line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package CGI::Plus; |
2
|
1
|
|
|
1
|
|
6936
|
use strict; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
52
|
|
3
|
1
|
|
|
1
|
|
6
|
use Carp; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
110
|
|
4
|
1
|
|
|
1
|
|
906
|
use CGI::Safe 'taint'; |
|
1
|
|
|
|
|
56963
|
|
|
1
|
|
|
|
|
8
|
|
5
|
1
|
|
|
1
|
|
98
|
use base 'CGI::Safe'; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
145
|
|
6
|
1
|
|
|
1
|
|
1225
|
use String::Util ':all'; |
|
1
|
|
|
|
|
3706
|
|
|
1
|
|
|
|
|
357
|
|
7
|
1
|
|
|
1
|
|
910
|
use CGI::Cookie; |
|
1
|
|
|
|
|
3608
|
|
|
1
|
|
|
|
|
2556
|
|
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
# version |
10
|
|
|
|
|
|
|
our $VERSION = '0.14'; |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
# Debug::ShowStuff |
13
|
|
|
|
|
|
|
# use Debug::ShowStuff ':all'; |
14
|
|
|
|
|
|
|
# use Debug::ShowStuff::ShowVar; |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
# enable file uploads |
17
|
|
|
|
|
|
|
$CGI::DISABLE_UPLOADS = 0; |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
# maximum upload: 5 mb |
20
|
|
|
|
|
|
|
$CGI::POST_MAX = 5 * 1024 * 1024; |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
# set path to empty string |
23
|
|
|
|
|
|
|
$ENV{'PATH'} = ''; |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
=head1 NAME |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
CGI::Plus -- Extra utilities for CGI |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
=head1 Description |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
This module adds a few enhancements to |
32
|
|
|
|
|
|
|
L, |
33
|
|
|
|
|
|
|
which itself adds a few security-based enancements to |
34
|
|
|
|
|
|
|
L. The enhancement are almost |
35
|
|
|
|
|
|
|
entirely additions - the only method that is overridden is new(), and |
36
|
|
|
|
|
|
|
the changes there are only addition. The enhancements in this module entirely |
37
|
|
|
|
|
|
|
use the object-oriented interface. |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
=head1 SYNOPSIS |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
use CGI::Plus; |
42
|
|
|
|
|
|
|
my ($cgi, $cookie, $url, $param); |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
# new CGI::Plus object |
45
|
|
|
|
|
|
|
$cgi = CGI::Plus->new(); |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
# turn on checks for cross-site request forgeries (CSRF) |
48
|
|
|
|
|
|
|
$cgi->csrf(1); |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
# get a cookie and look at its values |
51
|
|
|
|
|
|
|
$cookie = $cgi->incoming_cookies->{'mycookie'}; |
52
|
|
|
|
|
|
|
print $cookie->{'values'}->{'x'}, "\n"; |
53
|
|
|
|
|
|
|
print $cookie->{'values'}->{'y'}, "\n"; |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
# more concise way to get an incoming cookie |
56
|
|
|
|
|
|
|
$cookie = $cgi->ic->{'mycookie'}; |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
# resend a cookie, but change one of its values |
59
|
|
|
|
|
|
|
$cookie = $cgi->resend_cookie('mycookie'); |
60
|
|
|
|
|
|
|
$cookie->{'values'}->{'x'} = 2; |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
# add an outgoing cookie, set some values |
63
|
|
|
|
|
|
|
$cookie = $cgi->new_send_cookie('newcookie'); |
64
|
|
|
|
|
|
|
$cookie->{'values'}->{'val1'} = '1'; |
65
|
|
|
|
|
|
|
$cookie->{'values'}->{'val2'} = '2'; |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
# output HTTP header with outgoing cookies, including CSRF |
68
|
|
|
|
|
|
|
# check cookie, automatically added |
69
|
|
|
|
|
|
|
print $cgi->header_plus; |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
# output header again if it hasn't already been sent, but if it |
72
|
|
|
|
|
|
|
# has then output an empty string |
73
|
|
|
|
|
|
|
print $cgi->header_plus; |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
# output the URL of the current page but set a new value |
76
|
|
|
|
|
|
|
# for the "t" param and remove the "j" param |
77
|
|
|
|
|
|
|
$url = $cgi->self_link(params=>{t=>2, j=>undef}); |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
# check if the submitted form includes the value of the CSRF |
80
|
|
|
|
|
|
|
# cookie that was sent |
81
|
|
|
|
|
|
|
if (! $cgi->csrf_check) |
82
|
|
|
|
|
|
|
{ die 'security error' } |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
# output the randomly generated value of the CSRF cookie, |
85
|
|
|
|
|
|
|
# output: KTFnGgpkZ4 |
86
|
|
|
|
|
|
|
print $cgi->csrf_value, "\n"; |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
# output the hidden input form field that uses the same |
89
|
|
|
|
|
|
|
# value as the CSRF cookie |
90
|
|
|
|
|
|
|
# output: |
91
|
|
|
|
|
|
|
print $cgi->csrf_field, "\n"; |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
# get the CSRF check param for use in a URL |
94
|
|
|
|
|
|
|
# output: csrf=KTFnGgpkZ4 |
95
|
|
|
|
|
|
|
print $cgi->csrf_param; |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
# set a custom header |
98
|
|
|
|
|
|
|
$cgi->set_header('myheader', 'whatever'); |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
# change content type |
101
|
|
|
|
|
|
|
$cgi->set_content_type('text/json'); |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
# output HTTP headers, including added cookies, the CSRF cookie, |
104
|
|
|
|
|
|
|
# and the new header |
105
|
|
|
|
|
|
|
print $cgi->header_plus; |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
# outputs something like this: |
108
|
|
|
|
|
|
|
# Set-Cookie: newcookie=val2&2&val1&1; path=/ |
109
|
|
|
|
|
|
|
# Set-Cookie: mycookie=y&2&x&2; path=/ |
110
|
|
|
|
|
|
|
# Set-Cookie: csrf=v&KTFnGgpkZ4; path=/ |
111
|
|
|
|
|
|
|
# Date: Sun, 29 Jul 2012 04:08:06 GMT |
112
|
|
|
|
|
|
|
# Myheader: whatever |
113
|
|
|
|
|
|
|
# Content-Type: text/json; charset=ISO-8859-1 |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
=head1 INSTALLATION |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
CGI::Plus can be installed with the usual routine: |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
perl Makefile.PL |
120
|
|
|
|
|
|
|
make |
121
|
|
|
|
|
|
|
make test |
122
|
|
|
|
|
|
|
make install |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
=head1 METHODS |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=cut |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
130
|
|
|
|
|
|
|
## new |
131
|
|
|
|
|
|
|
# |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
=head2 CGI::Plus->new() |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
Creates and returns a CGI::Plus object. New calls the super-class' new() |
136
|
|
|
|
|
|
|
method, so all params sent to this method will be passed through to CGI |
137
|
|
|
|
|
|
|
and CGI::Safe. |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=cut |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
sub new { |
142
|
9
|
|
|
9
|
1
|
10258
|
my $class = shift; |
143
|
9
|
|
|
|
|
78
|
my $cgi = $class->SUPER::new(@_); |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
# set cookies |
146
|
9
|
|
|
|
|
19870
|
$cgi->initialize_cookies(); |
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
# call super method |
149
|
9
|
|
|
|
|
38
|
return $cgi; |
150
|
|
|
|
|
|
|
} |
151
|
|
|
|
|
|
|
# |
152
|
|
|
|
|
|
|
# new |
153
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
|
156
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
157
|
|
|
|
|
|
|
# ic, oc |
158
|
|
|
|
|
|
|
# quick accesors to incoming and outgoing cookies |
159
|
|
|
|
|
|
|
# |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
=head2 $cgi->ic, $cgi->oc |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
=cut |
165
|
|
|
|
|
|
|
|
166
|
6
|
|
|
6
|
0
|
46
|
sub incoming_cookies { return $_[0]->{'cookies'}->{'incoming'} } |
167
|
6
|
|
|
6
|
1
|
94
|
sub ic { return shift->incoming_cookies(@_) } |
168
|
|
|
|
|
|
|
|
169
|
11
|
|
|
11
|
0
|
149
|
sub outgoing_cookies { return $_[0]->{'cookies'}->{'outgoing'} } |
170
|
11
|
|
|
11
|
1
|
144
|
sub oc { return shift->outgoing_cookies(@_) } |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
# |
173
|
|
|
|
|
|
|
# ic, oc |
174
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
178
|
|
|
|
|
|
|
# initialize_cookies |
179
|
|
|
|
|
|
|
# private method |
180
|
|
|
|
|
|
|
# |
181
|
|
|
|
|
|
|
sub initialize_cookies { |
182
|
9
|
|
|
9
|
0
|
18
|
my ($cgi) = @_; |
183
|
9
|
|
|
|
|
15
|
my ($got, %cookies); |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
# cookie hashes |
186
|
9
|
|
|
|
|
126
|
$cgi->{'cookies'} = {}; |
187
|
9
|
|
|
|
|
30
|
$got = $cgi->{'cookies'}->{'incoming'} = {}; |
188
|
9
|
|
|
|
|
28
|
$cgi->{'cookies'}->{'outgoing'} = {}; |
189
|
|
|
|
|
|
|
|
190
|
|
|
|
|
|
|
# get hash of cookies that were sent |
191
|
9
|
|
|
|
|
329
|
%cookies = CGI::Cookie->fetch(); |
192
|
|
|
|
|
|
|
# showhash \%cookies, title=>'%cookies'; |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
# populate cookie values |
195
|
9
|
|
|
|
|
6157
|
foreach my $name (keys %cookies) { |
196
|
18
|
|
|
|
|
28
|
my ($cookie, $element, @value); |
197
|
18
|
|
|
|
|
35
|
$cookie = $cookies{$name}; |
198
|
18
|
|
|
|
|
30
|
$element = {}; |
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
# name of cookie |
201
|
18
|
|
|
|
|
117
|
$element->{'name'} = $name; |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
# original cookie object |
204
|
18
|
|
|
|
|
33
|
$element->{'org'} = $cookie; |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
# expires |
207
|
18
|
50
|
|
|
|
58
|
if (defined $cookie->expires()) |
208
|
0
|
|
|
|
|
0
|
{ $element->{'expires'} = $cookie->expires() } |
209
|
|
|
|
|
|
|
|
210
|
|
|
|
|
|
|
# get parsed values |
211
|
18
|
|
|
|
|
302
|
@value = $cookie->value(); |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
# if more than one element in @value, assume it's a hash |
214
|
18
|
100
|
|
|
|
317
|
if (@value > 1) |
215
|
9
|
|
|
|
|
40
|
{ $element->{'values'} = {@value} } |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
# else it's a single string value |
218
|
|
|
|
|
|
|
else |
219
|
9
|
|
|
|
|
25
|
{ $element->{'value'} = $cookie->value() } |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
# hold on to cookie element |
222
|
18
|
|
|
|
|
121
|
$got->{$name} = $element; |
223
|
|
|
|
|
|
|
} |
224
|
|
|
|
|
|
|
} |
225
|
|
|
|
|
|
|
# |
226
|
|
|
|
|
|
|
# initialize_cookies |
227
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
|
230
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
231
|
|
|
|
|
|
|
# cookie_resend |
232
|
|
|
|
|
|
|
# |
233
|
|
|
|
|
|
|
sub resend_cookie { |
234
|
1
|
|
|
1
|
0
|
360
|
my $cgi = shift; |
235
|
1
|
|
|
|
|
6
|
return $cgi->cookie_resend(@_); |
236
|
|
|
|
|
|
|
} |
237
|
|
|
|
|
|
|
|
238
|
|
|
|
|
|
|
sub cookie_resend { |
239
|
2
|
|
|
2
|
0
|
7
|
my ($cgi, $name, %opts) = @_; |
240
|
2
|
|
|
|
|
4
|
my ($got, $send); |
241
|
|
|
|
|
|
|
|
242
|
|
|
|
|
|
|
# default %opts |
243
|
2
|
|
|
|
|
8
|
%opts = (ensure=>1, %opts); |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
# if not ensuring existence of cookie, and cookie doesn't |
246
|
|
|
|
|
|
|
# exist, return undef |
247
|
2
|
50
|
66
|
|
|
9
|
unless ( $cgi->ic->{$name} || $opts{'ensure'}) { |
248
|
0
|
|
|
|
|
0
|
return undef; |
249
|
|
|
|
|
|
|
} |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
# get sent cookie |
252
|
2
|
|
100
|
|
|
7
|
$got = $cgi->ic->{$name} || {'name'=>$name}; |
253
|
|
|
|
|
|
|
|
254
|
|
|
|
|
|
|
# create cookie that gets sent back out |
255
|
2
|
|
|
|
|
5
|
$send = {}; |
256
|
|
|
|
|
|
|
|
257
|
|
|
|
|
|
|
# clone $got cookie |
258
|
2
|
|
|
|
|
11
|
foreach my $key (keys %$got) { |
259
|
4
|
|
|
|
|
7
|
my $value = $got->{$key}; |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
# original cookie |
262
|
4
|
100
|
|
|
|
36
|
if (UNIVERSAL::isa $value, 'CGI::Cookie') { |
|
|
100
|
|
|
|
|
|
263
|
1
|
|
|
|
|
4
|
$send->{$key} = $value; |
264
|
|
|
|
|
|
|
} |
265
|
|
|
|
|
|
|
|
266
|
|
|
|
|
|
|
# hashref |
267
|
|
|
|
|
|
|
elsif (UNIVERSAL::isa $value, 'HASH') { |
268
|
1
|
|
|
|
|
6
|
$send->{$key} = {%$value}; |
269
|
|
|
|
|
|
|
} |
270
|
|
|
|
|
|
|
|
271
|
|
|
|
|
|
|
# else just copy |
272
|
|
|
|
|
|
|
else { |
273
|
2
|
|
|
|
|
7
|
$send->{$key} = $value; |
274
|
|
|
|
|
|
|
} |
275
|
|
|
|
|
|
|
} |
276
|
|
|
|
|
|
|
|
277
|
|
|
|
|
|
|
# set cookie |
278
|
2
|
|
|
|
|
10
|
$cgi->oc->{$name} = $send; |
279
|
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
# return new cookie |
281
|
2
|
|
|
|
|
9
|
return $send; |
282
|
|
|
|
|
|
|
} |
283
|
|
|
|
|
|
|
# |
284
|
|
|
|
|
|
|
# cookie_resend |
285
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
|
288
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
289
|
|
|
|
|
|
|
# new_send_cookie |
290
|
|
|
|
|
|
|
# |
291
|
|
|
|
|
|
|
sub new_send_cookie { |
292
|
1
|
|
|
1
|
0
|
7
|
my ($cgi, $name) = @_; |
293
|
1
|
|
|
|
|
2
|
my ($cookie); |
294
|
|
|
|
|
|
|
|
295
|
|
|
|
|
|
|
# create oject |
296
|
1
|
|
|
|
|
4
|
$cookie = {}; |
297
|
1
|
|
|
|
|
3
|
$cookie->{'name'} = $name; |
298
|
1
|
|
|
|
|
3
|
$cookie->{'values'} = {}; |
299
|
|
|
|
|
|
|
|
300
|
|
|
|
|
|
|
# add to hash of outgoing cookies |
301
|
1
|
|
|
|
|
5
|
$cgi->oc->{$name} = $cookie; |
302
|
|
|
|
|
|
|
|
303
|
|
|
|
|
|
|
# return new cookie |
304
|
1
|
|
|
|
|
3
|
return $cookie; |
305
|
|
|
|
|
|
|
} |
306
|
|
|
|
|
|
|
# |
307
|
|
|
|
|
|
|
# new_send_cookie |
308
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
309
|
|
|
|
|
|
|
|
310
|
|
|
|
|
|
|
|
311
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
312
|
|
|
|
|
|
|
# self_link |
313
|
|
|
|
|
|
|
# |
314
|
|
|
|
|
|
|
|
315
|
|
|
|
|
|
|
=head2 $cgi->self_link(%options) |
316
|
|
|
|
|
|
|
|
317
|
|
|
|
|
|
|
Returns a url that is a relative link to the current page. The local path of |
318
|
|
|
|
|
|
|
the URL is sent, but not the protocol or host. So, for example, if the URL |
319
|
|
|
|
|
|
|
of the current page is |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
http://www.example.com/cgi-plus/?y=1&x=2&t=2&y=2 |
322
|
|
|
|
|
|
|
|
323
|
|
|
|
|
|
|
then $cgi->self_link() would return something like as follows. Note that the |
324
|
|
|
|
|
|
|
order of the URL params mght be changed. |
325
|
|
|
|
|
|
|
|
326
|
|
|
|
|
|
|
/cgi-plus/?y=1&y=2&x=2&t=2 |
327
|
|
|
|
|
|
|
|
328
|
|
|
|
|
|
|
NOTE: If all you want is to do is get the URL of the current page, then |
329
|
|
|
|
|
|
|
L<$cgi-Eurl()|http://perldoc.perl.org/CGI.html#OBTAINING-THE-SCRIPT%27S-URL> |
330
|
|
|
|
|
|
|
is a better choice because it preserves the order of URL params. |
331
|
|
|
|
|
|
|
|
332
|
|
|
|
|
|
|
B params |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
The C option allows you to change the values of some of the URL params |
335
|
|
|
|
|
|
|
while leaving others as-is. C is a hashref of URL params and |
336
|
|
|
|
|
|
|
their new values. For example, consider this URL: |
337
|
|
|
|
|
|
|
|
338
|
|
|
|
|
|
|
http://www.example.com/cgi-plus/?y=1&x=2&t=2&y=2 |
339
|
|
|
|
|
|
|
|
340
|
|
|
|
|
|
|
Suppose you want to change just that C param from 2 to 3. You would do that |
341
|
|
|
|
|
|
|
like this: |
342
|
|
|
|
|
|
|
|
343
|
|
|
|
|
|
|
$cgi->self_link(params=>{t=>3}) |
344
|
|
|
|
|
|
|
|
345
|
|
|
|
|
|
|
which gives us this relative URL with the C and C values as they were before, but |
346
|
|
|
|
|
|
|
with the new C value: |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
/cgi-plus/?y=1&y=2&x=2&t=3 |
349
|
|
|
|
|
|
|
|
350
|
|
|
|
|
|
|
If the value of the param is an array ref, then the param is output once |
351
|
|
|
|
|
|
|
for each value in the array ref. So, for example, you could set that C |
352
|
|
|
|
|
|
|
to have the values 4 and 5 like this: |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
$cgi->self_link(params=>{t=>[4,5]}) |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
which gives us |
357
|
|
|
|
|
|
|
|
358
|
|
|
|
|
|
|
/cgi-plus/?y=1&y=2&x=2&t=4&t=5 |
359
|
|
|
|
|
|
|
|
360
|
|
|
|
|
|
|
You can remove params by setting their values to undef: |
361
|
|
|
|
|
|
|
|
362
|
|
|
|
|
|
|
$cgi->self_link(params=>{t=>undef}) |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
which gives us |
365
|
|
|
|
|
|
|
|
366
|
|
|
|
|
|
|
/cgi-plus/?y=1&y=2&x=2 |
367
|
|
|
|
|
|
|
|
368
|
|
|
|
|
|
|
B clear_params |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
C removes all params from the URL. For example, using our |
371
|
|
|
|
|
|
|
example URL from above: |
372
|
|
|
|
|
|
|
|
373
|
|
|
|
|
|
|
http://www.example.com/cgi-plus/?y=1&x=2&t=2&y=2 |
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
this: |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
$cgi->self_link(clear_params=>1) |
378
|
|
|
|
|
|
|
|
379
|
|
|
|
|
|
|
returns this URL; |
380
|
|
|
|
|
|
|
|
381
|
|
|
|
|
|
|
/cgi-plus/ |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
You can use C in conjunction with C to wipe the slate clean |
384
|
|
|
|
|
|
|
and send only specific params. So, for example, this call |
385
|
|
|
|
|
|
|
|
386
|
|
|
|
|
|
|
$cgi->self_link(clear_params=>1, params=>{j=>10}) |
387
|
|
|
|
|
|
|
|
388
|
|
|
|
|
|
|
gives us this URL: |
389
|
|
|
|
|
|
|
|
390
|
|
|
|
|
|
|
/cgi-plus/?j=10 |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
B html |
393
|
|
|
|
|
|
|
|
394
|
|
|
|
|
|
|
The C option returns the URL HTML-escaped. So, for example, this |
395
|
|
|
|
|
|
|
call: |
396
|
|
|
|
|
|
|
|
397
|
|
|
|
|
|
|
$cgi->self_link(params=>{t=>[4,5]}, html=>1) |
398
|
|
|
|
|
|
|
|
399
|
|
|
|
|
|
|
returns this: |
400
|
|
|
|
|
|
|
|
401
|
|
|
|
|
|
|
/cgi-plus/?y=1&y=2&x=2&t=4&t=5 |
402
|
|
|
|
|
|
|
|
403
|
|
|
|
|
|
|
=cut |
404
|
|
|
|
|
|
|
|
405
|
|
|
|
|
|
|
sub self_link { |
406
|
6
|
|
|
6
|
1
|
4767
|
my ($cgi, %opts) = @_; |
407
|
6
|
|
|
|
|
11
|
my (%params, $rv, $query, $changes, %added); |
408
|
|
|
|
|
|
|
|
409
|
|
|
|
|
|
|
# get params for adding to url |
410
|
6
|
|
100
|
|
|
39
|
$changes = $opts{'params'} || $opts{'param'} || {}; |
411
|
|
|
|
|
|
|
|
412
|
|
|
|
|
|
|
# start with uri path |
413
|
6
|
50
|
|
|
|
58
|
unless ($rv = $ENV{'PATH_INFO'}) { |
414
|
6
|
|
|
|
|
13
|
$rv = $ENV{'REQUEST_URI'}; |
415
|
6
|
|
|
|
|
41
|
$rv =~ s|\?.*||s; |
416
|
|
|
|
|
|
|
} |
417
|
|
|
|
|
|
|
|
418
|
|
|
|
|
|
|
# get parameter names from cgi |
419
|
6
|
100
|
|
|
|
19
|
unless ($opts{'clear_params'}) |
420
|
4
|
|
|
|
|
17
|
{ @params{$cgi->param()} = () } |
421
|
|
|
|
|
|
|
|
422
|
|
|
|
|
|
|
# get parameter names from changes |
423
|
6
|
|
|
|
|
257
|
@params{keys %$changes} = (); |
424
|
|
|
|
|
|
|
|
425
|
|
|
|
|
|
|
# loop through params |
426
|
6
|
|
|
|
|
23
|
foreach my $key (keys %params) { |
427
|
9
|
|
|
|
|
12
|
my (@vals); |
428
|
|
|
|
|
|
|
|
429
|
|
|
|
|
|
|
# get values from adds |
430
|
9
|
100
|
|
|
|
22
|
if (exists $changes->{$key}) { |
431
|
4
|
100
|
|
|
|
12
|
if (ref $changes->{$key}) |
432
|
1
|
|
|
|
|
3
|
{ @vals = @{$changes->{$key}} } |
|
1
|
|
|
|
|
5
|
|
433
|
|
|
|
|
|
|
else |
434
|
3
|
|
|
|
|
7
|
{ @vals = $changes->{$key} } |
435
|
|
|
|
|
|
|
} |
436
|
|
|
|
|
|
|
else { |
437
|
5
|
|
|
|
|
16
|
@vals = $cgi->param($key); |
438
|
|
|
|
|
|
|
} |
439
|
|
|
|
|
|
|
|
440
|
|
|
|
|
|
|
# remove values that are undef |
441
|
9
|
|
|
|
|
210
|
@vals = grep {defined $_} @vals; |
|
12
|
|
|
|
|
73
|
|
442
|
|
|
|
|
|
|
|
443
|
|
|
|
|
|
|
# output values |
444
|
9
|
|
|
|
|
19
|
foreach my $val (@vals) { |
445
|
|
|
|
|
|
|
# add delimiter or query marker |
446
|
12
|
100
|
|
|
|
21
|
if ($query) |
447
|
7
|
|
|
|
|
14
|
{ $query .= '&' } |
448
|
|
|
|
|
|
|
else |
449
|
5
|
|
|
|
|
10
|
{ $query = '?' } |
450
|
|
|
|
|
|
|
|
451
|
|
|
|
|
|
|
# url escape |
452
|
12
|
|
|
|
|
58
|
$val = $cgi->escape($val); |
453
|
|
|
|
|
|
|
|
454
|
|
|
|
|
|
|
# add value |
455
|
12
|
|
|
|
|
297
|
$query .= $key . '=' . $val; |
456
|
|
|
|
|
|
|
} |
457
|
|
|
|
|
|
|
} |
458
|
|
|
|
|
|
|
|
459
|
|
|
|
|
|
|
# add query |
460
|
6
|
100
|
|
|
|
24
|
if ($query) |
461
|
5
|
|
|
|
|
10
|
{ $rv .= $query } |
462
|
|
|
|
|
|
|
|
463
|
|
|
|
|
|
|
# html escape |
464
|
6
|
50
|
|
|
|
17
|
if ($opts{'html'}) |
465
|
0
|
|
|
|
|
0
|
{ $rv = htmlesc($rv) } |
466
|
|
|
|
|
|
|
|
467
|
|
|
|
|
|
|
# return |
468
|
6
|
|
|
|
|
29
|
return $rv; |
469
|
|
|
|
|
|
|
} |
470
|
|
|
|
|
|
|
# |
471
|
|
|
|
|
|
|
# self_link |
472
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
473
|
|
|
|
|
|
|
|
474
|
|
|
|
|
|
|
|
475
|
|
|
|
|
|
|
|
476
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
477
|
|
|
|
|
|
|
# set_header |
478
|
|
|
|
|
|
|
# |
479
|
|
|
|
|
|
|
sub set_header { |
480
|
1
|
|
|
1
|
0
|
7
|
my ($cgi, $name, $value) = @_; |
481
|
|
|
|
|
|
|
|
482
|
|
|
|
|
|
|
# initialize header hash |
483
|
1
|
|
50
|
|
|
14
|
$cgi->{'headers'} ||= {}; |
484
|
|
|
|
|
|
|
|
485
|
|
|
|
|
|
|
# set header |
486
|
1
|
|
|
|
|
3
|
$cgi->{'headers'}->{$name} = $value; |
487
|
|
|
|
|
|
|
|
488
|
|
|
|
|
|
|
# return |
489
|
1
|
|
|
|
|
4
|
return 1; |
490
|
|
|
|
|
|
|
} |
491
|
|
|
|
|
|
|
# |
492
|
|
|
|
|
|
|
# set_header |
493
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
494
|
|
|
|
|
|
|
|
495
|
|
|
|
|
|
|
|
496
|
|
|
|
|
|
|
|
497
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
498
|
|
|
|
|
|
|
# set_content_type |
499
|
|
|
|
|
|
|
# |
500
|
|
|
|
|
|
|
sub set_content_type { |
501
|
1
|
|
|
1
|
0
|
6
|
my ($cgi, $type) = @_; |
502
|
|
|
|
|
|
|
|
503
|
|
|
|
|
|
|
# set type |
504
|
1
|
|
|
|
|
3
|
$cgi->{'content_type'} = $type; |
505
|
|
|
|
|
|
|
|
506
|
|
|
|
|
|
|
# return |
507
|
1
|
|
|
|
|
2
|
return 1; |
508
|
|
|
|
|
|
|
} |
509
|
|
|
|
|
|
|
# |
510
|
|
|
|
|
|
|
# set_content_type |
511
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
512
|
|
|
|
|
|
|
|
513
|
|
|
|
|
|
|
|
514
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
515
|
|
|
|
|
|
|
# header_plus |
516
|
|
|
|
|
|
|
# |
517
|
|
|
|
|
|
|
sub header_plus { |
518
|
3
|
|
|
3
|
0
|
743
|
my ($cgi, %opts) = @_; |
519
|
3
|
|
|
|
|
8
|
my (@cookies); |
520
|
|
|
|
|
|
|
|
521
|
|
|
|
|
|
|
# if header has already been sent, don't send it again, just |
522
|
|
|
|
|
|
|
# return empty string |
523
|
3
|
50
|
|
|
|
10
|
if ($cgi->{'header_sent'}) |
524
|
0
|
|
|
|
|
0
|
{ return '' } |
525
|
|
|
|
|
|
|
|
526
|
|
|
|
|
|
|
# set content type |
527
|
3
|
100
|
66
|
|
|
27
|
if ( (! $opts{'-type'}) && $cgi->{'content_type'} ) { |
528
|
1
|
|
|
|
|
4
|
$opts{'-type'} = $cgi->{'content_type'}; |
529
|
|
|
|
|
|
|
} |
530
|
|
|
|
|
|
|
|
531
|
|
|
|
|
|
|
# add headers |
532
|
3
|
100
|
|
|
|
85
|
if ($cgi->{'headers'}) { |
533
|
1
|
|
|
|
|
2
|
while ( my($name, $value) = each(%{$cgi->{'headers'}}) ) { |
|
2
|
|
|
|
|
11
|
|
534
|
1
|
|
|
|
|
6
|
$name =~ s|^\-*|-|s; |
535
|
1
|
|
33
|
|
|
7
|
$opts{$name} ||= $value; |
536
|
|
|
|
|
|
|
} |
537
|
|
|
|
|
|
|
} |
538
|
|
|
|
|
|
|
|
539
|
|
|
|
|
|
|
# add cookies |
540
|
3
|
|
|
|
|
5
|
foreach my $name ( keys %{$cgi->oc} ) { |
|
3
|
|
|
|
|
9
|
|
541
|
1
|
|
|
|
|
2
|
my (%element, %params, $cookie); |
542
|
1
|
|
|
|
|
6
|
%element = %{$cgi->oc->{$name}}; |
|
1
|
|
|
|
|
7
|
|
543
|
|
|
|
|
|
|
|
544
|
|
|
|
|
|
|
# 'values' takes precedence over 'value' |
545
|
1
|
50
|
|
|
|
7
|
if ($element{'values'}) |
|
|
0
|
|
|
|
|
|
546
|
1
|
|
|
|
|
3
|
{ delete $element{'value'} } |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
# else if no 'value' either, set it to empty string |
549
|
|
|
|
|
|
|
elsif (! defined $element{'value'}) |
550
|
0
|
|
|
|
|
0
|
{ $element{'value'} = '' } |
551
|
|
|
|
|
|
|
|
552
|
|
|
|
|
|
|
# loop through values |
553
|
1
|
|
|
|
|
4
|
foreach my $key (keys %element) { |
554
|
|
|
|
|
|
|
# special case: values |
555
|
2
|
100
|
|
|
|
7
|
if ($key eq 'values') { |
556
|
1
|
|
|
|
|
3
|
$params{'-value'} = $element{$key}; |
557
|
|
|
|
|
|
|
} |
558
|
|
|
|
|
|
|
|
559
|
|
|
|
|
|
|
# else just copy value |
560
|
|
|
|
|
|
|
else { |
561
|
1
|
|
|
|
|
3
|
my $send_key = $key; |
562
|
1
|
|
|
|
|
7
|
$send_key =~ s|^\-*|-|; |
563
|
|
|
|
|
|
|
|
564
|
1
|
|
|
|
|
6
|
$params{$send_key} = $element{$key}; |
565
|
|
|
|
|
|
|
} |
566
|
|
|
|
|
|
|
} |
567
|
|
|
|
|
|
|
|
568
|
|
|
|
|
|
|
# set domain |
569
|
1
|
50
|
|
|
|
5
|
if ($element{'domain'}) |
570
|
0
|
|
|
|
|
0
|
{ $params{'-domain'} = $element{'domain'} } |
571
|
|
|
|
|
|
|
|
572
|
|
|
|
|
|
|
# set expires: default to one year |
573
|
1
|
50
|
|
|
|
6
|
if (exists $element{'expires'}) { |
574
|
0
|
0
|
|
|
|
0
|
if (defined $element{'expires'}) |
575
|
0
|
|
|
|
|
0
|
{ $params{'-expires'} = $element{'expires'} } |
576
|
|
|
|
|
|
|
} |
577
|
|
|
|
|
|
|
else { |
578
|
1
|
|
|
|
|
3
|
$params{'-expires'} = '+1y'; |
579
|
|
|
|
|
|
|
} |
580
|
|
|
|
|
|
|
|
581
|
|
|
|
|
|
|
# create cookie object |
582
|
1
|
|
|
|
|
7
|
$cookie = CGI::Cookie->new(%params); |
583
|
|
|
|
|
|
|
|
584
|
1
|
50
|
|
|
|
386
|
if (! defined $cookie) { |
585
|
|
|
|
|
|
|
# showhash \%params, title=>'error generating cookie'; |
586
|
0
|
|
|
|
|
0
|
die 'cookie error'; |
587
|
|
|
|
|
|
|
} |
588
|
|
|
|
|
|
|
|
589
|
|
|
|
|
|
|
# add to cookie array |
590
|
1
|
|
|
|
|
6
|
push @cookies, $cookie; |
591
|
|
|
|
|
|
|
} |
592
|
|
|
|
|
|
|
|
593
|
|
|
|
|
|
|
# add cookies to header options |
594
|
3
|
100
|
|
|
|
10
|
if (@cookies) |
595
|
1
|
|
|
|
|
3
|
{ $opts{'-cookie'} = \@cookies } |
596
|
|
|
|
|
|
|
|
597
|
|
|
|
|
|
|
# note that header has been sent |
598
|
3
|
|
|
|
|
7
|
$cgi->{'header_sent'} = 1; |
599
|
|
|
|
|
|
|
|
600
|
|
|
|
|
|
|
# call super method |
601
|
3
|
|
|
|
|
82
|
return $cgi->SUPER::header(%opts); |
602
|
|
|
|
|
|
|
} |
603
|
|
|
|
|
|
|
# |
604
|
|
|
|
|
|
|
# header_plus |
605
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
606
|
|
|
|
|
|
|
|
607
|
|
|
|
|
|
|
|
608
|
|
|
|
|
|
|
|
609
|
|
|
|
|
|
|
|
610
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
611
|
|
|
|
|
|
|
# CSRF info |
612
|
|
|
|
|
|
|
# |
613
|
|
|
|
|
|
|
|
614
|
|
|
|
|
|
|
=head1 Cross-site request forgery (CSRF) defenses |
615
|
|
|
|
|
|
|
|
616
|
|
|
|
|
|
|
A L |
617
|
|
|
|
|
|
|
(CSRF) is a technique for breaching a web site's security. CSRF is one of the |
618
|
|
|
|
|
|
|
most common web-site vulnerabilities. CGI::Plus provides a technique for |
619
|
|
|
|
|
|
|
protecting |
620
|
|
|
|
|
|
|
|
621
|
|
|
|
|
|
|
=cut |
622
|
|
|
|
|
|
|
|
623
|
|
|
|
|
|
|
# |
624
|
|
|
|
|
|
|
# CSRF info |
625
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
626
|
|
|
|
|
|
|
|
627
|
|
|
|
|
|
|
|
628
|
|
|
|
|
|
|
|
629
|
|
|
|
|
|
|
|
630
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
631
|
|
|
|
|
|
|
# csrf |
632
|
|
|
|
|
|
|
# |
633
|
|
|
|
|
|
|
sub csrf { |
634
|
6
|
|
|
6
|
0
|
15
|
my $cgi = shift; |
635
|
|
|
|
|
|
|
|
636
|
|
|
|
|
|
|
# set csrf value if sent |
637
|
6
|
100
|
|
|
|
20
|
if (@_) { |
638
|
1
|
|
|
|
|
82
|
$cgi->{'csrf'} = $_[0]; |
639
|
|
|
|
|
|
|
|
640
|
|
|
|
|
|
|
# set csrf cookie |
641
|
1
|
50
|
|
|
|
7
|
if ($cgi->{'csrf'}) { |
642
|
1
|
|
|
|
|
2
|
my ($cookie); |
643
|
1
|
|
|
|
|
6
|
$cookie = $cgi->cookie_resend($cgi->csrf_name); |
644
|
1
|
|
50
|
|
|
33
|
$cookie->{'values'} ||= {v=>randword(10)}; |
645
|
|
|
|
|
|
|
} |
646
|
|
|
|
|
|
|
} |
647
|
|
|
|
|
|
|
|
648
|
|
|
|
|
|
|
# return |
649
|
6
|
|
|
|
|
300
|
return $cgi->{'csrf'}; |
650
|
|
|
|
|
|
|
} |
651
|
|
|
|
|
|
|
# |
652
|
|
|
|
|
|
|
# csrf |
653
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
654
|
|
|
|
|
|
|
|
655
|
|
|
|
|
|
|
|
656
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
657
|
|
|
|
|
|
|
# csrf_name |
658
|
|
|
|
|
|
|
# |
659
|
|
|
|
|
|
|
sub csrf_name { |
660
|
5
|
|
|
5
|
0
|
557
|
return 'csrf'; |
661
|
|
|
|
|
|
|
} |
662
|
|
|
|
|
|
|
# |
663
|
|
|
|
|
|
|
# csrf_name |
664
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
665
|
|
|
|
|
|
|
|
666
|
|
|
|
|
|
|
|
667
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
668
|
|
|
|
|
|
|
# csrf_value |
669
|
|
|
|
|
|
|
# |
670
|
|
|
|
|
|
|
|
671
|
|
|
|
|
|
|
=head2 $cgi->csrf_value() |
672
|
|
|
|
|
|
|
|
673
|
|
|
|
|
|
|
Returns the string used in CSRF checks. This value must be included in an HTML |
674
|
|
|
|
|
|
|
form (see L$cgi-Ecsrf_value()>) |
675
|
|
|
|
|
|
|
|
676
|
|
|
|
|
|
|
=cut |
677
|
|
|
|
|
|
|
|
678
|
|
|
|
|
|
|
sub csrf_value { |
679
|
0
|
|
|
0
|
1
|
0
|
my ($cgi) = @_; |
680
|
0
|
|
|
|
|
0
|
my ($name, $cookie, $rv); |
681
|
|
|
|
|
|
|
|
682
|
|
|
|
|
|
|
# must be in csrf mode |
683
|
0
|
0
|
|
|
|
0
|
if (! $cgi->csrf) |
684
|
0
|
|
|
|
|
0
|
{ croak 'cannot set CSRF field when not in CSRF mode' } |
685
|
|
|
|
|
|
|
|
686
|
|
|
|
|
|
|
# get name of csrf cookie |
687
|
0
|
|
|
|
|
0
|
$name = $cgi->csrf_name; |
688
|
|
|
|
|
|
|
|
689
|
|
|
|
|
|
|
# get csrf cookie |
690
|
0
|
|
|
|
|
0
|
$cookie = $cgi->oc->{$name}; |
691
|
0
|
0
|
|
|
|
0
|
$cookie or die 'do not have csrf cookie'; |
692
|
|
|
|
|
|
|
|
693
|
|
|
|
|
|
|
# return |
694
|
0
|
|
|
|
|
0
|
return $cookie->{'values'}->{'v'}; |
695
|
|
|
|
|
|
|
} |
696
|
|
|
|
|
|
|
# |
697
|
|
|
|
|
|
|
# csrf_value |
698
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
699
|
|
|
|
|
|
|
|
700
|
|
|
|
|
|
|
|
701
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
702
|
|
|
|
|
|
|
# csrf_field |
703
|
|
|
|
|
|
|
# |
704
|
|
|
|
|
|
|
|
705
|
|
|
|
|
|
|
=head2 $cgi->csrf_field() |
706
|
|
|
|
|
|
|
|
707
|
|
|
|
|
|
|
Returns a hidden HTML field with the CSRF check value in it. This field must |
708
|
|
|
|
|
|
|
be included in HTML forms if you do a CSRF check. The string will look |
709
|
|
|
|
|
|
|
something like this: |
710
|
|
|
|
|
|
|
|
711
|
|
|
|
|
|
|
|
712
|
|
|
|
|
|
|
|
713
|
|
|
|
|
|
|
=cut |
714
|
|
|
|
|
|
|
|
715
|
|
|
|
|
|
|
sub csrf_field { |
716
|
1
|
|
|
1
|
1
|
3
|
my ($cgi) = @_; |
717
|
1
|
|
|
|
|
3
|
my ($name, $cookie, $rv); |
718
|
|
|
|
|
|
|
|
719
|
|
|
|
|
|
|
# must be in csrf mode |
720
|
1
|
50
|
|
|
|
4
|
if (! $cgi->csrf) |
721
|
0
|
|
|
|
|
0
|
{ croak 'cannot set CSRF field when not in CSRF mode' } |
722
|
|
|
|
|
|
|
|
723
|
|
|
|
|
|
|
# get name of csrf cookie |
724
|
1
|
|
|
|
|
4
|
$name = $cgi->csrf_name; |
725
|
|
|
|
|
|
|
|
726
|
|
|
|
|
|
|
# get csrf cookie |
727
|
1
|
|
|
|
|
5
|
$cookie = $cgi->oc->{$name}; |
728
|
1
|
50
|
|
|
|
6
|
$cookie or die 'do not have csrf cookie'; |
729
|
|
|
|
|
|
|
|
730
|
|
|
|
|
|
|
# showhash $cookie; |
731
|
|
|
|
|
|
|
# showhash $cookie->{'values'}->{'v'}; |
732
|
|
|
|
|
|
|
|
733
|
|
|
|
|
|
|
# build return value |
734
|
1
|
|
|
|
|
7
|
$rv = |
735
|
|
|
|
|
|
|
'
|
736
|
|
|
|
|
|
|
'name="' . htmlesc($name) . '" ' . |
737
|
|
|
|
|
|
|
'value="' . htmlesc($cookie->{'values'}->{'v'}) . '">'; |
738
|
|
|
|
|
|
|
|
739
|
|
|
|
|
|
|
# return |
740
|
1
|
|
|
|
|
56
|
return $rv; |
741
|
|
|
|
|
|
|
} |
742
|
|
|
|
|
|
|
# |
743
|
|
|
|
|
|
|
# csrf_field |
744
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
745
|
|
|
|
|
|
|
|
746
|
|
|
|
|
|
|
|
747
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
748
|
|
|
|
|
|
|
# csrf_param |
749
|
|
|
|
|
|
|
# |
750
|
|
|
|
|
|
|
|
751
|
|
|
|
|
|
|
=head2 $cgi->csrf_param() |
752
|
|
|
|
|
|
|
|
753
|
|
|
|
|
|
|
Returns the URL parameter to use in a URL. The return value will look |
754
|
|
|
|
|
|
|
something like this: |
755
|
|
|
|
|
|
|
|
756
|
|
|
|
|
|
|
csrf=8hFnVjSr25 |
757
|
|
|
|
|
|
|
|
758
|
|
|
|
|
|
|
The string will never contain HTML or URL meta characters, so it does not need |
759
|
|
|
|
|
|
|
to be HTML or URL escaped. |
760
|
|
|
|
|
|
|
|
761
|
|
|
|
|
|
|
=cut |
762
|
|
|
|
|
|
|
|
763
|
|
|
|
|
|
|
sub csrf_param { |
764
|
1
|
|
|
1
|
1
|
3
|
my ($cgi) = @_; |
765
|
1
|
|
|
|
|
2
|
my ($name, $cookie, $rv); |
766
|
|
|
|
|
|
|
|
767
|
|
|
|
|
|
|
# must be in csrf mode |
768
|
1
|
50
|
|
|
|
3
|
if (! $cgi->csrf) |
769
|
0
|
|
|
|
|
0
|
{ croak 'cannot set CSRF field when not in CSRF mode' } |
770
|
|
|
|
|
|
|
|
771
|
|
|
|
|
|
|
# get name of csrf cookie |
772
|
1
|
|
|
|
|
3
|
$name = $cgi->csrf_name; |
773
|
|
|
|
|
|
|
|
774
|
|
|
|
|
|
|
# get csrf cookie |
775
|
1
|
|
|
|
|
5
|
$cookie = $cgi->oc->{$name}; |
776
|
1
|
50
|
|
|
|
9
|
$cookie or die 'do not have csrf cookie'; |
777
|
|
|
|
|
|
|
|
778
|
|
|
|
|
|
|
# build return value |
779
|
1
|
|
|
|
|
4
|
$rv = $name . '=' . $cookie->{'values'}->{'v'}; |
780
|
|
|
|
|
|
|
|
781
|
|
|
|
|
|
|
# return |
782
|
1
|
|
|
|
|
7
|
return $rv; |
783
|
|
|
|
|
|
|
} |
784
|
|
|
|
|
|
|
# |
785
|
|
|
|
|
|
|
# csrf_param |
786
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
787
|
|
|
|
|
|
|
|
788
|
|
|
|
|
|
|
|
789
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
790
|
|
|
|
|
|
|
# csrf_check |
791
|
|
|
|
|
|
|
# |
792
|
|
|
|
|
|
|
|
793
|
|
|
|
|
|
|
=head2 $cgi->csrf_check() |
794
|
|
|
|
|
|
|
|
795
|
|
|
|
|
|
|
Checks if a CSRF check value was sent and that it matches the CSRF check |
796
|
|
|
|
|
|
|
cookie. CSRF checks must be turned on or this method will croak. The |
797
|
|
|
|
|
|
|
following code is a typical usage of csrf checking: |
798
|
|
|
|
|
|
|
|
799
|
|
|
|
|
|
|
$cgi->csrf(1); |
800
|
|
|
|
|
|
|
|
801
|
|
|
|
|
|
|
if (! $cgi->csrf_check) { |
802
|
|
|
|
|
|
|
die 'security error'; |
803
|
|
|
|
|
|
|
} |
804
|
|
|
|
|
|
|
|
805
|
|
|
|
|
|
|
=cut |
806
|
|
|
|
|
|
|
|
807
|
|
|
|
|
|
|
sub csrf_check { |
808
|
1
|
|
|
1
|
1
|
3
|
my ($cgi) = @_; |
809
|
1
|
|
|
|
|
3
|
my ($name, $cookie, $cookie_value, $form_value); |
810
|
|
|
|
|
|
|
|
811
|
|
|
|
|
|
|
# must be in csrf mode |
812
|
1
|
50
|
|
|
|
4
|
if (! $cgi->csrf) |
813
|
0
|
|
|
|
|
0
|
{ croak 'cannot check CSRF when not in CSRF mode' } |
814
|
|
|
|
|
|
|
|
815
|
|
|
|
|
|
|
# get name of csrf cookie |
816
|
1
|
|
|
|
|
6
|
$name = $cgi->csrf_name; |
817
|
|
|
|
|
|
|
|
818
|
|
|
|
|
|
|
# get csrf cookie |
819
|
1
|
|
|
|
|
4
|
$cookie = $cgi->oc->{$name}; |
820
|
1
|
50
|
|
|
|
5
|
$cookie or return 0; |
821
|
|
|
|
|
|
|
|
822
|
|
|
|
|
|
|
# get cookie value |
823
|
1
|
|
|
|
|
3
|
$cookie_value = $cookie->{'values'}->{'v'}; |
824
|
1
|
50
|
|
|
|
4
|
$cookie_value or return 0; |
825
|
|
|
|
|
|
|
|
826
|
|
|
|
|
|
|
# get form value |
827
|
1
|
|
|
|
|
6
|
$form_value = $cgi->param($name); |
828
|
1
|
50
|
|
|
|
33
|
$form_value or return 0; |
829
|
|
|
|
|
|
|
|
830
|
|
|
|
|
|
|
# return true if same |
831
|
0
|
0
|
|
|
|
|
if ($cookie_value eq $form_value) |
832
|
0
|
|
|
|
|
|
{ return 1 } |
833
|
|
|
|
|
|
|
|
834
|
|
|
|
|
|
|
# else return false |
835
|
0
|
|
|
|
|
|
return 0; |
836
|
|
|
|
|
|
|
} |
837
|
|
|
|
|
|
|
# |
838
|
|
|
|
|
|
|
# csrf_check |
839
|
|
|
|
|
|
|
#------------------------------------------------------------------------------ |
840
|
|
|
|
|
|
|
|
841
|
|
|
|
|
|
|
|
842
|
|
|
|
|
|
|
|
843
|
|
|
|
|
|
|
|
844
|
|
|
|
|
|
|
# return true |
845
|
|
|
|
|
|
|
1; |
846
|
|
|
|
|
|
|
|
847
|
|
|
|
|
|
|
__END__ |