
Re: [cgiapp] ANNOUNCE: CAP::LinkIntegrity 0.02


Michael Graham wrote:
> CGI::Application::Plugin::LinkIntegrity should be available soon on a
> CPAN mirror near you:
> 
>     http://search.cpan.org/dist/CGI-Application-Plugin-LinkIntegrity-0.02/
> 
> Thank you to the cgiapp list for all your help answering my questions
> about QUERY_STRINGs and whatnot.
> 
> Thanks especially to Richard Dice.  This module is based on a feature
> from CAF that he wrote.
> 
> 
> CAP::LinkIntegrity is a plugin that makes it easy to create
> tamper-resistant URLs in your application.
> 
> Basically, it adds a cryptographic checksum to each link you generate:
> 
>     my $link = $self->make_link("/account.cgi?rm=balance&acct_id=73");
>     print $link; # /account.cgi?rm=balance&acct_id=73&_checksum=1d7c4b82d075785de04fa6b98b572691

What would be really cool is if the plugin could automatically rewrite
the links to be tamper proof for everything going out to the browser.
This could be done using a callback at postrun time with some HTML
parser. Of course this would need to be turned on by the user (since
it could potentially be pretty slow) both globally and per run mode, and
then with the option of somehow disabling/enabling the tamper proof
filtering at run time in the run mode itself.

Or maybe there's a way to make this work from inside the template where
the programmer can decide for which URLs it makes a difference. Should
be pretty easy as a TT plugin, but might also work as H::T plugin with
Mark's new system.

Just some ideas :)

> If the user attempts to change part of the URL (e.g. a query string
> parameter, or the PATH_INFO), then the checksum will not match.  The run
> mode will be changed to link_tampered, and the invalid_checksum
> hook will be called.

What does the invalid_checksum hook do? Or is it just a hook that you
can inject stuff into if you need it?

> You can define the 'link_tampered' run mode yourself, or you can use
> the default 'link_tampered' run mode built into
> 'CGI::Application::Plugin::LinkIntegrity'.
> 
> You can disable link checking during development by passing a flag at
> configuration time.
> 
> You can choose the module you want to use to generate the checksum (e.g.
> Digest::MD5 or Digest::SHA1), or you can create your own subroutine to
> do the work.

Overall, very cool stuff...

-- 
Michael Peters
Developer
Plus Three, LP
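The make_link / verify behaviour described in the announcement, as an added stand-alone illustration (not code from CGI::Application::Plugin::LinkIntegrity or from either poster). It keeps the `_checksum` parameter name from the example link, but the rest is assumed: the checksum is an HMAC-SHA256 over the path and query keyed with a server-side secret (`$SECRET` is a constructed placeholder), so a visitor cannot recompute it after editing `acct_id`, and the comparison is constant-time. The plugin itself lets you pick Digest::MD5 or Digest::SHA1 or your own routine, as the announcement says; the point of the keyed MAC here is that an unkeyed digest of the URL would be trivially recomputable by the client.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Server-side secret (constructed placeholder); load from config in a real app,
# never from anything the client sends.
my $SECRET = 'example-secret-change-me';

# Split a link into the part covered by the MAC and any _checksum it carries.
# Path and every remaining query part are joined with "\n", which cannot occur
# unencoded in a URL, so "/a?b=c" and "/a?b=c&" canonicalise unambiguously.
sub _strip_checksum {
    my ($url) = @_;
    my ($path, $query) = split /\?/, $url, 2;
    my @parts = grep { $_ ne '' } split /&/, $query // '';
    my ($given) = map { (split /=/, $_, 2)[1] } grep { /^_checksum=/ } @parts;
    my @kept   = grep { !/^_checksum=/ } @parts;
    return (join("\n", $path, @kept), $given);
}

# Append a keyed checksum to an outgoing link (mirrors make_link in the post).
sub make_link {
    my ($url) = @_;
    my ($canonical) = _strip_checksum($url);
    my $mac = hmac_sha256_hex($canonical, $SECRET);
    my $sep = index($url, '?') >= 0 ? '&' : '?';
    return $url . $sep . '_checksum=' . $mac;
}

# Recompute the checksum for an incoming URL; 1 if it matches, 0 otherwise.
# Any edit to PATH_INFO or a query parameter changes the canonical string.
sub verify_link {
    my ($url) = @_;
    my ($canonical, $given) = _strip_checksum($url);
    return 0 unless defined $given;
    my $expect = hmac_sha256_hex($canonical, $SECRET);
    return 0 unless length $given == length $expect;
    # Constant-time compare: don't reveal where the first differing byte is.
    my $diff = 0;
    $diff |= ord(substr $given, $_, 1) ^ ord(substr $expect, $_, 1)
        for 0 .. length($expect) - 1;
    return $diff == 0 ? 1 : 0;
}

my $link = make_link('/account.cgi?rm=balance&acct_id=73');
print "$link\n";
print verify_link($link) ? "ok\n" : "tampered\n";          # ok

# Constructed tampering attempt: same link with a different account id.
(my $edited = $link) =~ s/acct_id=73/acct_id=74/;
print verify_link($edited) ? "ok\n" : "tampered\n";        # tampered
```

In an application the `verify_link` result is where the run mode would be switched to `link_tampered`; in the module that is the point at which the `invalid_checksum` hook fires, so a request log entry or alert belongs there rather than in the run mode that renders the error page.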


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2

