From: Jonathan S. <jn...@ge...> - 2006-04-10 20:32:53

On Mon, 2006-04-10 at 17:24, Joel Limardo wrote:
> You don't mind if I use the contents of this e-mail as a PerlMonks
> (http://www.perlmonks.org) post/discussion, do you? I will not mention
> you by name.
>

Yes _we_ would mind, if there is to be discussion of the NMS project we
would like it to be here so it is archived. Also your posting
http://www.perlmonks.org/?node_id=541980 before asking here is impolite
at best and your tone in your communications here has been somewhat
combative. I am however going to followup to that post just to clarify
matters.

This is an open source project and we are happy for contributions,
however it seems that people on the whole would rather gripe in the
background rather than actually help. If you want to contribute please
see http://nms-cgi.sourceforge.net/devel.html We periodically make
appeals for volunteers in a wide variety of places but it seems that
no-one actually wants to get involved.

> Sincerely,
>
>
> Joel Limardo
>
>
> On Mon, 2006-04-10 at 01:03, Joel Limardo wrote:
> > > Here's the problem. You should use CGI::Cookie, I agree, but newbies
> > > have no friggin' idea how to use modules. People read the mission of
> > > NMS and the statement about "experts" and they will assume that
> > > everything has been properly tested (I did) and works.
> > >
> > > Here are other things that do not make sense in this library:
> > >
> > > 1) Why in the heck does CookieLib insist on copying stuff into main?
> > >
> > > $main::Cookies{$name} = $value;
> > >
> > > As a developer, I typically don't want libraries exporting stuff into my
> > > main namespace. I presume this is the entire reasoning behind using
> > > EXPORT_OK versus the standard EXPORT in modules. Why don't you just
> > > specify a package and keep those values in that, like:
> > >
> > > $johnson::Cookies{'name'} = "whatever in the heck you want";
> > >
> >
> > The MSA version did exactly the same, we have no way of knowing how
> > people were using it.
> > The rest of the regex handles the others.
> >
> > > 2) Why are these domain extensions hard coded?
> > >
> > > (.com|.edu|.net|.org|.gov|.mil|.int)
> > >
> > > There are dozens of extensions that are very popular in the US and
> > > elsewhere. For instance, .tv. Why hard-code this at all? Rather, just
> > > make it user-configurable? Also, the README file does not mention that
> > > this module has a hard-coded limitation. There's probably some unwitting
> > > guy in Taiwan (.tw I think) trying to use this library who is cursing
> > > right now.
> > >
> >
> > No, at the time of writing these were the only three letter TLDs and
> > this is what the MSA version did.
> >
> > > 3) This statement,
> > >
> > > if ($_[0] =~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i &&
> > >     $_[0] =~ /\.[^.]+\.\w{3}$/) {
> > >     $cookie_config{domain} = $_[0];
> > >     return 1;
> > > }
> > > elsif ($_[0] !~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i &&
> > >        $_[0] =~ /\.[^.]+\.[^.]+\./) {
> > >     $cookie_config{domain} = $_[0];
> > >     return 1;
> > > }
> > > else
> > > {
> > >     return 0;
> > > }
> > >
> > > Could be easily rewritten to eliminate one of the elseifs in the
> > > following fashion:
> > >
> > > sub SetCookieDomain
> > > {
> > >     if ($_[0] =~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i &&
> > >         ($_[0] =~ /\.[^.]+\.\w{3}$/) || ($_[0] =~ /\.[^.]+\.[^.]+\./) )
> > >     {
> > >         $cookie_config{domain} = $_[0];
> > >         return 1;
> > >     }
> > >     #elsif ($_[0] !~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i &&
> > >     #       $_[0] =~ /\.[^.]+\.[^.]+\./) {
> > >     #    $cookie_config{domain} = $_[0];
> > >     #    return 1;
> > >     #}
> > >     else
> > >     {
> > >         return 0;
> > >     }
> > > }
> > >
> > > In fact, I am pretty certain that the entire regex could be rewritten as
> > > a single regex instead of three. Something like:
> > >
> > > perl -e "$rr = q{ip.world.rocks.com}; if($rr=~m/(\.[^\.]+)+\.com/i){print 'yeah' . $1};"
> > >
> > > 3) Why isn't this print statement optional:
> > >
> > > print "Set-Cookie: ", $c, "\n";
> > >
> > > Print statements like this in subroutines are highly undesirable. It
> > > would be better to, for backward compatibility, allow this but in
> > > reality to just return the cookie information from the routine in a
> > > scalar.
> > >
> >
> > There is no point, if it wants to behave differently the people should use
> > CGI::Cookie.
> >
> > > 4) I don't see any MD5 hashes or anything else to ensure that these
> > > libraries were not tampered with. Since the objective of the site is to
> > > make more secure scripts, I would think that, somehow, there would be a
> > > way to fingerprint them.
> > >
> > > That's pretty much all I can think of right now. As I continue to work
> > > with these libraries, I may have more.
> > >
> >
> > Proper patches using diff -uBb if you have any more, I am more inclined
> > to delete the thing personally.
> >
> > > On Fri, 2006-04-07 at 15:13, Joel Limardo wrote:
> > > > > What in the hell is wrong with this picture?
> > > > >
> > > > > Your code has the following line:
> > > > >
> > > > > -expires => ((exists($cookie_config{expires}) &&
> > > > >     $cookie_config{expires} ==1) ? $cookie_config{expires} : undef),
> > > > >
> > > > > which feeds the expires key of a hash that creates a new CGI::Cookie
> > > > > object. That object takes non-numeric values (as shown in the POD)
> > > > > like '3M' for one thing. On the other hand, if I use a value other
> > > > > than '1', IT DOESN'T WORK. The above code clearly tests to see if
> > > > > $cookie_config{expires} EXISTS AND if ITS VALUE IS SET TO 1.
> > > > >
> > > > > See for yourself:
> > > > >
> > > > > #!/usr/bin/perl -w
> > > > > use strict;
> > > > >
> > > > > my %cookie_config;
> > > > >
> > > > > $cookie_config{expires} = 99999;
> > > > >
> > > > > my $ret = ((exists($cookie_config{expires}) &&
> > > > >     $cookie_config{expires} ==1) ? $cookie_config{expires} : undef);
> > > > >
> > > > > print $ret unless (!$ret);
> > > > >
> > > > > 1;
> > > > >
> > > > > You won't see anything. Maybe I am nuts or I am just missing
> > > > > something.
> > > > >
> > > >
> > > > No you're not missing anything, it is definitely incorrect, which is
> > > > strange because it has always been like that for four years or so.
> > > > Taking the '== 1' out would fix it.
> > > >
> > > > To be honest we would recommend anyone who wanted to use cookies to use
> > > > the CGI::Cookie anyway.
> > > >
> > > > However it needs to be fixed and I'll see to it when I get a minute.
> > > >
> > > > /J\
> > > > --
> > > >
> > > > This e-mail is sponsored by http://www.integration-house.com/
> > > >
> > >
> > > Sincerely,
> > >
> > > Joel Limardo
> > > joe...@fo...
> > > www.forwardphase.com
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> > > that extends applications into web and mobile media. Attend the live webcast
> > > and join the prime developer group breaking into this new coding territory!
> > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> > > _______________________________________________
> > > To unsubscribe from this mailing list visit
> > > https://lists.sourceforge.net/lists/listinfo/nms-cgi-support
> > > and follow the simple instructions.
> >
>
> Sincerely,
>
> Joel Limardo
> joe...@fo...
> www.forwardphase.com
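Added example, written for this archive page and not CookieLib or NMS code: it puts the two checks argued over in the thread side by side, the shipped expires test with its '== 1' next to the fix Jonathan describes (dropping the '== 1'), and the SetCookieDomain regexes as quoted, run over a .com, a .tw and a .co.uk domain. The sub names, the sample domains and the sample expires values are my own.

```perl
#!/usr/bin/perl
# Added example, not CookieLib or NMS code: the two checks debated in the
# thread, rebuilt as standalone subs so their behaviour can be compared.
use strict;
use warnings;

# The expires check as quoted from CookieLib. Only a literal 1 survives the
# '== 1' test; 99999 or a CGI::Cookie string such as '3M' becomes undef.
sub expires_as_shipped {
    my %cookie_config = @_;
    no warnings 'numeric';    # '3M' == 1 would otherwise warn under -w
    return ((exists($cookie_config{expires}) && $cookie_config{expires} == 1)
            ? $cookie_config{expires} : undef);
}

# The fix Jonathan describes: take the '== 1' out and pass the value through.
sub expires_fixed {
    my %cookie_config = @_;
    return exists($cookie_config{expires}) ? $cookie_config{expires} : undef;
}

# SetCookieDomain as shipped, regexes copied verbatim (unescaped dots and all).
# It returns 1 only for a dotted prefix ending in a hard-coded TLD, or for any
# domain containing at least three dots, so a plain .example.tw is refused.
sub set_cookie_domain_as_shipped {
    my ($domain) = @_;
    if ($domain =~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i
        && $domain =~ /\.[^.]+\.\w{3}$/) {
        return 1;
    }
    elsif ($domain !~ /(.com|.edu|.net|.org|.gov|.mil|.int)$/i
           && $domain =~ /\.[^.]+\.[^.]+\./) {
        return 1;
    }
    return 0;
}

# Constructed sample values: the 1 that works, the 99999 from Joel's test
# script, and the '3M' style string the CGI::Cookie POD accepts.
for my $value (1, 99999, '3M') {
    my $shipped = expires_as_shipped(expires => $value);
    printf "expires=%-6s shipped=%-6s fixed=%s\n", $value,
        defined $shipped ? $shipped : 'undef', expires_fixed(expires => $value);
}

# Constructed sample domains; only the .tw one is refused by the hard-coded list.
for my $domain ('.example.com', '.example.tw', '.example.co.uk') {
    printf "domain %-16s accepted=%d\n", $domain,
        set_cookie_domain_as_shipped($domain);
}
```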