Re: [Catalyst] Re: New Catalyst Release on CPAN!

2013-06-21 Thread Evan Carroll
> What I don't believe in is running off for two years to try and cut a
> branch of catalyst with 'perfect' unicode in it and then try to dump it on
> the community all at once (and likely fail due to compatibility issues).  I
> don't believe that will work.  So let's start a conversation about unicode
> in Catalyst, and what are the use cases we need for this to be great.
> Evan, since you seem to have some experience with this, I'd love your
> thoughts.


Perl's Unicode handling has never been clearly understood by me but I just
go along with the flow. Sometimes I find myself marking strings as Unicode.
Sometimes I find myself re-encoding things from Unicode to Unicode. And,
sometimes I find myself validating that what Perl thinks is Unicode is
really what other less liberal Unicode implementations will accept.

I can say this, in any conceivable case where compromise in /support/ of
non-Unicode results in more difficulty for Unicode use, I'll take the
former.

--
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] New Catalyst Release on CPAN!

2013-06-13 Thread Evan Carroll
> But the quick summary includes UTF8 support out of the box, support for event
> loops and async code (including goodies like Websockets, and all that stuff)
> as well as the usual assortment of documentation fixes and related dependency
> fixes.

I wish people would stop saying that in such a vague fashion. It seems
as if there is no such thing as UTF-8 out of the box. Every time it
comes up and someone requests it, I see a very complex and detailed
message by a UTF-8 wizard about why it's not possible and why such a
request is a stupid one. Then a few months later, I see people
claiming it's been done in some niche area.

There is Catalyst::Plugin::Unicode::Encoding
And, Catalyst::Plugin::Unicode

What's wrong with those two, and what does the core magically do now?

--
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



Re: [Catalyst] TT2 multiple subtemplates

2011-08-10 Thread Evan Carroll
The idea behind WRAPPER is that one of these includes is magical (CONTENT)

TOP
[% CONTENT %]
BOTTOM

That's not to say you can't have more complex wrappers with INCLUDES or PROCESS

TOP
[% CONTENT %]
[% INCLUDE foo.tt %]
BOTTOM

It just means that the content being WRAPPED is the destination
template, and TT will use the WRAPPER as a post-processor of sorts.
Now, if you want something like this:

TOP
[% CONTENT %]
[% INCLUDE $foo %]
BOTTOM

Where `$foo` is set in whatever template CONTENT targets.. you can do
that too, though I wouldn't know the exact syntax. It'd probably
consist of setting

DEFAULT foo = 'right_content.tt';

In the CONTENT template.

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



Re: [Catalyst] .part file downloading while login/logout

2011-01-13 Thread Evan Carroll
On Thu, Jan 13, 2011 at 2:04 AM, mani kandan manimani1...@gmail.com wrote:
> I have created a catalyst web application, it is working fine. But the
> problem I am facing is, when I click login it's asking to save .part file,
> the same problem while logout.

I'm taking a wild guess, but on success you're forwarding to, or just
serving outright, something being served as non `text/*` for the
mime-type. And, your browser (probably Firefox) is storing the file as
*.part until it gets EOF from the stream when it would rename the file
to having been downloaded. The .part is just usually a browser trick.
It's a temporary store the browser will attempt a resume with. They're
also easily deleted as uncompleted download trash...

-- 
Evan Carroll - e...@dealermade.com
System Lord of the Internets - Dealermade
web: http://www.dealermade.com
ph: 888.403.9143



Re: [Catalyst] elegant, Mark Beihoffer has invited you to open a Gmail account

2010-10-22 Thread Evan Carroll
You rock, thanks.

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011


[Catalyst] Organizing link generators

2010-10-22 Thread Evan Carroll
My view often needs to generate complex links for chained actions.
Does anyone have a better way of doing this than recreating the link
generators in the controller?

$c->stash->{generate_link_edit} = sub {
  my $vin = shift;
  $c->uri_for_action(
    '/auth/company/lot/vin/edit'
    , [
      $c->stash->{chained_company_id}
      , $c->stash->{chained_lot_id}
      , $vin
    ]
    , ()
  );
};

$c->stash->{generate_link_vehicle_add} = sub {
  $c->uri_for_action(
    '/auth/company/lot/inventory/add'
    , [
      $c->stash->{chained_company_id}
      , $c->stash->{chained_lot_id}
    ]
    , ()
  );
};

I'm speaking fairly abstract, how do you generate links in views to
controllers with chained actions?

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



[Catalyst] Patch for

2010-08-06 Thread Evan Carroll
I have a patch for: Catalyst::Plugin::Static::Simple, this allows you
to override the files extension, or provide the content_type in the
call to serve_static. Tests and POD included.

html:
http://github.com/EvanCarroll/Catalyst-Plugin-Static-Simple/compare/2b8647c57e9e4dba71b6...793a70075985b6493868

raw:
http://github.com/EvanCarroll/Catalyst-Plugin-Static-Simple/compare/2b8647c57e9e4dba71b6...793a70075985b6493868.patch

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



[Catalyst] Cross-link: How do I turn Moose objects into JSON for use in Catalyst?

2010-08-03 Thread Evan Carroll
I've posted a question and a few possible fixes. Does anyone have
anything to add here? How do you go about dumping Moose to JSON in
Cat?

http://stackoverflow.com/questions/3391967/how-do-i-turn-moose-objects-into-json-for-use-in-catalyst

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



Re: [Catalyst] Cross-link: How do I turn Moose objects into JSON for use in Catalyst?

2010-08-03 Thread Evan Carroll
> The documentation isn't clear on how, but this implies some combination of
> these flags (probably setting both to true) should do the encoding the
> reference as if it weren't blessed thing.

No, allow_blessed(1) means it will not die, it will instead print out
the totally useless string 'null'. This is technically allowing a
blessed scalar. However, convert_blessed, is a total misnomer as
nothing is /converted/. All that happens is the method TO_JSON is
called.

ecarr...@rda:~$ perl -MJSON::XS -E'my $o = bless { foo=>'bar' }; say JSON::XS->new->encode( $o );'
encountered object 'main=HASH(0x7b8df0)', but neither allow_blessed
nor convert_blessed settings are enabled at -e line 1.

ecarr...@rda:~$ perl -MJSON::XS -E'my $o = bless { foo=>'bar' }; say JSON::XS->new->allow_blessed(1)->encode( $o );'
null
ecarr...@rda:~$ perl -MJSON::XS -E'my $o = bless { foo=>'bar' }; say JSON::XS->new->allow_blessed(1)->convert_blessed(1)->encode( $o );'
null

In this example the object is blessed in the default package main,
where TO_JSON is called.

ecarr...@rda:~$ perl -MJSON::XS -E'my $o = bless { foo=>'bar' }; sub TO_JSON { hi }; say JSON::XS->new->allow_blessed(1)->convert_blessed(1)->encode( $o );'
hi


But yes, ideally /convert_blessed/ would do what I want rather than
just call a sub that expects me to do it. My handy old XXX.pm does
this right:

ecarr...@rda:~$ perl -E'my $o = bless { foo=>'bar' }; use XXX; XXX $o'
--- !!perl/hash:main
foo: bar
...
  at -e line 1

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011
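
What `convert_blessed` plus a hand-written `TO_JSON` gives for nested objects, as an added example (not code from this thread or from JSON::XS). The `Lot` and `Vehicle` classes and their data are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::XS ();

# Hypothetical plain-hash classes standing in for application objects.
package Vehicle {
    sub new { my ( $class, %attr ) = @_; return bless {%attr}, $class }

    # convert_blessed only calls this method; building the unblessed
    # structure is left to the class. Here: a shallow copy of the hash.
    sub TO_JSON { my ($self) = @_; return +{ %$self } }
}

package Lot {
    sub new { my ( $class, %attr ) = @_; return bless {%attr}, $class }

    # The copy still holds Vehicle objects; the encoder calls their
    # TO_JSON in turn when it reaches them.
    sub TO_JSON { my ($self) = @_; return +{ %$self } }
}

package main;

# Encode and report a failure as a string instead of dying.
sub try_encode {
    my ( $json, $data ) = @_;
    my $out = eval { $json->encode($data) };
    return defined $out ? $out : 'died: ' . ( split /\n/, $@ )[0];
}

# Constructed sample data.
my $lot = Lot->new(
    id       => 5,
    vehicles => [
        Vehicle->new( vin => 'CONSTRUCTED-VIN-1' ),
        Vehicle->new( vin => 'CONSTRUCTED-VIN-2' ),
    ],
);

# The three encoder settings discussed in the message above.
my @cases = (
    [ 'no flags'        => JSON::XS->new->canonical ],
    [ 'allow_blessed'   => JSON::XS->new->canonical->allow_blessed(1) ],
    [ 'convert_blessed' => JSON::XS->new->canonical->convert_blessed(1) ],
);

for my $case (@cases) {
    my ( $label, $json ) = @$case;
    printf "%-16s %s\n", $label, try_encode( $json, $lot );
}
```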



Re: [Catalyst] Cross-link: How do I turn Moose objects into JSON for use in Catalyst?

2010-08-03 Thread Evan Carroll
On Tue, Aug 3, 2010 at 12:34 PM, Stuart Watt sw...@infobal.com wrote:
> You're right - I just checked the sources and there is no valid code for
> this case, despite the implication of the documentation. I'd be tempted to
> file a bug against JSON::XS, as at least the pod is wrong. I guess it got
> too hard, as blessedness does not require a thing to be a hashref. Looks
> like a fairly straightforward test case and patch, though.

I filed a bug report (feature request) for real object dumping
https://rt.cpan.org/Ticket/Display.html?id=60050

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



Re: [Catalyst] Cross-link: How do I turn Moose objects into JSON for use in Catalyst?

2010-08-03 Thread Evan Carroll
It also appears as if YAML::Syck does this very well:

perl -MJSON::Syck -MURI -E'say JSON::Syck::Dump( bless { foo => URI->new("http://www.evancarrol.com") } )'

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



[Catalyst] Catalyst-Plugin-Params-Nested rt 59604

2010-07-27 Thread Evan Carroll
Is C:P:P:N still maintained? I filed a bug on CPAN, next day I heard a
request for a patch. I provided a patch, and I haven't heard anything
back. If anyone is maintaining it, can I get co-maint to apply my
patch?

Find more information about the issue and the patch set here:
https://rt.cpan.org/Public/Bug/Display.html?id=59604

-- 
Evan Carroll - m...@evancarroll.com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011



Re: jqGrid Help ( was: Re: [Catalyst] Nonsensical Problem with DBIx ResultSet )

2010-07-12 Thread Evan Carroll
On Mon, Jul 12, 2010 at 12:31 PM, Kyle Hall kyle.m.h...@gmail.com wrote:
> I've found it to be fantastic so far, but now I cannot get any versions of
> the search to work. I would prefer the toolbar search, but right now I'd be
> happy to have any of them.


DataTables search is awesome ;) Switch over. It also works with around
vanilla HTML for those that don't have javascript capable browsers.
Also better for SEO.

-- 
Evan Carroll
System Lord of the Internets



Re: jqGrid Help ( was: Re: [Catalyst] Nonsensical Problem with DBIx ResultSet )

2010-07-08 Thread Evan Carroll
On Thu, Jul 8, 2010 at 12:45 PM, Kyle Hall kyle.m.h...@gmail.com wrote:
> I figured it out. I simply had to include grid.locale-en.js *before*
> jquery.jqGrid.min.js. Again, thanks for the help.

How is jqGrid working out for you? I was just reviewing grids.. I'm
not too thrilled with its feature set, it doesn't seem to be able to
transform static HTML-tables.

-- 
Evan Carroll
System Lord of the Internets



[Catalyst] Chained actions with can't terminate with :PathPart('') ?

2010-05-07 Thread Evan Carroll
I have two destinations in my Catalyst app

/auth/company/5/lot
/auth/company/5/lot/5

This works and is often seen in Catalyst apps to achieve this effect.
sub lot :Chained('/auth/company') :CaptureArgs(1) {
sub view_lot :Chained('/auth/company') :PathPart('') :Args(1) {

However, I would also expect the below to work; but, it seems it doesn't. I
can only formulate the effect I want the above way. This is
unfortunate because if all chained descendants of `lot` utilize a
check provided here in the chain, then shouldn't `view_lot` also get
to utilize that code? It would certainly be nice to eliminate
redundant code here.
sub lot :Chained('/auth/company') :CaptureArgs(1) {
sub view_lot :Chained('/auth/company/lot') :PathPart('') :Args(0) {

I think it is also confusing to those that first encounter it.

I always know that I could just call it /view, and be done with it, but still.
/auth/company/5/lot/5/view rather than, /auth/company/5/lot/5

But, I just wanted to know what others thought of this.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-12 Thread Evan Carroll
> I don't know what the fix is -- it seems like doc or code would work.

The patch is already on github, it needs tests and some other
qualifications before it gets accepted.

-- 
Evan Carroll
System Lord of the Internets



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-11 Thread Evan Carroll
On Sun, Apr 11, 2010 at 12:31 AM, Andrew Rodland
and...@cleverdomain.org wrote:
> Please, make some more public insults.

Your modus operandi consists of acting authoritative and aggressive in
the hopes of soliciting a negative reaction. I've never seen you be so
direct before.

> I would be even further entertained if you would make more sweeping
> declarations about modules you didn't even read the documentation for and
> have never used in your life

Would you point to a single accusation that I've been wrong on in this
entire thread?

> and submitted some more patches that duplicate functionality poorly.

Feel free to speak your points with patches at your own expense in
time: I did. I also don't appreciate you calling my contributions
poor, or anyone else's for that matter.

> You can put on a show all you like for these people. If you keep it up, you
> can even get me to quit just to avoid your toxic presence. But I know you far
> too well.

You're going to quit what? Mailing list? Thread? Community involvement?
Development with Catalyst? Just because you entered into a
conversation where you have, so far as I can see, given me little but
insults. Ok, let's start the show and select only statements from
Andrew Rodland's (hobbs) posts *on this thread about the issue I filed
on RT.* We can start with one from this letter:

-- Last post
Please, make some more public insults.
You'll never convince me that you're doing anything but trolling.
On that topic, when did you stop being banned on this list? I'm
guessing never.
-- April 10
* complexity of storing them separately
* Why would you add duplicate functionality that's inferior to
what it duplicates?

-- March 24 (first post, and your personal introduction to the topic)
* It would be if anything you said were true; fortunately it's not
* both available methods of doing salted passwords with ...
  Catalyst::Plugin::Authentication do salt entirely the correct way.
* Your unnecessary and condescending lectures are, however, greatly
  appreciated as usual.

Ok, March 24, was kind of dude, I probably should have just block
quoted the whole response rather than breaking it up into ad hominem
statements. I still have your original response from RT.

-- RT March 24
* I have no idea what distribution you intended to file this bug
against, but
  it's obviously not the one you *did* file against, which does nothing even
  vaguely resembling reading salt from a config file.

Yea, I'm putting on a show: I'm calling you out. That's me being
direct. I've acted hostile to you in the past to my own detriment. In
my own mind - and maybe I'm wrong -- I doubt there are many unbiased
readers sitting on your side. Oh, and I've never been banned from this
list, not even for a second, perhaps you're confusing me for someone
else? By any means, wrong again.

With love,

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-10 Thread Evan Carroll
> Why would you want the complexity of storing them separately when you could do
> it the way every other system on the planet does it? Why would you add
> duplicate functionality that's inferior to what it duplicates?

The crypt method might be popular in some applications and in some
libraries; but, it looks to be more code here, and more complexity.

How do you use the crypt message in Bash? How do you, from your DB,
use the crypt method? How would you interface PHP or some other
horridly crappy language into this? Just the work of finding a
respective crypt module looks worse than this:

 use Digest::SHA qw(sha1_hex);
 sha1_hex( input.password . row.salt ) eq row.salthash

 vs, what?

 use Crypt::SaltedHash;
 my $csh = Crypt::SaltedHash->new('algorithm' => 'SHA-1' );
 $csh->validate( row.salthash, input.password, 4 );

Using my method, all I need is a sha1 hash function. This isn't the
best hash, but it works fairly well.

Also, I should point out that Crypt::SaltedHash permits the same
stupid idea of a static, non-random salt set up in the constructor.
This makes it slightly more fishy: why would you ever want to use this
module to do what I just did without it?

# salt: You can specify your own salt. You can either specify it as a
sequence of characters or as a hex encoded string of the form
HEX{...}. If the argument is missing, a random seed is provided for
you (recommended).

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-10 Thread Evan Carroll
On Sat, Apr 10, 2010 at 5:37 PM, Andrew Rodland and...@cleverdomain.org wrote:
> That's not why that argument exists, that's not how it gets used, and that's
> not how C::A::Cred::Password uses it. If you'd thought for half a second, it
> might have occurred to you that that calling convention actually exists to
> support exactly what you're asking for -- storing the hash and salt separately
> for some bizarre reason despite that each is entirely useless without the
> other.

That documentation wasn't from C:A:Cred:Password, it was from
Crypt::SH. And, I'm not sure why you would want to use that module IF
you're doing things my way (please read previous post). With that
said, I'd assume you're right, and that is what the intention is; but,
it certainly doesn't seem to make the task at hand any more simple.
I'm really only siding with you, because the alternative is to remove
the benefit of doubt and assume that the intention was to permit a
static salt for all applications of Crypt:SH.

Storing things separate is a bad thing? It's actually 1NF.

I gave you the bizarre reason for my doing this: you've chosen not
to address it on the merits. I've also thought for half a second: and,
Andrew, I think you should stop responding to my posts. Your inability
to behave in a civil fashion is annoying and unbecoming. And, to boot
every time you've addressed me on these threads *you've* been wrong.

With love,

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-09 Thread Evan Carroll
> As far as I can tell, the whole point of this patch is aimed at the 'hashed'
> password case only (rather than 'salted_hash').

The vulnerability was never against salted_hash. I've since learned
what Crypt::SaltedHash is; I just don't believe I have a reason to use
it. Why would I want to use something that serializes the hash and
password into one database column when I can simply store them
separately?

Now, I have everything I want running locally.

-- 
Evan Carroll
System Lord of the Internets



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-09 Thread Evan Carroll
> This is actually a very unhelpful way to supply patches, as it makes the
> maintainer have to do a whole chunk of work to get at your patch. As such,
> given limited time, I haven't looked..

Here is the patch range for review:
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/compare/f3848f59f08687623cee58a3e5e392491890978b...133341ba8f45fecc3899fe41cc85e92fd20482cb

Here are the 4 text diffs:
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commit/59b2438ca637b7478068f9b1e8aead6772aaa5cf.diff
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commit/4fae3ba9a5d37ede39e8c351200dd60d8b584f6f.diff
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commit/e0215b2bc93a2c5cf78a48c9b67fe5ef5196d918.diff
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commit/133341ba8f45fecc3899fe41cc85e92fd20482cb.diff

GitHub also now has SVN support:
http://github.com/blog/626-announcing-svn-support

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Outcome of the Security issue with hashed passwords in C:P:A:Password?

2010-04-08 Thread Evan Carroll
Gah, I posted the wrong URL.. If only we moved our mailing list to
AOL, I could undo the send.

http://github.com/EvanCarroll/Catalyst-Plugin-Authentication

Anyway, that's the repo -- Find the commits here:
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commits/master

I'm not sure who has maint on C:P:A - I'd be happy to make a release though.

-- 
Evan Carroll
System Lord of the
http://www.evancarroll.com



Re: [Catalyst] How to extend authentication to use other DB fields?

2010-03-25 Thread Evan Carroll
> I would like to extend my authentication to accept other fields:
> with $c->authenticate({ fileld1 => [..], field2 => [...], fieldd => [...] });

...

> Do I have to create my own Catalyst::Authentication::Credential plugin?

No, it already does that... per the docs:

The first, and most common, method is simple retrieval. As its name
implies simple retrieval allows you to simply to provide the
column => value pairs that should be used to locate the user in
question. An example of this usage is below:

-- 
Evan Carroll
System Lord of the Internets



[Catalyst] Re: Security issue with hashed passwords in C:P:A:Password

2010-03-24 Thread Evan Carroll
:re from rt

> So use salted_hash which uses Crypt::SaltedHash.
> Or, set the salt to a random value on each request.

I think you're missing something -- or I am. How do you propose to set
it to a different value on each request if the salt is being read
from the configuration and not the call to authenticate? Should I modify
the global configuration of C:P:A from the Controller? That sounds
hackish. Moreover, the traditional method of salting is to store the
salt in the DB? If this is used, should I retrieve the salt with the
Authentication plugin's model? That would sound silly.

Crypt::SaltHash makes the salt a function of the username, I haven't
looked too much into the implementation but it certainly isn't the
normal method of salting -- though it most probably helps some level.

The obvious solution to this will be to have a `salt_field`, that when
filled out retrieves the salt from the userinfo. I'll see about a patch
tomorrow.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Security issue with hashed passwords in C:P:A:Password

2010-03-24 Thread Evan Carroll
> P.S. Yes, I appreciate that the attack surface is fairly limited here, but I
> feel the point still holds.

I disagree, I wouldn't want to extend my fame into publicizing a
massive security vulnerability. I think this one stems from a
misunderstanding of salting. I've forked C:P:A on gitpan and I'll
probably port some (or all) of it to Moose along with my own fix to
this soonish.

> P.P.S. I expect to be uploading a fix for this in the next 24-48 hours for
> anyone who is concerned that evil people in possession of their application
> configuration are generating the relevant rainbow tables right now...

-- 
Evan Carroll
System Lord of the Internets



Re: [Catalyst] Security issue with hashed passwords in C:P:A:Password

2010-03-24 Thread Evan Carroll
> I'll still chase this up tonight so that we're all clear if there is a
> potential (but very limited) issue or not :)

The issue here is the implementation of salt gives you a false sense
of security. If you aren't worried about rainbow attacks simply don't
use salt at all. It should be noted that any global salt will at least
lessen the chance of unsalted rainbow tables from being used (such as
those downloaded from torrents), but this is marginal. With that said,
I've got the rewritten, moosified, copy up with doc patches, passing
tests, and a working implementation of password_pre_salt_field, and
password_post_salt_field, you can find it at:

http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/blob/master/lib/Catalyst/Authentication/Credential/Password.pm

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
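
The difference this thread argues over, a single salt in the configuration versus a salt read from the user's own row, as an added example (not code from the thread or from Catalyst::Plugin::Authentication). The hashing order follows the `password_pre_salt` / `password_post_salt` lines and the `sha1_hex( input.password . row.salt )` check quoted on this page; the user rows, the `salt` and `salthash` column names, the sample password and reading the salt from /dev/urandom are constructed assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA ();

# digest( pre_salt . password . post_salt ), the same order as the
# $d->add(...) lines quoted from Credential/Password.pm in this thread.
sub salted_digest {
    my (%arg) = @_;
    my $d = Digest::SHA->new(1);    # SHA-1, the hash used in the thread
    $d->add( $arg{pre_salt}  // '' );
    $d->add( $arg{password} );
    $d->add( $arg{post_salt} // '' );
    return $d->hexdigest;
}

# Assumption: 16 random bytes from /dev/urandom, hex encoded.
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read( $fh, my $bytes, 16 );
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;
}

# Compare two hex digests without stopping at the first differing byte.
sub digest_eq {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Case 1: one salt for the whole application (constructed value),
# as with password_pre_salt in the configuration.
my %config = ( password_pre_salt => 'constructed-site-salt' );

# Case 2: a random salt stored in each user's row, as with a salt field.
sub make_row {
    my ( $username, $password ) = @_;
    my $salt = new_salt();
    return {
        username => $username,
        salt     => $salt,
        salthash => salted_digest( password => $password, post_salt => $salt ),
    };
}

# Verification reads the salt from the row, not from the configuration.
sub check_password {
    my ( $row, $candidate ) = @_;
    my $got = salted_digest( password => $candidate, post_salt => $row->{salt} );
    return digest_eq( $got, $row->{salthash} );
}

# Constructed users who happen to share a password.
my @users = ( [ alice => 'correct horse' ], [ bob => 'correct horse' ] );

my @global = map {
    salted_digest( pre_salt => $config{password_pre_salt}, password => $_->[1] )
} @users;
my @rows = map { make_row(@$_) } @users;

printf "config-wide salt: %s\n                  %s\n", @global;
printf "  same digest for both users: %s\n",
    $global[0] eq $global[1] ? 'yes' : 'no';

printf "per-user salt:    %s\n                  %s\n", map { $_->{salthash} } @rows;
printf "  same digest for both users: %s\n",
    $rows[0]{salthash} eq $rows[1]{salthash} ? 'yes' : 'no';

printf "alice, right password: %s\n", check_password( $rows[0], 'correct horse' ) ? 'ok' : 'rejected';
printf "alice, wrong password: %s\n", check_password( $rows[0], 'wrong guess' )   ? 'ok' : 'rejected';
```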



Re: [Catalyst] Security issue with hashed passwords in C:P:A:Password

2010-03-24 Thread Evan Carroll
> It would be if anything you said were true; fortunately it's not, and both
> available methods of doing salted passwords with
> Catalyst::Plugin::Authentication do salt entirely the correct way.
>
> Your unnecessary and condescending lectures are, however, greatly appreciated
> as usual.

While you're probably doubting your whole statement about salts being
implemented entirely the correct way, I just wanted to indulge you
with one more lecture. I feel the need to call you out and cross-post
your response on rt for the historical mailing-list record:

I have no idea what distribution you intended to file this bug against,
but it's obviously not the one you *did* file against, which does
nothing even vaguely resembling reading salt from a config file.

To which I responded:

http://search.cpan.org/src/FLORA/Catalyst-Plugin-Authentication-0.10016/lib/Catalyst/Authentication/Credential/Password.pm

I think I've got the right one...

P.S. stop being an asshole, thanks.

along with the code:

Just to save some insincere discourse and further boring name calling:

$d->add( $self->_config->{'password_pre_salt'} || '' );
$d->add($password);
$d->add( $self->_config->{'password_post_salt'} || '' );

I have a disconnect sometimes when I see Andrew Rodland, instead of
hobbs but your unwavering hostility is certainly noticed. Rather
than give the bug report a fair evaluation you deny it without reason.
Like most religions, yours has a convenient indicator: if anything
you said were true; fortunately it's not. Good, concise illogical ad
hominem not grounded in reality, and totally without merit as to the
bug report.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Security issue with hashed passwords in C:P:A:Password

2010-03-24 Thread Evan Carroll
 While my opinion of you is not favorable, I do believe that we should
 always look at reports without seeing who filed them and react
 accordingly.

duly noted.

 The option for 'hashed' does what you are talking about, and the
 documentation clearly lists the differences here.

Yes, well I don't see this clearly communicated here. In fact, for
me, I don't see the difference at all -- so maybe you can rub this
off as a doc bug. I've never heard of Crypt::SaltedHash prior to
today, and had no idea of what it does. However, I'm very familiar
with salts, and hashing. I also see little reason to indicate
'salted_hash', should be chosen over 'hashed', w/ salted attributes.
When I was reading the docs, I saw Digest, and mention of salts, and
figured that was what I was looking for. This could have been my error.

 I'm more of the mind that this is a non-issue, but could easily lead
 people astray into doing something that they do not want to do.  If
 there is a problem with the way the salts are handled, that would be a
 problem in Crypt::SaltedHash.

I disagree, reviewing Crypt::SaltedHash, which I wasn't speaking
about: it simply serializes the salts and hash(salt . password). Here,
I just store in the DB the salt un-serialized with the hash of the
salt and the password. I'm not sure my approach is better, or worse;
but, I've been doing it for a long time and it is a widespread
practice. After all, the only thing we're doing with salts is stopping
a rainbow table attack. Like t0m, I've patched this. In my patch I add
two fields which read the user-object. So long as the salt isn't
global, but user-specific it will work. Salting a pkid certainly
works, and so does storing a random number. Arguably, there are
benefits to both sides, and both should accomplish the task
effectively. I personally feel as if someone confused my method (not
that I did it first) when they implemented this pre_salt in config
stuff... I'd guess I'm not the only one that has been confused by
this. People who use salts the way I've always done them are very
likely to read into it and think that the 'hashed' is the best match
for them.

 Your bug report does seem to imply it would be a problem with
 Crypt::SaltedHash, though, which is why without a more thorough
 glance, you look like you are wholly mistaken.

I don't think anything implies Crypt::SaltedHash in my bug report --
if it did it was a miscommunication. Sorry, I'm not speaking about it
at all. Furthermore, after reviewing it seems like a perfectly good
solution however different and less-portable it is.

Thanks for the reply.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



[Catalyst] Security issue with hashed passwords in C:P:A:Password

2010-03-23 Thread Evan Carroll
https://rt.cpan.org/Ticket/Display.html?id=55850&results=a52c3c931cac70fddd2e1926e2f4280a

The purpose of salt is to reduce the ability for a single (pre-calculated)
rainbow table of passwords and hashes to compromise the whole store. If
your salt isn't a random function, or specific to the user there is no
benefit in the salt...

This is a broken implementation. Hard coding salt in a config file only
protects you from a rainbow table without that salt. It still doesn't
solve the problem of cached hashings.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
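
The difference argued over in this thread, as an added example that is not part of the original messages or of Catalyst::Plugin::Authentication: the config-wide pre/post salt from the quoted add() sequence next to a per-user salt stored beside the hash. User names, salt values and the helper names hash_global, hash_per_user and random_salt are constructed for illustration, and SHA-256 is used only to mirror the Digest-style calls.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA;

# Constructed sample data: two users who chose the same password.
my %users = ( alice => 'correct horse', bob => 'correct horse' );

# Constructed site-wide salts, standing in for the config keys
# password_pre_salt / password_post_salt.
my %config = ( password_pre_salt => 'site-pre', password_post_salt => 'site-post' );

# Same add() order as the snippet quoted in the thread.
sub hash_global {
    my ($password) = @_;
    my $d = Digest::SHA->new(256);
    $d->add( $config{password_pre_salt} || '' );
    $d->add($password);
    $d->add( $config{password_post_salt} || '' );
    return $d->hexdigest;
}

# Per-user variant: the salt is read from the user's own record.
sub hash_per_user {
    my ( $salt, $password ) = @_;
    return Digest::SHA->new(256)->add($salt)->add($password)->hexdigest;
}

# 16 random bytes from the OS, hex-encoded for storage next to the hash.
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read( $fh, my $bytes, 16 ) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

my ( %global, %salted );
for my $name ( sort keys %users ) {
    $global{$name} = hash_global( $users{$name} );
    my $salt = random_salt();
    $salted{$name} = { salt => $salt, hash => hash_per_user( $salt, $users{$name} ) };
}

# Site-wide salt: equal passwords still produce equal stored hashes.
printf "global salt, alice eq bob:   %s\n", $global{alice} eq $global{bob} ? 'yes' : 'no';
# Per-user salt: the same password gives unrelated stored hashes.
printf "per-user salt, alice eq bob: %s\n", $salted{alice}{hash} eq $salted{bob}{hash} ? 'yes' : 'no';
# Verification recomputes with the salt stored in that user's row.
my $row = $salted{bob};
printf "bob verifies with own salt:  %s\n",
    hash_per_user( $row->{salt}, $users{bob} ) eq $row->{hash} ? 'yes' : 'no';
```

Duplicate values in a stored hash column are a quick audit signal that the salt in use is not user-specific.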



[Catalyst] Updated Catalyst::Authentication::Store::DBI

2010-03-10 Thread Evan Carroll
I created a fork on gitpan of Catalyst::Authentication::Store::DBI
(C:A:S:DBI).

http://github.com/EvanCarroll/Catalyst-Authentication-Store-DBI

C:A:S:DBI is now Moosified à la C:A:S:DBIC
it has subclassable User classes
works with composite keys
has updated docs and internals notes
has tests for roles
has more quote_identifiers where they belong
has better internal notes

I'm still not sure if I should use something like
MooseX::Storage::Format::Storable to do from_session and for_user. Ideas?

-- 
Evan Carroll
System Lord of the Internets


Re: [Catalyst] Request

2009-10-27 Thread Evan Carroll
 Is there a Catalyst Request method for getting the path and the
 query_string?
 (Everything's after the base).

$c->req->uri->path_query

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Debian recommendation

2009-10-27 Thread Evan Carroll
 Then I suppose it's a good thing that no such thing happens.

Sure it happens;
ecarr...@x60s:~$ diff /usr/local/share/perl/5.10.0/XML/SAX.pm
/usr/share/perl5/XML/SAX.pm -C5
*** /usr/local/share/perl/5.10.0/XML/SAX.pm 2008-08-05 07:36:24.0 
-0500
--- /usr/share/perl5/XML/SAX.pm 2009-04-29 08:28:25.0 -0500
***
*** 177,186 
--- 177,195 
  }

  sub save_parsers {
  my $class = shift;

+ ### DEBIAN MODIFICATION
+ print \n;
+ print Please use 'update-perl-sax-parsers(8) to register this
parser.'\n;
+ print See /usr/share/doc/libxml-sax-perl/README.Debian.gz for
more info.\n;
+ print \n;
+
+ return $class; # rest of the function is disabled on Debian.
+ ### END DEBIAN MODIFICATION
+
  # get directory from wherever XML::SAX is installed
  my $dir = $INC{'XML/SAX.pm'};
  $dir = dirname($dir);

  my $file = File::Spec-catfile($dir, SAX, PARSER_DETAILS);
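
Review bot: The early return added at the top of save_parsers hands back $class, the same value the unmodified path returns at the end of the function, so a caller cannot distinguish "parser details were saved" from "the rest of the function is disabled". The notice is also emitted with plain print to standard output from library code. Sending the message through warn and returning a distinguishable value, or dying with the same text, would make the disabled behaviour visible to the calling code rather than only to whoever is watching the terminal.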
***
*** 204,213 
--- 213,256 
  close $fh;

  return $class;
  }

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Catalyst::Test configuration questions

2009-10-26 Thread Evan Carroll
 So, you want your tests to be configured based on a yaml config file? Or you
 want to base your tests off of a yaml config file?

I'm not sure there is a difference as you word it.

I want to dynamically modify the configuration of my application for
the purpose of testing. That configuration is loaded from a yaml. I'm
unsure of how to load a different yaml-conf for the purpose of
testing alternate configurations, or of how to best manipulate the
configuration of my app after the load to simulate a test in a
different environment than the default.

http://github.com/EvanCarroll/Craiglickr/blob/master/craiglickr.yaml

Craiglickr:
  location:
    cross_posting: 1
    cross_metro: 0
    max: 4
  category:
    cross_posting: 0


I want to test different settings such as if cross_metro was set to 1,
or if cross_posting was set to 0, and such.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] Debian recommendation

2009-10-26 Thread Evan Carroll
 they're not published under the same namespaces, they
 don't change version numbers, and they're hardly sound improvements.

That was supposed to read they're *not* published under different namespaces.

 The difference between a troll and a critique
 Citations and references.


Fair enough, I've worked on these two bugs extensively before I came
to the conclusion teaching good practice to people who use bad
justification is pointless.
https://bugs.launchpad.net/ubuntu/+source/libio-compress-zlib-perl/+bug/394481
https://bugs.launchpad.net/ubuntu/+source/libxml-sax-perl/+bug/13917

I've also done some work fixing cpanplus bugs where cpanplus will act
radically different than cpan
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533707

I've also tried arguing this in the irc chans, it comes down to an
unwillingness and apathetic attitude to do it right. Debian *wants* to
change the way modules they didn't create interact with the system.
It is just asking for problems unless they have total control over
CPAN. They don't, therefore CPAN is unsupported and your apt
repository has got to be good enough.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com



Re: [Catalyst] use base vs use parent

2009-08-25 Thread Evan Carroll


 I know that the recommendation could be to use Moose and extends..., but
 if Moose is not needed, what's the difference between use parent and use
 base?



per base.pm

Unless you are using the fields pragma, consider this module discouraged in
favor of the lighter-weight parent.


per parent.pm

This module was forked from base http://search.cpan.org/perldoc?base to
remove the cruft that had accumulated in it.

It also seems as if parent.pm has a '-norequire' field.




 When should use parent be used and not use base or it really doesn't
 matter which one is used?


parent.pm when you can use cpan, base.pm when you can't.



-- 
Evan Carroll
www.evancarroll.com
System Lord of the Internets


Re: [Catalyst] Http Status Chart

2008-03-11 Thread Evan Carroll
I always preferred digg with its posts of thought provoking cats and
top ten teenage racks. With that said what is the diff between
unauthorized and forbidden?

On 3/11/08, Christopher H. Laco [EMAIL PROTECTED] wrote:
 This made its way across reddit this morning... Nice chart.

-- 
Evan Carroll
System Lord of the Internets
[EMAIL PROTECTED]
832-445-8877
