[Spyce-users] [PATCH] Three patches

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I've attached three patches to spyce-1.3.11 which I would like to see
included in the next version of Spyce:

1. spyce-uri-patch.diff -- fix for request.uri

  request.uri([component]) currently depends on the REQUEST_URI environment
  variable.  Unfortunately, the REQUEST_URI variable typically looks like
  "/index.html", and not "http://www.example.com/index.html".  This means
  the following are always true:

    request.uri("scheme") == ""
    request.uri("location") == ""

  This patch uses other environment variables which are typically present
  (at least on Apache) to attempt to build a more complete request.uri
  function.

2. spyce-redirect-patch.diff -- RFC 2068 conformance patch

  RFC 2068 states that the Location HTTP response header must be an
  absoluteURI.  That is, "Location: /" (such as is typically generated by
  redirect.external("/") ) is an illegal response header.  This patch
  builds on the first patch above to cause redirect.external to convert
  relative URLs into absolute URLs.

  Also, the "Refresh:" HTTP header is actually non-standard and does not
  work on several browsers I have used (Lynx, Dillo, w3m, and wget, just to
  name a few).  This patch updates the documentation for
  redirect.externalRefresh to inform users of that.

3. spyce-session-patch.diff -- fixes for automatic session handling

  This patch implements a sanity check in session_dir.get() so that illegal
  session IDs (like spyceSession=../../usr/lib/cgi-bin/some-secret-file) cannot
  be used.  Although the current 1.3.11 code appears safe, it is easy to
  make unsafe if you're not careful.  The sanity check may prevent security
  problems with this code in the future.

  The main point of this patch, however, is to make the following code work
  correctly:

    [[.import name=session args="'session_dir', '/tmp', auto=3600"]]
    [[\
    print (session.autoID, session.auto)
    session.auto = {}
    raise spyceDone
    ]]

  Without this patch, the following code in session.autoSession caused
  problems:

    1 if self.autoID:
    2   self.auto = self.get(self.autoID)
    3   if not self.auto: self.autoID = None
    4 if not self.autoID:  # generate a sessionid
    5   self.autoID = self.set(None, self.autoExpire)

  The problem is with line #3.  If self.auto is None, 0, {}, [], or any
  other value for which "not self.auto" is True, then this code will
  constantly reset self.auto to None, and re-generate a new session ID.

  This patch fixes this, by creating the functions session.get1 and
  session.has_key, which both differentiate between False values stored in
  a session, and no value stored at all.  Line #3 is changed to:

    3   if not self.has_key(self.autoID): self.autoID = None

-- 
Dwayne C. Litzenberger <dl...@dl...>

The attachment is an OpenPGP (PGP/MIME) signature, which can be used to verify
the authenticity of this message.  See the message headers for more information.