PerlMonks  

NMS, London PM?

by InfiniteSilence (Curate)
on Apr 07, 2006 at 21:30 UTC

InfiniteSilence has asked for the wisdom of the Perl Monks concerning the following question:

Searching around for Perl projects on Sourceforge led me to NMS. (Update: The library in question is called CookieLib). There is a README, but it does not mention anything about this. Okay, I think, this is posted by London PM (or by members thereof), and the code is supposed to be more secure than MSA code. What I don't get is how this is supposed to be more secure:

    sub SetCookies {
        my (%input) = @_;
        while( my($name,$value) = each %input ) {
            my $c = CGI->cookie (
                -name    => $name,
                -value   => $value,
                -expires => ((exists($cookie_config{expires}) && $cookie_config{expires} ==1) ? $cookie_config{expires} : undef),
                -domain  => ((exists($cookie_config{domain}) && $cookie_config{domain} ==1) ? $cookie_config{domain} : undef),
                -secure  => ((exists($cookie_config{secure}) && $cookie_config{secure} ==1) ? $cookie_config{secure} : undef),
                -path    => ((exists($cookie_config{path}) && $cookie_config{path} ==1) ? $cookie_config{path} : undef),
            );
            print "Set-Cookie: ", $c, "\n";
        }
    }

Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M':

    $c = new CGI::Cookie(-name    => 'foo',
                         -value   => 'bar',
                         -expires => '+3M',
                         -domain  => '.capricorn.com',
                         -path    => '/cgi-bin/database',
                         -secure  => 1
                        );

So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?

Update #2: As a result of my posting the following was appended to the modification history of CookieLib at NMS:

    # $Log: cookielib,v $
    # Revision 1.6 2006/04/08 08:34:31 gellyfish
    # Appeared to be a cut and paste error in SetCookies

And the code has, apparently, been modified. Thank you gellyfish for your prompt action.

Celebrate Intellectual Diversity

Moved from Perl Monks Discussion to Seekers of Perl Wisdom by planetscape

Replies are listed 'Best First'.
Re: NMS, London PM?
by PodMaster (Abbot) on Apr 08, 2006 at 01:06 UTC
    Your choice of title NMS, London PM? could be better.

    What file is this code in? Does it have documentation?

    Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M': ...So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?
    No. I don't see why you would think that. I think the various ==1 parts are probably typos. It's hard to say without context.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Re: NMS, London PM?
by gellyfish (Monsignor) on Apr 10, 2006 at 20:52 UTC

    Firstly perlmonks is not an ideal place to be asking questions about the NMS programs, we have a support mailing list which is read by the developers at nms-cgi-support@lists.sourceforge.net, I can't speak for any of the other project members but I certainly don't have time to scan every possible place that Perl might be discussed in order to answer questions about NMS.

    Yes there was what would appear to be a copy and paste error in the cookielib that has gone undetected for quite a long period of time. This code was contributed as-is by a single developer and it was only subsequently amended to conform to the 'house style' and to fix an obvious bug.

    The typo in the cookie creation code poses no security risk, it simply means that it doesn't work in the way that is described in the README. As you noted above after you pointed this out on the mailing list I fixed this mistake and made a new release.

    If you wish to contribute to the NMS project please feel free to contact us in the manner described on the project web site.

    /J\
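
The effect of the `== 1` tests discussed in this thread, as an added example that is not part of any post or of the NMS code. The configuration values are constructed, and the `defined` check in the second function is an assumption about a reasonable correction, not the change actually committed to cookielib.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample configuration (not from NMS); the keys mirror the
# %cookie_config keys used in the SetCookies code quoted in the question.
my %cookie_config = (
    expires => '+3M',
    domain  => '.example.com',
    path    => '/cgi-bin/database',
    secure  => 1,
);

# Selection as posted: a value survives only if it is numerically equal to 1.
sub attrs_as_posted {
    my (%cfg) = @_;
    no warnings 'numeric';    # '+3M' == 1 would otherwise emit a warning
    my %out;
    for my $k (qw(expires domain secure path)) {
        $out{$k} = (exists $cfg{$k} && $cfg{$k} == 1) ? $cfg{$k} : undef;
    }
    return %out;
}

# Assumed correction (hypothetical): pass through any configured, defined value.
sub attrs_if_defined {
    my (%cfg) = @_;
    my %out;
    for my $k (qw(expires domain secure path)) {
        $out{$k} = (exists $cfg{$k} && defined $cfg{$k}) ? $cfg{$k} : undef;
    }
    return %out;
}

# Print what each variant would hand to CGI->cookie; an undef value means
# the attribute is left out of the Set-Cookie header.
for my $variant ( [ 'as posted'     => \&attrs_as_posted ],
                  [ 'defined check' => \&attrs_if_defined ] ) {
    my ($label, $fn) = @$variant;
    my %attr = $fn->(%cookie_config);
    print "$label:\n";
    printf "  -%-8s %s\n", $_,
        defined $attr{$_} ? $attr{$_} : '(undef, attribute omitted)'
        for qw(expires domain secure path);
}
```

With the posted test, only `secure => 1` passes through; the configured expiry, domain and path are silently replaced by `undef`, so the cookie falls back to the browser's defaults for those attributes.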
