Bill Moseley (mo...@hank.org)

User Information

Display Name: Bill Moseley
Partial Email Address: mo...@hank.org
Posts:
287 total
157 in Catalyst Framework
17 in catalyst@lists.scsys.co.uk
15 in Class::DBI
16 in DBIx::Class
6 in mod_perl
65 in PostgreSQL - General
11 in PostgreSQL - Novice

5 Most Recent

1) Bill Moseley [Catalyst] Re: CSRF (plus session security)
catalyst@lists.scsys.co.uk
On Wed, Oct 01, 2008 at 12:20:04PM +0200, Aristotle Pagaltzis wrote:
> * Moritz Onken <onken@houseofdesign.de> [2008-10-01 09:25]:
> > The best way is to include a random string which has to be
> > stored somewhere for comparison on the server side.
>
> Doesn't have to be stored. Send a random string as well as a HMAC
> digest of a server secret plus the same string. To check a token,
> check if the random string plus server secret hash to the same
> digest as the one provided by the client. Since the server secret
> is not known or knowable to third parties, if the digest checks
> out, then this token must have been minted by the server. Very
> simple; near-zero CPU overhead; no server-side storage required.

Ya, but it's valid for multiple posts.  That might be ok, but in
general, I only want one post for every one form generation (and no
post without a form being generated).

So, my forms all have a unique token that can only be used once.  If
used a second time I redisplay the form pre-filled with their post and
ask them to submit again if that's what they really intended.  That
has the benefit of catching if the form is no longer valid (due to
changes in the database from the first post).

Of course, that doesn't prevent using two browser windows, etc. but it
helps.


Let me ask a related question:

Where on the risk spectrum is CSRF compared to, say, session
hijacking?

I have an application that went from having some pages SSL encrypted
to all pages encrypted for logged in users.

I would like to only use secure cookies, but I place things in the
session that I need for both SSL and non-SSL pages (an example is a
language selection that is stored in the session).[1]

Makes me think I need $c->session and also $c->secure_session as
separate sessions and separate cookies.


--
Bill Moseley
mo...@hank.org
Sent from my iMutt
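Added example, not from the thread or the Catalyst project: the two token schemes discussed above, in Python rather than Perl since the logic does not depend on the framework. The stateless token is the HMAC construction from Aristotle's reply; mixing the session id into the MAC input is an addition here so a token minted for one session cannot be replayed from another. The one-time token is the approach Bill describes, kept in a per-session server-side set and removed when consumed. SERVER_SECRET and the session ids are constructed placeholders.

```python
"""Constructed demo: stateless HMAC CSRF token versus one-time stored token."""
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Hypothetical server secret; a real deployment loads it from config, never hard-codes it.
SERVER_SECRET = b"replace-me-with-32-random-bytes"


def mint_stateless(session_id: str) -> str:
    """Random nonce plus HMAC-SHA256(secret, session_id || nonce). Nothing is stored."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_stateless(session_id: str, token: str) -> bool:
    """Recompute the MAC and compare in constant time; valid on every replay."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class OneTimeTokens:
    """Server-side store of unused form tokens, keyed by session id.

    A token is removed when consumed, so a second POST carrying it is refused and
    the application can redisplay the pre-filled form as the post describes.
    """

    def __init__(self) -> None:
        self._unused: Dict[str, Set[str]] = {}

    def mint(self, session_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self._unused.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, token: str) -> bool:
        issued = self._unused.get(session_id, set())
        if token in issued:
            issued.remove(token)
            return True
        return False


def demo() -> Dict[str, bool]:
    """Exercise both schemes and return each outcome so they can be checked."""
    sid, other_sid = "sess-A", "sess-B"          # constructed session ids
    stateless = mint_stateless(sid)
    store = OneTimeTokens()
    once = store.mint(sid)
    # Tamper with the MAC by changing its last hex digit
    tampered = stateless[:-1] + ("0" if stateless[-1] != "0" else "1")
    return {
        "stateless_first": verify_stateless(sid, stateless),
        "stateless_replay": verify_stateless(sid, stateless),        # still valid
        "stateless_other_session": verify_stateless(other_sid, stateless),
        "stateless_tampered": verify_stateless(sid, tampered),
        "once_first": store.consume(sid, once),
        "once_replay": store.consume(sid, once),                     # refused: spent
        "once_other_session": store.consume(other_sid, once),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} {outcome}")
```

Running demo() shows the difference the post is about: the stateless token verifies on every replay because nothing is consumed, while the stored token is accepted exactly once. Compare MACs with hmac.compare_digest (or the equivalent in your language) rather than plain equality.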
2) Bill Moseley [Catalyst] Passing UTF-8 arg in URL to DBIC search
catalyst@lists.scsys.co.uk
On Tue, Sep 30, 2008 at 08:10:13AM -0700, J. Shirley wrote:
> On Sat, Sep 27, 2008 at 6:51 AM, Hugh Hunter <hhunter@gmail.com> wrote:
> > Hello all,
> >
> > I've been struggling with this for some time and know there must be an
> > answer out there.
> >
> > I'm using URL arguments to pass parameters to my controller. It's a site
> > about names, so take the url http://domain.com/name/Jesús (note the accented
> > u). The Name.pm controller has an :Args(1) decorator so Jesús is stored in
> > $name and then passed to my DBIC model in a ->search({name => $name}) call.
> > This doesn't manage to find the row that exists in mysql. When I dump
> > $name I get:
> >
> > 'name' => 'Jes\xc3\xbas'
> >
> > which I think I understand as being perl's internal escaping of utf-8
> > characters.
> >
> > I've done everything recommended on
> > http://dev.catalystframework.org/wiki/gettingstarted/tutorialsandhowtos/using_unicode and
> > the name column in my mysql database uses the utf-8 charset.
> >
> > Where am I going wrong?
> >
> > Best regards,
> >
> > --Hugh
>
> I haven't dug into the Catalyst source to see of any handling for the
> arguments, but just for testing you may want to try doing a
> utf8::decode($name) and see if that does the trick for you.

I think Encode::decode_utf8() is the recommended method over using the
utf8::decode call.  Perhaps something like this early in the request:

    use Encode ();

    # Decode each path argument from UTF-8 octets into Perl characters
    $c->req->arguments(
        [
            map { Encode::decode_utf8($_) } @{$c->req->arguments}
        ]
    );

But, I'd be concerned about doing this.  Will all browsers encode into
utf8 octets?  You could easily make an LWP request with other
encodings.


--
Bill Moseley
mo...@hank.org
Sent from my iMutt
3) Bill Moseley [Catalyst] Passing UTF-8 arg in URL to DBIC search
catalyst@lists.scsys.co.uk
On Sat, Sep 27, 2008 at 09:51:54AM -0400, Hugh Hunter wrote:
>
> I'm using URL arguments to pass parameters to my controller. It's a
> site about names, so take the url http://domain.com/name/Jesús (note
> the accented u). The Name.pm controller has an :Args(1) decorator so
> Jesús is stored in $name and then passed to my DBIC model in a
> ->search({name => $name}) call. This doesn't manage to find the row
> that exists in mysql.  When I dump $name I get:
>
>
> I've done everything recommended on
> http://dev.catalystframework.org/wiki/gettingstarted/tutorialsandhowtos/using_unicode
> and the name column in my mysql database uses the utf-8 charset.
> Where am I going wrong?

The plugin does not decode the path, only the query parameters.[1]


I'm not clear on passing utf8 on the path -- I thought you would have
to url-encode it, but maybe the browser will do that. Although, I'm not
clear how it knows what encoding to use.


[1] also note that it doesn't decode the body params, so if you
access those via the body_parameters request method they won't be
decoded.  Accessing them via ->parameters is ok, though.

--
Bill Moseley
mo...@hank.org
Sent from my iMutt
4) Bill Moseley [Catalyst] Pushing data to Catalyst powered web page
catalyst@lists.scsys.co.uk
On Fri, Sep 12, 2008 at 02:15:23PM +0200, Supra, Morne wrote:
>
> The problem that I have is that I have no idea how to push the data to a
> web page instead of pulling.

Pull with an AJAX update, perhaps.

--
Bill Moseley
mo...@hank.org
Sent from my iMutt
5) Bill Moseley [Catalyst] HTTP::Body, Catalyst, and death.
catalyst@lists.scsys.co.uk
Catalyst::Engine prepare_body_chunk() calls HTTP::Body's add() method
with chunks as they are read from the input stream.

What happens if the call to ->add($chunk); dies?  Does the input
stream get somehow flushed (up to the content_length)?  Or would the
exception bypass any flushing?

In other words, is it important that HTTP::Body's add() method (and
really, spin() ) not die and instead continue to, well, spin until all
the request data has been consumed?


--
Bill Moseley
mo...@hank.org
Sent from my iMutt
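Added example, constructed and not HTTP::Body or Catalyst code: a simulated keep-alive connection that shows why a body parser which dies mid-body still has to consume the remaining Content-Length octets before the exception propagates. parse_chunk stands in for HTTP::Body->add() and raises on a NUL byte purely to force the failure; the two pipelined requests in CONNECTION are constructed.

```python
"""Constructed demo: draining the request body when the body parser dies."""
import io
from typing import Dict, List, Tuple


class BodyError(Exception):
    """Stand-in for an exception thrown from the body parser (HTTP::Body->add())."""


def parse_chunk(chunk: bytes) -> None:
    """Stand-in for add(): dies on a NUL byte, purely to force a mid-body failure."""
    if b"\x00" in chunk:
        raise BodyError("malformed body chunk")


def consume_body(stream: io.BufferedIOBase, content_length: int,
                 chunk_size: int, drain_on_error: bool) -> None:
    """Feed the body to parse_chunk in chunks; optionally drain what is left on failure."""
    remaining = content_length
    try:
        while remaining > 0:
            chunk = stream.read(min(chunk_size, remaining))
            if not chunk:
                raise BodyError("peer closed before Content-Length was reached")
            remaining -= len(chunk)
            parse_chunk(chunk)
    finally:
        # Runs on success too (remaining == 0, so a no-op) and on failure
        if drain_on_error:
            while remaining > 0:
                chunk = stream.read(min(chunk_size, remaining))
                if not chunk:
                    break
                remaining -= len(chunk)


def read_headers(stream: io.BufferedIOBase) -> Dict[str, str]:
    """Minimal header reader: lower-cased names, stops at the blank line."""
    headers: Dict[str, str] = {}
    while True:
        line = stream.readline()
        if line in (b"", b"\r\n", b"\n"):
            return headers
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()


def serve_connection(raw: bytes, drain_on_error: bool) -> List[Tuple[str, str]]:
    """Handle every request on one keep-alive connection; returns (request line, outcome)."""
    stream = io.BytesIO(raw)
    results: List[Tuple[str, str]] = []
    while True:
        request_line = stream.readline().rstrip(b"\r\n")
        if not request_line:
            return results
        headers = read_headers(stream)
        length = int(headers.get("content-length", "0"))
        try:
            consume_body(stream, length, chunk_size=4, drain_on_error=drain_on_error)
            results.append((request_line.decode("latin-1"), "ok"))
        except BodyError:
            results.append((request_line.decode("latin-1"), "body-error"))


# Two pipelined requests on one connection (constructed). The first body is 12 bytes and
# carries a NUL in its second 4-byte chunk, so parse_chunk dies with 4 bytes still unread.
CONNECTION = (
    b"POST /a HTTP/1.1\r\nContent-Length: 12\r\n\r\n"
    b"abcd\x00fghijkl"
    b"POST /b HTTP/1.1\r\nContent-Length: 0\r\n\r\n"
)


def demo(drain_on_error: bool) -> List[Tuple[str, str]]:
    return serve_connection(CONNECTION, drain_on_error)


if __name__ == "__main__":
    print("no drain:", demo(False))
    print("drain   :", demo(True))
```

With drain_on_error=False the four leftover body bytes are read as the start of the next request line, so the second request on the connection is parsed as garbage; with drain_on_error=True the stream is back in sync and "POST /b" is handled normally. If draining is not acceptable (a very large Content-Length from an untrusted client), the safe alternative is to close the connection rather than reuse it.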
