->inptr
i add 9 bytes to this pointer (strlen("username="))
i write the username in place of blanks
done!
this horrible trick worked until i pass to https...


Conclusion.
i fear that it's not portable (sure it doesn't work in apache 2.0!) and after 
apache
rewriting for chunked exploit all my stuff is outdated, even i've not tested it;
i write this piece of code the days before 21 June!!!


My prayer.
now, i know well that this piece of sw cannot be a solution and i seraching for 
some help to do something more robust and reliable.


thnx in advance!



--
Maurizio Marini

Re:

Reply via email to