From: Dwayne C. L. <dl...@dl...> - 2003-08-25 21:56:28
I've attached three patches to spyce-1.3.11 which I would like to see included in the next version of Spyce:

1. spyce-uri-patch.diff -- fix for request.uri

   request.uri([component]) currently depends on the REQUEST_URI environment variable. Unfortunately, the REQUEST_URI variable typically looks like "/index.html", and not "http://www.example.com/index.html". This means the following are always true:

       request.uri("scheme") == ""
       request.uri("location") == ""

   This patch uses other environment variables which are typically present (at least on Apache) to attempt to build a more complete request.uri function.

2. spyce-redirect-patch.diff -- RFC 2068 conformance patch

   RFC 2068 states that the Location HTTP response header must be an absoluteURI. That is, "Location: /" (such as is typically generated by redirect.external("/")) is an illegal response header. This patch builds on the first patch above to cause redirect.external to convert relative URLs into absolute URLs.

   Also, the "Refresh:" HTTP header is actually non-standard and does not work on several browsers I have used (Lynx, Dillo, w3m, and wget, just to name a few). This patch updates the documentation for redirect.externalRefresh to inform users of that.

3. spyce-session-patch.diff -- fixes for automatic session handling

   This patch implements a sanity check in session_dir.get() so that illegal session IDs (like spyceSession=../../usr/lib/cgi-bin/some-secret-file) cannot be used. Although the current 1.3.11 code appears safe, it is easy to make unsafe if you're not careful. The sanity check may prevent security problems with this code in the future.
   The main point of this patch, however, is to make the following code work correctly:

       [[.import name=session args="'session_dir', '/tmp', auto=3600"]]
       [[\
       print (session.autoID, session.auto)
       session.auto = {}
       raise spyceDone
       ]]

   Without this patch, the following code in session.autoSession caused problems:

       1 if self.autoID:
       2     self.auto = self.get(self.autoID)
       3     if not self.auto: self.autoID = None
       4 if not self.autoID: # generate a sessionid
       5     self.autoID = self.set(None, self.autoExpire)

   The problem is with line #3. If self.auto is None, 0, {}, [], or any other value for which "not self.auto" is True, then this code will constantly reset self.auto to None and re-generate a new session ID.

   This patch fixes this by creating the functions session.get1 and session.has_key, which both differentiate between False values stored in a session and no value stored at all. Line #3 is changed to:

       3     if not self.has_key(self.autoID): self.autoID = None

-- 
Dwayne C. Litzenberger <dl...@dl...>
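As an added illustration (not part of the original message or of Spyce's own code), a small Python stand-in for the session_dir handler showing why a stored falsy value made the 1.3.11 autoSession logic regenerate IDs, how a has_key-style check fixes it, and a session-ID sanity check of the kind the third patch describes; the store class, ID format and function names are assumptions.

```python
import random
import re

# Allowed session-ID shape (assumption; Spyce's actual check may differ).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")

class SessionStore:
    """Constructed stand-in for Spyce's session_dir handler (not the project's code)."""
    def __init__(self):
        self._data = {}

    def _check_id(self, sid):
        # Reject anything that could be interpreted as a path, e.g. "../../some-file".
        if not isinstance(sid, str) or not SESSION_ID_RE.match(sid):
            raise ValueError("illegal session id: %r" % (sid,))

    def set(self, sid, value):
        if sid is None:  # generate a fresh session id
            sid = "%016x" % random.getrandbits(64)
        self._check_id(sid)
        self._data[sid] = value
        return sid

    def get(self, sid):
        # Returns None both for a missing key and for a stored None: ambiguous.
        self._check_id(sid)
        return self._data.get(sid)

    def has_key(self, sid):
        # Distinguishes "no value stored" from a stored falsy value.
        self._check_id(sid)
        return sid in self._data

def auto_session_buggy(store, sid):
    """1.3.11 logic: a stored falsy value ({}, 0, None) looks like no session."""
    if sid:
        auto = store.get(sid)
        if not auto:
            sid = None
    if not sid:
        sid = store.set(None, {})  # regenerates an ID on every request
    return sid

def auto_session_fixed(store, sid):
    """Patched logic: only a genuinely missing key triggers regeneration."""
    if sid and not store.has_key(sid):
        sid = None
    if not sid:
        sid = store.set(None, {})
    return sid
```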