Subject: %{} parsing and the death of Eval syntax
Tue Jun 24 01:21:20 CDT 2008
From the changelog for 3.3 -
"Important Security Update: Removed support for the %Eval special character syntax due to security issues that can affect AuthBy SQL and AuthBy LDAP*. We recommend that all operators of Radiator 3.0, 3.1 and 3.2 upgrade to this version immediately"
However, it doesn't state what specific issue prompted this; does anybody know?
From Util.pm -
# Need to convert single character % formats _and_ positional args all
# in one go, else may get unpleasant interactions, especially when the
# the resulting string contains a %
$s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a = $1;
$a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;
$s =~ s/%\{GlobalVar:([^{]+)\}/{&main::getVariable($1)}/egs;
$s =~ s/%\{Reply:([^{]+)\}/{$rpacket ? $rpacket->get_attr($1) : ''}/egs;
$s =~ s/%\{Client:([^{]+)\}/{$p ? $p->{Client}{$1} : ''}/egs;
$s =~ s/%\{Handler:([^{]+)\}/{$p ? $p->{Handler}{$1} : ''}/egs;
# $s =~ s/%\{Eval:([^{]+)\}/{eval($1)}/egs;
$s =~ s/%\{([^{]+)\}/{$p ? $p->get_attr($1) : ''}/egs;
I really don't think this is optimal; I wonder whether Eval would be OK if
the parser were modified to only do a single pass for the substitution (might
produce a speed increase as well); this also avoids, say, a maliciously
crafted username/password/whatever doing unpleasant things when it gets
re-parsed. This would be critical, I think, to any re-introduction of Eval
syntax.
Even without that, I'm somewhat hamstrung in the creation of, say, SQL
statements by the fact that there's no way to compensate for a missing
value. I think a simplified syntax for this would be useful as well - Wim
Bonis' extendedMacros.patch is a good thought for formatting, but is still
for Radiator 2.12, and hard-codes more than I'd like. I'd be more interested
in a general system that allows %{Anything:data} in the same way as we can
currently simply add %X as a special substitution where X is any alpha
character. The following patch (against Radius/Util.pm from Radiator 3.5)
seems to work OK, although I've not tested it extensively since it's just a
first draft -
*** Util.pm.orig Thu Jan 16 17:58:36 2003
--- Util.pm Fri Jan 17 13:32:25 2003
***************
*** 97,102 ****
--- 97,111 ----
);
+ my %substitutions = (
+ 'GlobalVar' => sub { &main::getVariable($2) },
+ 'Reply' => sub { ($rpacket ? $rpacket->get_attr($2) : '') },
+ 'Client' => sub { ($rpacket ? $rpacket->get_attr($2) : '') },
+ 'Handler' => sub { ($cpacket ? $cpacket->{Handler}{$2} : '') },
+ 'Foo' => sub { "foo=$2"; }
+ );
+ # 'Eval' => sub { eval($2) },
+
my %strftime_conversion =
(
'%', sub { '%' },
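Review bot: the 'Client' entry in `%substitutions` is a copy of the 'Reply' body (`($rpacket ? $rpacket->get_attr($2) : '')`), whereas the code this replaces looked up `$p->{Client}{$1}`, so `%{Client:x}` now returns a reply attribute instead of a Client-clause value; the 'Handler' entry likewise moves from `$p->{Handler}` to `$cpacket->{Handler}`, and because the hash is built at file scope the closures can only see `$rpacket` and `$cpacket` if those are package globals rather than the formatting function's own variables, so this needs checking against the rest of Util.pm. Two smaller points: the commented-out 'Eval' line sits after the closing `);`, so uncommenting it later would break compilation rather than re-enable it, and 'Foo' looks like a leftover test entry that should not ship.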
***************
*** 328,342 ****
# Need to convert single character % formats _and_ positional args all
# in one go, else may get unpleasant interactions, especially when the
# the resulting string contains a %
- $s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a =
$1; $a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;
! $s =~ s/%\{GlobalVar:([^{]+)\}/{&main::getVariable($1)}/egs;
! $s =~ s/%\{Reply:([^{]+)\}/{$rpacket ? $rpacket->get_attr($1) :
''}/egs;
! $s =~ s/%\{Client:([^{]+)\}/{$p ? $p->{Client}{$1} : ''}/egs;
! $s =~ s/%\{Handler:([^{]+)\}/{$p ? $p->{Handler}{$1} : ''}/egs;
! # $s =~ s/%\{Eval:([^{]+)\}/{eval($1)}/egs;
! $s =~ s/%\{([^{]+)\}/{$p ? $p->get_attr($1) : ''}/egs;
!
return $s;
}
--- 337,345 ----
# Need to convert single character % formats _and_ positional args all
# in one go, else may get unpleasant interactions, especially when the
# the resulting string contains a %
! $s =~ s/%([%abcCdDefghHiIjklLmMNopqQnPrRsStTUuvVwWyYz]|\d+)/{my $a =
$1; $a =~ m@^\d@ ? $extras[$a] : &{$conversions{$a}}()}/egs;
! $s =~ s!%\{(?:([^:]+):)?(.+?(?<\!\\)(?:\\\\)*)\}!( (defined
$substitutions{$1}) ? &{$substitutions{$1}}() : ($cpacket ?
$cpacket->get_attr($1) : '') )!egs;
return $s;
}
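Review bot: the fallback branch of the new combined substitution reads `$cpacket->get_attr($1)`, but for the bare `%{Attr}` form the optional prefix group `(?:([^:]+):)?` does not participate, so `$1` is undefined and the attribute name is in `$2`; it should be `$cpacket->get_attr($2)`, consistent with the handlers in `%substitutions` taking their data from `$2`. The same branch also means an unrecognised prefix such as `%{Typo:data}` is silently looked up as an attribute named `Typo` instead of being reported, which deserves an explicit arm. Because `!` is the delimiter, the negative lookbehind has to be written `(?<\!\\)`; a delimiter that does not occur in the pattern would remove the escaped-delimiter trick and make the escape handling easier to read. The single pass itself does what the mail describes: text inserted by a handler is never rescanned.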
- Matt S Trout
Internet Systems Developer
Business Serve plc
E-mail : matthewtrout at businessserve.co.uk
Tel : 0870 759 2041
The Stapler is Behind You
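As an added illustration of the single-pass argument made in the post above (this is example code written for this page, not Radiator's Util.pm or the patch), the following Perl builds a %{Prefix:data} expander from a dispatch table and sets it beside the multi-pass shape the mail argues against. The %request and %globals hashes, the handler names and the SQL template are constructed stand-ins for the packet and attribute objects in the real code.

```perl
#!/usr/bin/perl
# Added example, not Radiator's Util.pm: a single-pass %{Prefix:data}
# expander driven by a dispatch table, beside the multi-pass shape the
# mail argues against.  %request, %globals and the handler names are
# constructed stand-ins for the packet/attribute objects in the real code.
use strict;
use warnings;

# Constructed RADIUS request: the username arrived containing macro syntax.
my %request = (
    'User-Name' => '%{GlobalVar:DBPassword}',
    'NAS-Port'  => '7',
);
my %globals = ( DBPassword => 's3cret' );

# Dispatch table: prefix => handler called with the data part.  Adding a
# new %{Anything:data} form is one entry here; there is no 'Eval' entry.
my %substitutions = (
    GlobalVar => sub { my ($d) = @_; defined $globals{$d} ? $globals{$d} : '' },
    Upper     => sub { my ($d) = @_; uc $d },
);

# One s///e over the template: every %{...} is consumed exactly once and the
# replacement text is never rescanned, so an attribute value that itself
# contains %{...} is copied in literally.
sub expand_single_pass {
    my ($s, $req) = @_;
    $s =~ s/%\{(?:([^:{}]+):)?([^{}]+)\}/
        defined $1
            ? (exists $substitutions{$1} ? $substitutions{$1}->($2) : '')
            : (defined $req->{$2} ? $req->{$2} : '')
    /eg;
    return $s;
}

# The multi-pass shape: plain attributes first, prefixed forms afterwards,
# so whatever the first pass inserted is parsed again by the second.
sub expand_multi_pass {
    my ($s, $req) = @_;
    $s =~ s/%\{([^:{}]+)\}/defined $req->{$1} ? $req->{$1} : ''/eg;
    $s =~ s/%\{GlobalVar:([^{}]+)\}/defined $globals{$1} ? $globals{$1} : ''/eg;
    return $s;
}

my $tmpl = "SELECT * FROM users WHERE name='%{User-Name}' AND port=%{NAS-Port}";
print "single pass: ", expand_single_pass($tmpl, \%request), "\n";
print "multi pass:  ", expand_multi_pass($tmpl, \%request), "\n";
```

Run as is, the single-pass expander copies the username into the statement verbatim, while the multi-pass variant expands the %{GlobalVar:...} reference that was smuggled in through the username. Two caveats worth keeping in mind: the single pass only stops macro syntax in a value from being re-interpreted, and does nothing about that value's meaning in the target language (quoting the value for SQL remains the consumer's job); and handing an unknown prefix back as an empty string, as done here, is a choice that should be logged or made configurable rather than left silent.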
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au