CGI-Application-Plugin-LinkIntegrity-0.06/0042755000175200001440000000000010432775231017665 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/t/0042755000175200001440000000000010432775231020130 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/t/pod.t0100644000175200001440000000021410432775231021067 0ustar michaelusers#!perl -T use Test::More; eval "use Test::Pod 1.14"; plan skip_all => "Test::Pod 1.14 required for testing POD" if $@; all_pod_files_ok(); CGI-Application-Plugin-LinkIntegrity-0.06/t/06-built_in_link_tampered_rm.t0100644000175200001440000000573310432775231025744 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; use URI; use URI::QueryParam; my $Created_Link; { package WebApp; use CGI; use CGI::Application; use vars qw(@ISA); use URI; use URI::Escape; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->header_type('none'); $self->run_modes([qw( link_okay create_link bad_user_no_biscuit )]); my %li_config = ( secret => 'extree seekrit', ); if ($self->param('custom_rm')) { $li_config{'link_tampered_run_mode'} = 'bad_user_no_biscuit'; } if ($self->param('check')) { $li_config{'checksum_param'} = $self->param('check'); } if ($self->param('create_link')) { $self->start_mode('create_link'); $li_config{'disable'} = 1; } else { $self->start_mode('link_okay'); } $self->link_integrity_config( %li_config, ); } sub link_okay { my $self = shift; return 'rm=link_okay'; } sub create_link { my $self = shift; return $self->link($self->param('create_link')); } sub bad_user_no_biscuit { my $self = shift; return 'rm=bad_user_no_biscuit'; } } ########################################################################### # Build the link $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = '80'; $ENV{'SCRIPT_NAME'} = '/cgi-bin/app.cgi'; $ENV{'SERVER_NAME'} = 'www.example.com'; $ENV{'PATH_INFO'} = '/my/happy/pathy/info'; $ENV{'QUERY_STRING'} = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu'; my $link = URI->new(WebApp->new(PARAMS => { create_link => 'http://www.example.com/script.cgi/path/info?p1=v1&p2=v2&p2=v3', })->run); # Validate it $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', 'link_okay'); # remove the _checksum from the query - this should invalidate it my $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, '

Access Denied

', 'link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it my $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, '

Access Denied

', 'link_tampered (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', 'link_okay (original checksum added again)'); CGI-Application-Plugin-LinkIntegrity-0.06/t/03-path_info_link.t0100644000175200001440000000722510432775231023522 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; { package WebApp; use CGI::Application; use vars qw(@ISA); use URI; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->run_modes([qw/start/]); $self->link_integrity_config( 'secret' => 'foo', 'disable' => 1, ); } sub start { my $self = shift; my $self_url = URI->new($self->query->url); my $self_url_w_path_info = URI->new($self->query->url(-path_info => 1)); $self->link_integrity_config( secret => 'foo', ); # Bare path_link - should remove the path_info my $link = $self->path_link; my $uri = URI->new($link); my %params = $uri->query_form; is($uri->path, $self_url->path, '[plain checksum] URI path'); ok(keys %params == 1, '[plain checksum] URI params'); ok(length $params{'_checksum'}, '[plain checksum] URI checksum'); # Test explicitly passing url params (w/o path_info (empty_string)) $link = $self->path_link('', wubba => 'woo', 'foo' => 'bar', bar=> 'baz'); $uri = URI->new($link); %params = $uri->query_form; is($uri->path, $self_url->path, '[params path_info=""] URI path'); ok(keys %params == 4, '[params path_info=""] URI params'); ok(length $params{'_checksum'}, '[params path_info=""] URI checksum'); is($params{'foo'}, 'bar', '[params path_info=""] URI param:foo'); is($params{'bar'}, 'baz', '[params path_info=""] URI param:bar'); is($params{'wubba'}, 'woo', '[params path_info=""] URI param:wubba'); # Test explicitly passing url params (w/o path_info (undef) $link = $self->path_link(undef, wubba => 'woo', 'foo' => 'bar', bar=> 'baz'); $uri = URI->new($link); %params = $uri->query_form; is($uri->path, $self_url->path, '[params path_info=undef] URI path'); ok(keys %params == 4, '[params path_info=undef] URI params'); ok(length $params{'_checksum'}, '[params path_info=undef] URI checksum'); is($params{'foo'}, 'bar', '[params path_info=undef] URI param:foo'); is($params{'bar'}, 'baz', '[params path_info=undef] URI param:bar'); is($params{'wubba'}, 'woo', '[params path_info=undef] URI param:wubba'); # Test with new path_info $link = $self->path_link('/sic/transit/gloria/mundi', wubba => 'woo','foo' => 'bar', bar=> 'baz' ); $uri = URI->new($link); %params = $uri->query_form; my $u = $self_url->clone; $u->path_segments($u->path_segments, qw(sic transit gloria mundi)); is($uri->path, $u->path, '[new path_info] URI path'); ok(keys %params == 4, '[new path_info] URI params'); ok(length $params{'_checksum'}, '[new path_info] URI checksum'); is($params{'foo'}, 'bar', '[new path_info] URI param:foo'); is($params{'bar'}, 'baz', '[new path_info] URI param:bar'); is($params{'wubba'}, 'woo', '[new path_info] URI param:wubba'); } } $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = '80'; $ENV{'SCRIPT_NAME'} = '/cgi-bin/app.cgi'; $ENV{'SERVER_NAME'} = 'www.example.com'; $ENV{'PATH_INFO'} = '/my/happy/pathy/info'; $ENV{'QUERY_STRING'} = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu'; WebApp->new->run; CGI-Application-Plugin-LinkIntegrity-0.06/t/01-link.t0100644000175200001440000000604510432775231021470 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; { package WebApp; use CGI::Application; use vars qw(@ISA); use URI; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->run_modes([qw/start/]); $self->link_integrity_config( 'secret' => 'foo', ); } sub start { my $self = shift; # Test bad digest module $self->link_integrity_config( digest_module => '', secret => 'foo', ); eval { $self->link('/fee/fie/foo'); }; ok($@, '[usage] bad digest_module caught'); $self->link_integrity_config(secret => 'foo'); # this should reset the config # Test that the checksum is created my $link = $self->link('/foo/bar/baz'); my $uri = URI->new($link); my %params = $uri->query_form; is($uri->path, '/foo/bar/baz', '[basic checksum] URI path'); ok(keys %params == 1, '[basic checksum] URI params'); ok(length $params{'_checksum'}, '[basic checksum] URI checksum'); # Test that url params are retained $link = $self->link('/foo/bar/baz/boom?wubba=woo&foo=bar&bar=baz'); $uri = URI->new($link); %params = $uri->query_form; is($uri->path, '/foo/bar/baz/boom', '[params (qs)] URI path'); ok(keys %params == 4, '[params (qs)] URI params'); ok(length $params{'_checksum'}, '[params (qs)] URI checksum'); is($params{'foo'}, 'bar', '[params (qs)] URI param:foo'); is($params{'bar'}, 'baz', '[params (qs)] URI param:bar'); is($params{'wubba'}, 'woo', '[params (qs)] URI param:wubba'); # Test explicitly passing url params $link = $self->link('/fee/fie/foo?wubba=woo', 'foo' => 'bar', bar=> 'baz'); $uri = URI->new($link); %params = $uri->query_form; is($uri->path, '/fee/fie/foo', '[params] URI path'); ok(keys %params == 4, '[params] URI params'); ok(length $params{'_checksum'}, '[params] URI checksum'); is($params{'foo'}, 'bar', '[params] URI param:foo'); is($params{'bar'}, 'baz', '[params] URI param:bar'); is($params{'wubba'}, 'woo', '[params] URI param:wubba'); # Test changing the checksum param $self->link_integrity_config( checksum_param => 'gordon', secret => 'sooper secret', ); $link = $self->link('/foo/bar/baz'); $uri = URI->new($link); %params = $uri->query_form; $uri = URI->new($link); %params = $uri->query_form; is($uri->path, '/foo/bar/baz', '[checksum_param] URI path'); ok(keys %params == 1, '[checksum_param] URI params'); ok(length $params{'gordon'}, '[checksum_param] URI checksum'); } } WebApp->new->run; CGI-Application-Plugin-LinkIntegrity-0.06/t/02-self_link.t0100644000175200001440000000410010432775231022470 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; { package WebApp; use CGI::Application; use vars qw(@ISA); use URI; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->run_modes([qw/start/]); $self->link_integrity_config( 'secret' => 'foo', 'disable' => 1, ); } sub start { my $self = shift; my $self_url = URI->new($self->query->url); my $self_url_w_path_info = URI->new($self->query->url(-path_info => 1)); $self->link_integrity_config( secret => 'foo', ); # Plain self_link my $link = $self->self_link; my $uri = URI->new($link); my %params = $uri->query_form; is($uri->path, $self_url_w_path_info->path, '[plain checksum] URI path'); ok(keys %params == 1, '[plain checksum] URI params'); ok(length $params{'_checksum'}, '[plain checksum] URI checksum'); # Test keeping path_info $link = $self->self_link(wubba => 'woo', 'foo' => 'bar', bar=> 'baz'); $uri = URI->new($link); %params = $uri->query_form; is($uri->path, $self_url_w_path_info->path, '[keep path_info] URI path'); ok(keys %params == 4, '[keep path_info] URI params'); ok(length $params{'_checksum'}, '[keep path_info] URI checksum'); is($params{'foo'}, 'bar', '[keep path_info] URI param:foo'); is($params{'bar'}, 'baz', '[keep path_info] URI param:bar'); is($params{'wubba'}, 'woo', '[keep path_info] URI param:wubba'); } } $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = '80'; $ENV{'SCRIPT_NAME'} = '/cgi-bin/app.cgi'; $ENV{'SERVER_NAME'} = 'www.example.com'; $ENV{'PATH_INFO'} = '/my/happy/pathy/info'; $ENV{'QUERY_STRING'} = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu'; WebApp->new->run; CGI-Application-Plugin-LinkIntegrity-0.06/t/07-invalid_checksum_hook.t0100644000175200001440000000522610432775231025071 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; use URI; use URI::QueryParam; my $Created_Link; my $Checksum_Callback_Called = 0; { package WebApp; use CGI; use CGI::Application; use vars qw(@ISA); use URI; use URI::Escape; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->header_type('none'); $self->run_modes([qw( link_okay create_link bad_user_no_biscuit )]); my %li_config = ( secret => 'extree seekrit', ); if ($self->param('custom_rm')) { $li_config{'link_tampered_run_mode'} = 'bad_user_no_biscuit'; } if ($self->param('check')) { $li_config{'checksum_param'} = $self->param('check'); } if ($self->param('create_link')) { $self->start_mode('create_link'); $li_config{'disable'} = 1; } else { $self->start_mode('link_okay'); } $self->link_integrity_config( %li_config, ); } sub link_okay { my $self = shift; return 'rm=link_okay'; } sub create_link { my $self = shift; return $self->link($self->param('create_link')); } sub bad_user_no_biscuit { my $self = shift; return 'rm=bad_user_no_biscuit'; } sub checksum_callback { $Checksum_Callback_Called = 1; } } ########################################################################### # Build the link $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = '80'; $ENV{'SCRIPT_NAME'} = '/cgi-bin/app.cgi'; $ENV{'SERVER_NAME'} = 'www.example.com'; $ENV{'PATH_INFO'} = '/my/happy/pathy/info'; $ENV{'QUERY_STRING'} = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu'; my $link = URI->new(WebApp->new(PARAMS => { create_link => 'http://www.example.com/script.cgi/path/info?p1=v1&p2=v2&p2=v3', })->run); # Validate it $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', 'link_okay'); # remove the _checksum from the query - this should invalidate it my $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; ok(!$Checksum_Callback_Called, 'checksum hook not yet called'); is(WebApp->new->run, '

Access Denied

', 'link_tampered (checksum removed)'); ok(!$Checksum_Callback_Called, 'checksum hook called'); CGI-Application-Plugin-LinkIntegrity-0.06/t/05-tampering.t0100644000175200001440000003353410432775231022530 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; use URI; use URI::QueryParam; my $Created_Link; { package WebApp; use CGI; use CGI::Application; use vars qw(@ISA); use URI; use URI::Escape; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->header_type('none'); $self->run_modes([qw( link_okay create_link bad_user_no_biscuit link_tampered )]); my %li_config = ( secret => 'extree seekrit', ); if ($self->param('custom_rm')) { $li_config{'link_tampered_run_mode'} = 'bad_user_no_biscuit'; } if ($self->param('check')) { $li_config{'checksum_param'} = $self->param('check'); } if ($self->param('create_link')) { $self->start_mode('create_link'); $li_config{'disable'} = 1; } else { $self->start_mode('link_okay'); } $self->link_integrity_config( %li_config, ); } sub link_okay { my $self = shift; return 'rm=link_okay'; } sub create_link { my $self = shift; return $self->link($self->param('create_link')); } sub link_tampered { my $self = shift; return 'rm=link_tampered'; } sub bad_user_no_biscuit { my $self = shift; return 'rm=bad_user_no_biscuit'; } } ########################################################################### # Entry point: Build a link without parameters my $meth; my $link = URI->new('http://www.example.com/script.cgi'); $ENV{'REQUEST_METHOD'} = $meth = 'GET'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query || ''; CGI::initialize_globals(); is(WebApp->new->run, 'rm=link_okay', "[$meth] entry_point (no params) link_okay"); $ENV{'REQUEST_METHOD'} = $meth = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query || ''; CGI::initialize_globals(); is(WebApp->new->run, 'rm=link_okay', "[$meth] entry_point (no params) link_okay"); $ENV{'REQUEST_METHOD'} = $meth = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = 'foo+bar+baz+boom'; CGI::initialize_globals(); is(WebApp->new->run, 'rm=link_okay', "[$meth] entry_point (no named params but with keywords) link_okay"); ########################################################################### # Bad entry point #1: Build a link with a non-blank keyword parameter $link = URI->new('http://www.example.com/script.cgi?keywords=x'); # Validate it $ENV{'REQUEST_METHOD'} = $meth = 'GET'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query || ''; # print STDERR "[$link] qs: $ENV{'QUERY_STRING'}\n"; CGI::initialize_globals(); is(WebApp->new->run, 'rm=link_tampered', "[$meth] bad entry_point 1 (non-blank 'keywords' param) link_tampered"); ########################################################################### # Bad entry point #2: Build a link with a zero (still non-blank) keyword parameter $link = URI->new('http://www.example.com/script.cgi?keywords=0'); # Validate it $ENV{'REQUEST_METHOD'} = $meth = 'GET'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query; # print STDERR "[$link] qs: $ENV{'QUERY_STRING'}\n"; CGI::initialize_globals(); is(WebApp->new->run, 'rm=link_tampered', "[$meth] bad entry_point 2 (false but non-blank 'keywords' param) link_tampered"); ########################################################################### # Bad entry point #3: Build a link with actual keywords $link = URI->new('http://www.example.com/script.cgi'); # Validate it $ENV{'REQUEST_METHOD'} = $meth = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = 'foo+bar+baz boom'; # print STDERR "[$link] qs: $ENV{'QUERY_STRING'}\n"; is(WebApp->new->run, 'rm=link_tampered', "[$meth] bad entry_point 4 (URI contains actual keywords) link_tampered"); # Build the link $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = '80'; $ENV{'SCRIPT_NAME'} = '/cgi-bin/app.cgi'; $ENV{'SERVER_NAME'} = 'www.example.com'; $ENV{'PATH_INFO'} = '/my/happy/pathy/info'; $ENV{'QUERY_STRING'} = 'zap=zoom&zap=zub&guff=gubbins&zap=zuzzu'; $link = URI->new(WebApp->new(PARAMS => { create_link => 'http://www.example.com/script.cgi/path/info?p1=v1&p2=v2&p2=v3', })->run); # Validate it $ENV{'REQUEST_METHOD'} = 'POST'; $ENV{'SERVER_PORT'} = $link->port; $ENV{'SCRIPT_NAME'} = $link->path; $ENV{'SERVER_NAME'} = $link->authority; $ENV{'PATH_INFO'} = ''; $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[POST] link_okay'); # remove the _checksum from the query - this should invalidate it my $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[POST] link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it my $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[POST] link_tampered (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[POST] link_okay (original checksum added again)'); ########################################################################### # Same tests with method=GET $ENV{'REQUEST_METHOD'} = 'GET'; is(WebApp->new->run, 'rm=link_okay', '[GET] link_okay'); # remove the _checksum from the query - this should invalidate it $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[GET] link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[GET] link_tampered (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=link_okay', '[GET] link_okay (original checksum added again)'); ########################################################################### # Same tests with method=XXX $ENV{'REQUEST_METHOD'} = 'XXX'; is(WebApp->new->run, 'rm=link_okay', '[XXX] link_okay'); # remove the _checksum from the query - this should invalidate it $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[XXX] link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[XXX] link_tampered (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=link_okay', '[XXX] link_okay (original checksum added again)'); ########################################################################### # Same tests with method=BARNEY $ENV{'REQUEST_METHOD'} = 'PUT'; is(WebApp->new->run, 'rm=link_okay', '[PUT] link_okay'); # remove the _checksum from the query - this should invalidate it $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[PUT] link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[PUT] link_tampered (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=link_okay', '[PUT] link_okay (original checksum added again)'); ########################################################################### # Same tests with custom link_tampered_run_mode $ENV{'REQUEST_METHOD'} = 'GET'; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=link_okay', '[CUSTOM RM] link_okay'); # remove the _checksum from the query - this should invalidate it $checksum = $link->query_param_delete('_checksum'); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=bad_user_no_biscuit', '[CUSTOM RM] bad_user (checksum removed)'); # add a bogus checksum - this should invalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = 'xxxx'; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=bad_user_no_biscuit', '[CUSTOM RM] bad_user (checksum changed)'); # restore original checksum - this should revalidate it $qf = $link->query_form_hash; $qf->{'_checksum'} = $checksum; $qf = $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'custom_rm' => 1 })->run, 'rm=link_okay', '[CUSTOM RM] link_okay (original checksum added again)'); ########################################################################### # Same tests with custom checksum_param $ENV{'REQUEST_METHOD'} = 'GET'; is(WebApp->new(PARAMS => { 'check' => '_checksum' })->run, 'rm=link_okay', '[custom checksum] link_okay'); is(WebApp->new(PARAMS => { 'check' => '**frobnicate**' })->run, 'rm=link_tampered', '[custom checksum] link_tampered (changed checksum_param)'); # remove the _checksum from the query - this should invalidate it $qf = $link->query_form_hash; delete $qf->{'_checksum'}; $qf->{'**frobnicate**'} = 'xxxx'; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'check' => '**frobnicate**' })->run, 'rm=link_tampered', '[custom checksum] link_tampered (checksum removed)'); # add a bogus checksum - this should invalidate it delete $qf->{'**frobnicate**'}; $qf->{'xxx_frobozz_xxx'} = 'xxxx'; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'check' => 'xxx_frobozz_xxx' })->run, 'rm=link_tampered', '[custom checksum] link_tampered (checksum changed)'); # restore original checksum - this should revalidate it delete $qf->{'xxx_frobozz_xxx'}; $qf->{'xxx_fizzle_***'} = $checksum; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new(PARAMS => { 'check' => 'xxx_fizzle_***' })->run, 'rm=link_okay', '[custom checksum] link_okay (original checksum added again)'); ########################################################################### # Leave the checksum, alter a param delete $qf->{'xxx_fizzle_***'}; $qf->{'_checksum'} = $checksum; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); # add a param $qf->{'yyy'} = 'xxxx'; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[alter param] link_tampered (added param)'); # change a param delete $qf->{'yyy'}; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); $qf->{'p1'} = 'v1b'; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', '[alter param] link_tampered (changed param)'); $qf->{'p1'} = 'v1'; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); # change a value $qf->{'p2'} = ['v2', 'v3b']; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_tampered', "[alter param] link_tampered (changed a param's value)"); $qf->{'p2'} = ['v2', 'v3']; $link->query_form_hash($qf); $ENV{'QUERY_STRING'} = $link->query; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); # change host $ENV{'SERVER_NAME'} = 'www.badhost.com'; is(WebApp->new->run, 'rm=link_tampered', "[alter param] link_tampered (changed a host)"); $link->query_form_hash($qf); $ENV{'SERVER_NAME'} = 'www.example.com'; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); # change port $ENV{'SERVER_PORT'} = '88'; is(WebApp->new->run, 'rm=link_tampered', "[alter param] link_tampered (changed a host)"); $link->query_form_hash($qf); $ENV{'SERVER_PORT'} = '80'; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); # change scheme $ENV{'HTTPS'} = 'on'; is(WebApp->new->run, 'rm=link_tampered', "[alter param] link_tampered (changed a host)"); $link->query_form_hash($qf); delete $ENV{'HTTPS'}; is(WebApp->new->run, 'rm=link_okay', '[alter param] link_okay'); CGI-Application-Plugin-LinkIntegrity-0.06/t/00.load.t0100644000175200001440000000042210432775231021443 0ustar michaelusers use Test::More tests => 1; use CGI::Application; BEGIN { @::ISA = qw(CGI::Application); } BEGIN { use_ok( 'CGI::Application::Plugin::LinkIntegrity' ); } diag( "Testing CGI::Application::Plugin::LinkIntegrity $CGI::Application::Plugin::LinkIntegrity::VERSION" ); CGI-Application-Plugin-LinkIntegrity-0.06/t/pod-coverage.t0100644000175200001440000000025410432775231022664 0ustar michaelusers#!perl -T use Test::More; eval "use Test::Pod::Coverage 1.04"; plan skip_all => "Test::Pod::Coverage 1.04 required for testing POD coverage" if $@; all_pod_coverage_ok(); CGI-Application-Plugin-LinkIntegrity-0.06/t/04-hmac.t0100644000175200001440000001700310432775231021442 0ustar michaelusers use Test::More 'no_plan'; use strict; $ENV{CGI_APP_RETURN_ONLY} = 1; { package WebApp; use CGI::Application; use vars qw(@ISA); use URI; @ISA = ('CGI::Application'); use Test::More; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->run_modes([qw/start/]); $self->link_integrity_config( 'secret' => 'foo', ); } sub start { my $self = shift; # Test that the checksum actually is generated. Using a known # method ('Digest::MD5') independently verify the checksum # checking it against the one generated by CAP::LI my $secret = 'some super secret'; $self->link_integrity_config( 'secret' => $secret, 'digest_module' => 'Digest::MD5', 'additional_data' => '12345', ); my $uri = '/foo/bar/baz?one=foo&two=boom'; my $link = $self->link($uri); my $hmac = Digest::HMAC->new($secret, 'Digest::MD5'); my $u = URI->new($uri, 'http'); $hmac->add($u->scheme || ''); $hmac->add($u->authority || ''); $hmac->add($u->port || ''); $hmac->add($u->path || ''); foreach my $key (sort $u->query_param) { $hmac->add('key'); $hmac->add($key); $hmac->add('values'); foreach my $val (sort $u->query_param($key)) { $hmac->add($val); } } $hmac->add('12345'); # additional_data; my $checksum = $hmac->hexdigest; my %params = $link->query_form; ok(keys %params == 3, '[_checksum] param keys'); is($params{'one'}, 'foo', '[_checksum] param "one"'); is($params{'two'}, 'boom', '[_checksum] param "two"'); is($params{'_checksum'}, $checksum, '[_checksum] param "_checksum"'); # Same test as above, except using a different parameter than # checksum, and also checking that Digest::MD5 is the default $secret = 'again with the secrets'; $self->link_integrity_config( 'secret' => $secret, 'checksum_param' => '??_link_guardian__??', 'additional_data' => '54321', ); $uri = '/foo/bar/baz?one=foo&two=boom'; $link = $self->link($uri); $hmac = Digest::HMAC->new($secret, 'Digest::MD5'); $u = URI->new($uri, 'http'); $hmac->add($u->scheme || ''); $hmac->add($u->authority || ''); $hmac->add($u->port || ''); $hmac->add($u->path || ''); foreach my $key (sort $u->query_param) { $hmac->add('key'); $hmac->add($key); $hmac->add('values'); foreach my $val (sort $u->query_param($key)) { $hmac->add($val); } } $hmac->add('54321'); # additional_data; $checksum = $hmac->hexdigest; %params = $link->query_form; ok(keys %params == 3, '[??_link_guardian__??] param keys'); is($params{'one'}, 'foo', '[??_link_guardian__??] param "one"'); is($params{'two'}, 'boom', '[??_link_guardian__??] param "two"'); is($params{'??_link_guardian__??'}, $checksum, '[??_link_guardian__??] param "??_link_guardian__??"'); # Same test as above, except using a subroutine for the additional data # parameter $secret = 'again with the secrets'; $self->param('base' => 3); $self->link_integrity_config( 'secret' => $secret, 'checksum_param' => '??_link_guardian__??', 'additional_data' => sub { my $self = shift; $self->param('base') * 10 * 10 * 5 }, ); $uri = '/foo/bar/baz?one=foo&two=boom'; $link = $self->link($uri); $hmac = Digest::HMAC->new($secret, 'Digest::MD5'); $u = URI->new($uri, 'http'); $hmac->add($u->scheme || ''); $hmac->add($u->authority || ''); $hmac->add($u->port || ''); $hmac->add($u->path || ''); foreach my $key (sort $u->query_param) { $hmac->add('key'); $hmac->add($key); $hmac->add('values'); foreach my $val (sort $u->query_param($key)) { $hmac->add($val); } } $hmac->add(1500); # additional_data sub (base = 3) * 10 * 10 * 5; $checksum = $hmac->hexdigest; %params = $link->query_form; ok(keys %params == 3, '[additional_data sub] param keys'); is($params{'one'}, 'foo', '[additional_data sub] param "one"'); is($params{'two'}, 'boom', '[additional_data sub] param "two"'); is($params{'??_link_guardian__??'}, $checksum, '[additional_data sub] param "??_link_guardian__??"'); # Same test but with SHA1 (if available) SKIP: { eval { require Digest::SHA1; }; skip 'Digest::SHA1 not installed', 3 if $@; $secret = 'even secreter'; $self->link_integrity_config( 'secret' => $secret, 'digest_module' => 'Digest::SHA1', 'additional_data' => 'abcde', ); $uri = '/foo/bar/baz?one=foo&two=boom'; $link = $self->link($uri); $hmac = Digest::HMAC->new($secret, 'Digest::SHA1'); $u = URI->new($uri, 'http'); $hmac->add($u->scheme || ''); $hmac->add($u->authority || ''); $hmac->add($u->port || ''); $hmac->add($u->path || ''); foreach my $key (sort $u->query_param) { $hmac->add('key'); $hmac->add($key); $hmac->add('values'); foreach my $val (sort $u->query_param($key)) { $hmac->add($val); } } $hmac->add('abcde'); # additional_data; $checksum = $hmac->hexdigest; %params = $link->query_form; ok(keys %params == 3, '[(SHA1)_checksum] param keys'); is($params{'one'}, 'foo', '[(SHA1)_checksum] param "one"'); is($params{'two'}, 'boom', '[(SHA1)_checksum] param "two"'); is($params{'_checksum'}, $checksum, '[(SHA1)_checksum] param "_checksum"'); } # Now use a custom checksum_generator $secret = '_X_'; $self->link_integrity_config( 'secret' => $secret, 'additional_data' => 'edcba', 'checksum_generator' => sub { my ($secret, $uri, $additional_data) = @_; my @words = split /\W/, $uri->as_string; return (join $secret, @words) . '|' . $additional_data; } ); $uri = '/foo/bar/baz?one=foo&two=boom'; $link = $self->link($uri); $checksum = '_X_foo_X_bar_X_baz_X_one_X_foo_X_two_X_boom|edcba'; %params = $link->query_form; ok(keys %params == 3, '[checksum_generator] param keys'); is($params{'one'}, 'foo', '[checksum_generator] param "one"'); is($params{'two'}, 'boom', '[checksum_generator] param "two"'); is($params{'_checksum'}, $checksum, '[checksum_generator] param "_checksum"'); } } WebApp->new->run; CGI-Application-Plugin-LinkIntegrity-0.06/lib/0042755000175200001440000000000010432775231020433 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/lib/CGI/0042755000175200001440000000000010432775231021035 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/lib/CGI/Application/0042755000175200001440000000000010432775231023300 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/lib/CGI/Application/Plugin/0042755000175200001440000000000010432775231024536 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/lib/CGI/Application/Plugin/LinkIntegrity.pm0100644000175200001440000004522410432775231027672 0ustar michaelusers package CGI::Application::Plugin::LinkIntegrity; use warnings; use strict; =head1 NAME CGI::Application::Plugin::LinkIntegrity - Make tamper-resisistent links in CGI::Application =head1 VERSION Version 0.06 =cut our $VERSION = '0.06'; =head1 SYNOPSIS In your application: use base 'CGI::Application'; use CGI::Application::Plugin::LinkIntegrity; sub setup { my $self = shift; $self->link_integrity_config( secret => 'some secret string known only to you and me', ); } sub account_info { my $self = shift; my $account_id = get_user_account_id(); my $template = $self->load_tmpl('account.html'); $template->param( 'balance' => $self->link("/account.cgi?rm=balance&acct_id=$account_id"); 'transfer' => $self->link("/account.cgi?rm=transfer&acct_id=$account_id"); 'withdrawal' => $self->link("/account.cgi?rm=withdrawl&acct_id=$account_id"); ); } In your template:

Welcome to The Faceless Banking Corp.

Actions:


">Show Balance
">Make a Transfer
">Get Cash This will send the following HTML to the browser:

Welcome to The Faceless Banking Corp.

Actions:


Show Balance
Make a Transfer
Get Cash The URLs created are now tamper-resistent. If the user changes C from C<73> to C<74>, the C<_checksum> will not match, and the system will treat it as an intrusion attempt. =head2 Calling link and self_link directly from the template If you use C or C, you can pass the C C<$self> object into the template and call C and C directly from the template. In your app: $template->param( 'app' => $self, 'name' => 'gordon', 'email' => 'gordon@example.com', ); And in your template you can use # Template::Toolkit syntax ... # HTML::Template::Plugin::Dot syntax ">... # Petal syntax ... Note that in the parameters of the call to << link >>, items enclosed in quotes are treated as literal parameters and barewords are treated as template params. So C<'email'> is the literal string, and C is the template paramter named email (in this case 'gordon@example.com'). =head1 DESCRIPTION C lets you create tamper-resistent links within your CGI::Application project. When you create an URL with C, a C<_checksum> is added to the URL: my $link = $self->link("/account.cgi?rm=balance&acct_id=73"); print $link; # /account.cgi?rm=balance&acct_id=73&_checksum=1d7c4b82d075785de04fa6b98b572691 The checksum is a (cryptographic) hash of the URL, plus a secret string known only to the server. If the user attempts to change part of the URL (e.g. a query string parameter, or the PATH_INFO), then the checksum will not match. The run mode will be changed to C, and the C hook will be called. You can define the C run mode yourself, or you can use the default C run mode built into L. You can disable link checking during development by passing a true value to the C parameter of C<< $self->link_integrity_config >>. =cut use Carp; use File::Spec; use Digest::HMAC; use URI; use URI::QueryParam; use Exporter; use vars qw( @ISA @EXPORT $Default_Secret ); @ISA = qw(Exporter); @EXPORT = qw(link self_link path_link link_integrity_config); use CGI::Application; if (CGI::Application->can('new_hook')) { CGI::Application->new_hook('invalid_checksum'); } =head1 METHODS =head2 link_integrity_config Configure the L. Usually, it makes sense to configure this in the C method of your application's base class: use CGI::Application::Plugin::LinkIntegrity; use base 'CGI::Application'; package My::Project; sub setup { my $self = shift; $self->run_modes(['bad_user_no_biscuit']); $self->link_integrity_config( secret => 'some secret string known only to you and me', link_tampered_run_mode => 'bad_user_no_biscuit', digest_module => 'Digest::MD5', disable => 1, ); } Or you can pull in this configuration info from a config file. For instance, with using L: use CGI::Application::Plugin::LinkIntegrity; use CGI::Application::Plugin::Config::Context; use base 'CGI::Application'; package My::Project; sub setup { my $self = shift; $self->conf->init( file => 'app.conf', driver => 'ConfigGeneral', ); my $config = $self->conf->context; $self->link_integrity_config( $config->{'LinkIntegrity'}, additional_data => sub { my $self = shift; return $self->session->id; }, ); my $link_tampered_rm = $config->{'LinkIntegrity'}{'link_tampered_run_mode'} || 'link_tampered'; $self->run_modes([$link_tampered_rm]); } Then in your configuration file: secret = some REALLY secret string link_tampered_run_mode = bad_user_no_biscuit hash_algorithm = SHA1 disable = 1 This strategy allows you to enable and disable link checking on the fly by changing the value of C in the config file. The following configuration parameters are available: =over 4 =item secret A string known only to your application. At a commandline, you can generate a secret string with md5: $ perl -MDigest::MD5 -le"print Digest::MD5::md5_hex($$, time, rand(42));" Or you can use Data::UUID: $ perl -MData::UUID -le"$ug = new Data::UUID; $uuid = $ug->create; print $ug->to_string($uuid)" If someone knows your secret string, then they can generate their own checksums on arbitrary data that will always pass the integrity check in your application. That's a Bad Thing, so don't let other people know your secret string, and don't use the default secret string if you can help it. =item additional_data You can pass constant additional data to the checksum generator for every link. $self->link_integrity_config( secret => 'really secret', additional_data => 'some other secret data', } For instance, to stop one user from following a second user's link, you can add a user-specific component to the session, such as the user's session id: $self->link_integrity_config( secret => 'really secret', additional_data => sub { my $self = shift; return $self->session->id; } } You can pass a string instead of a subroutine. But in the case of the user's session, a subroutine is useful so that you get the value of the user's session at the time when the checksum is generated, not at the time when the link integrity system is configured. =item checksum_param The name of the checksum parameter, which is added to the query string and contains the cryptographic checksum of link. By default, this parameter is named C<_checksum>. =item link_tampered_run_mode The run mode to go to when it has been detected that the user has tampered with the link. The default is C. See L<"The link_tampered Run Mode">, below. =item digest_module Which digest module to use to create the checksum. Typically, this will be either C or C. However any module supported by C will work. The default C is C. =item checksum_generator If you want to provide a custom subroutine to make your own checksums, you can define your own subroutine do it via the C param. Here's an example of one that uses Digest::SHA2: $self->link_integrity_config( checksum_generator => sub { my ($url, $secret) = @_; require Digest::SHA2; my $ctx = Digest::SHA2->new(); $ctx->add($url . $secret); return $ctx->hexdigest; }, ); =item disable You can disable link checking entirely by setting C to a true value. This can be useful when you are developing or debugging the application and you want the ability to tweak URL params without getting busted. =back =cut my %Config_Defaults = ( secret => undef, checksum_param => '_checksum', link_tampered_run_mode => undef, digest_module => 'Digest::MD5', disable => undef, checksum_generator => undef, additional_data => undef, ); sub link_integrity_config { my $self = shift; my $caller = scalar(caller); $self->new_hook('invalid_checksum'); $caller->add_callback('prerun', \&_check_link_integrity); my $args; if (ref $_[0] eq 'HASH') { $args = $_[0]; } else { $args = { @_ }; } # Clear config undef $self->{__PACKAGE__}{__CONFIG}; my $config = _get_config($self, $args); $config->{'link_tampered_run_mode'} ||= 'link_tampered'; my %run_modes = $self->run_modes; unless ($run_modes{$config->{'link_tampered_run_mode'}}) { $self->run_modes($config->{'link_tampered_run_mode'} => sub { return '

Access Denied

'; }); } %run_modes = $self->run_modes; } sub _get_config { my ($self, $args) = @_; if ($self->{__PACKAGE__}{__CONFIG}) { return $self->{__PACKAGE__}{__CONFIG}; } my $config = $self->{__PACKAGE__}{__CONFIG} = { %Config_Defaults }; if ($args) { # Check that all key names are valid foreach my $key (keys %$args) { unless (exists $config->{$key}) { croak "CAP::LinkIntegrity: Bad configuration key: $key\n"; } $config->{$key} = $args->{$key}; } # Check that checksum_generator is coderef if (exists $args->{'checksum_generator'}) { unless (ref $args->{'checksum_generator'} eq 'CODE') { croak "CAP::LinkIntegrity: checksum_generator must be coderef\n"; } } } $config->{'link_tampered_run_mode'} ||= 'link_tampered'; $config->{'secret'} || croak "CAP::LinkIntegrity - You need to provide a secret string to link_integrity_config"; return $config; } =head2 link Create a link, and add a checksum to it. You can add parameters to the link directly in the URL: my $link = $self->link('/cgi-bin/app.cgi?var=value&var2=value2'); Or you can add them as a hash of parameters after the URL: my $link = $self->link( '/cgi-bin/app.cgi', 'param1' => 'value', 'param2' => 'value2', ); =cut sub link { my $self = shift; my $uri = shift; my $config = _get_config($self); $uri = URI->new($uri, 'http'); my @query_form = $uri->query_form; push @query_form, @_; my $additional_data = $config->{'additional_data'}; $additional_data = $additional_data->($self) if ref $additional_data eq 'CODE'; my $checksum = _hmac($self, $uri, $additional_data); $uri->query_form(@query_form); $uri->query_param_append($config->{'checksum_param'} => $checksum); return $uri; } sub _hmac { my $self = shift; my $uri = shift; my $additional_data = shift; my $config = _get_config($self); my $secret = $config->{'secret'}; my $digest; if ($config->{'checksum_generator'}) { $digest = $config->{'checksum_generator'}->($secret, $uri, $additional_data); } else { my $digest_module = $config->{'digest_module'} || croak "CAP::LinkIntegrity: digest_module not configured"; eval "require $digest_module"; if ($@) { carp "CAP::LinkIntegrity: Requested digest_module ($digest_module) not installed"; } my $hmac = Digest::HMAC->new($secret, $digest_module); # Add all elements of the URL $hmac->add($uri->scheme || ''); $hmac->add($uri->authority || ''); $hmac->add($uri->port || ''); $hmac->add($uri->path || ''); foreach my $key (sort $uri->query_param) { $hmac->add('key'); $hmac->add($key); $hmac->add('values'); $hmac->add($_) for sort $uri->query_param($key); } $hmac->add($additional_data || ''); $digest = $hmac->hexdigest; } return $digest; } =head2 self_link Make a link to the current application, with optional parameters, and add a checksum to the URL. my $link = $self->self_link( 'param1' => 'value1', 'param2' => 'value2', ); C preserves the value of the current application's C. For instance if the current URL is: /cgi-bin/app.cgi/some/path?foo=bar # PATH_INFO is 'some/path' Calling: $self->self_link('bar' => 'baz'); Will produce the URL: /cgi-bin/app.cgi/some/path?bar=baz If you want to remove the C value or replace it with a new value, use L. =cut sub self_link { my $self = shift; my $uri = URI->new($self->query->url(-path_info => 1)); $uri->query_form(@_) if @_; return $self->link($uri); } =head2 path_link Calling C is the same as calling C, except the current value of C can be replaced. my $link = $self->path_link( '/new/path', 'param1' => 'value1', 'param2' => 'value2', ); For instance if the current URL is: /cgi-bin/app.cgi/some/path?foo=bar # PATH_INFO is 'some/path' Calling: $self->path_link('/new/path'); Will produce the URL: /cgi-bin/app.cgi/new/path?foo=bar If you want to remove C entirely, call one of the following: $self->path_link; $self->path_link(undef, 'param1' => 'val1', 'param2 => 'val2' ...); $self->path_link('', 'param1' => 'val1', 'param2 => 'val2' ...); If you want to keep the existing C that was passed to the current application, use L instead. =cut sub path_link { my $self = shift; my $path_info = shift; my $uri; $uri = URI->new($self->query->url); if ($path_info) { # Convert into an array of path elements my @path_info = File::Spec->splitdir($path_info); # Remove the first element if it is the empty root element shift @path_info unless $path_info[0]; $uri->path_segments($uri->path_segments, @path_info); } $uri->query_form(@_) if @_; return $self->link($uri); } sub _check_link_integrity { my $self = shift; unless ($self->{__PACKAGE__}{__CONFIG}) { croak "CAP::LinkIntegrity - You need to call link_integrity_config before 'prerun' (e.g. in start or cgiapp_init)\n"; } my $config = _get_config($self); return if $config->{'disable'}; my $uri = URI->new($self->query->url(-path_info => 1)); my @params; # Entry point #1: if the URL contains no params we let it through return unless $self->query->url_param; # Entry point #2: if the URL contains only a single param named 'keywords' # and this param has no value. This is due to the fact that CGI.pm adds # a blank 'keywords' param when the QUERY_STRING is blank my @param = $self->query->url_param; if (@param == 1 and $param[0] eq 'keywords') { my $keywords = $self->query->param('keywords'); return if !defined $keywords or $keywords eq ''; } foreach my $name (sort $self->query->url_param) { foreach my $val (sort $self->query->url_param($name)) { push @params, $name, $val; } } $uri->query_form(@params); my $uri_checksum = $uri->query_param_delete($config->{'checksum_param'}); my $expected_checksum = _hmac($self, $uri, $config->{'additional_data'}); if (($uri_checksum || '') ne ($expected_checksum || '')) { $self->prerun_mode($config->{'link_tampered_run_mode'}); $self->call_hook('invalid_checksum'); } } =head1 RUN MODES =head2 The link_tampered Run Mode Your application is redirected to this run mode when it has been detected that the user has tampered with the link. You can change the name of this run mode by changing the value of the C param to C. L provides a default C run mode, which just displays a page with some stern warning text. You can define your own as follows: sub link_tampered { my $self = shift; my $template = $self->load_template('stern_talking_to'); return $template->output; } =head1 HOOKS When a link is followed that doesn't match the checksum, the C hook is called. You can add a callback to this hook to do some cleanup such as deleting the user's session. For instance: sub setup { my $self = shift; $self->add_callback('invalid_checksum' => \&bad_user); } sub bad_user { my $self = shift; # The user has been messing with the URLs, possibly trying to # break into the system. We don't tolerate this behaviour. # So we delete the user's session: $self->session->delete; } =head1 AUTHOR Michael Graham, C<< >> =head1 ACKNOWLEDGEMENTS This module was based on the checksum feature originally built into Richard Dice's L. =head1 BUGS Please report any bugs or feature requests to C, or through the web interface at L. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes. =head1 COPYRIGHT & LICENSE Copyright 2005 Michael Graham, All Rights Reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. =cut 1; # End of CGI::Application::Plugin::LinkIntegrity CGI-Application-Plugin-LinkIntegrity-0.06/misc/0042755000175200001440000000000010432775231020620 5ustar michaelusersCGI-Application-Plugin-LinkIntegrity-0.06/misc/dist0100644000175200001440000000017710432775231021506 0ustar michaelusers#!/bin/sh rm MANIFEST misc/makedocs.pl perl ./Build.PL perl ./Build perl ./Build manifest perl ./Build test perl ./Build dist CGI-Application-Plugin-LinkIntegrity-0.06/misc/module-starter-opts.txt0100644000175200001440000000021210432775231025301 0ustar michaelusers $ module-starter --mb --module=CGI::Application::Plugin::LinkIntegrity --author="Michael Graham" --email=mag-perl@occamstoothbrush.com CGI-Application-Plugin-LinkIntegrity-0.06/misc/style.css0100644000175200001440000001136710432775231022475 0ustar michaelusersBODY, .logo { background: white; } BODY { color: black; font-family: arial,sans-serif; margin: 0; padding: 1ex; } TABLE { border-collapse: collapse; border-spacing: 0; border-width: 0; color: inherit; } IMG { border: 0; } FORM { margin: 0; } input { margin: 2px; } .logo { float: left; width: 264px; height: 77px; } .front .logo { float: none; display:block; } .front .searchbox { margin: 2ex auto; text-align: center; } .front .menubar { text-align: center; } .menubar { background: #006699; margin: 1ex 0; padding: 1px; } .menubar A { padding: 0.8ex; font: bold 10pt Arial,Helvetica,sans-serif; } .menubar A:link, .menubar A:visited { color: white; text-decoration: none; } .menubar A:hover { color: #ff6600; text-decoration: underline; } A:link, A:visited { background: transparent; color: #006699; } A[href="#POD_ERRORS"] { background: transparent; color: #FF0000; } TD { margin: 0; padding: 0; } DIV { border-width: 0; } DT { margin-top: 1em; } .credits TD { padding: 0.5ex 2ex; } .huge { font-size: 32pt; } .s { background: #dddddd; color: inherit; } .s TD, .r TD { padding: 0.2ex 1ex; vertical-align: baseline; } TH { background: #bbbbbb; color: inherit; padding: 0.4ex 1ex; text-align: left; } TH A:link, TH A:visited { background: transparent; color: black; } .box { border: 1px solid #006699; margin: 1ex 0; padding: 0; } .distfiles TD { padding: 0 2ex 0 0; vertical-align: baseline; } .manifest TD { padding: 0 1ex; vertical-align: top; } .l1 { font-weight: bold; } .l2 { font-weight: normal; } .t1, .t2, .t3, .t4 { background: #006699; color: white; } .t4 { padding: 0.2ex 0.4ex; } .t1, .t2, .t3 { padding: 0.5ex 1ex; } /* IE does not support .box>.t1 Grrr */ .box .t1, .box .t2, .box .t3 { margin: 0; } .t1 { font-size: 1.4em; font-weight: bold; text-align: center; } .t2 { font-size: 1.0em; font-weight: bold; text-align: left; } .t3 { font-size: 1.0em; font-weight: normal; text-align: left; } /* width: 100%; border: 0.1px solid #FFFFFF; */ /* NN4 hack */ .datecell { text-align: center; width: 17em; } .cell { padding: 0.2ex 1ex; text-align: left; } .label { background: #aaaaaa; color: black; font-weight: bold; padding: 0.2ex 1ex; text-align: right; white-space: nowrap; vertical-align: baseline; } .categories { border-bottom: 3px double #006699; margin-bottom: 1ex; padding-bottom: 1ex; } .categories TABLE { margin: auto; } .categories TD { padding: 0.5ex 1ex; vertical-align: baseline; } .path A { background: transparent; color: #006699; font-weight: bold; } .pages { background: #dddddd; color: #006699; padding: 0.2ex 0.4ex; } .path { background: #dddddd; border-bottom: 1px solid #006699; color: #006699; /* font-size: 1.4em;*/ margin: 1ex 0; padding: 0.5ex 1ex; } .menubar TD { background: #006699; color: white; } .menubar { background: #006699; color: white; margin: 1ex 0; padding: 1px; } .menubar .links { background: transparent; color: white; padding: 0.2ex; text-align: left; } .menubar .searchbar { background: black; color: black; margin: 0px; padding: 2px; text-align: right; } A.m:link, A.m:visited { background: #006699; color: white; font: bold 10pt Arial,Helvetica,sans-serif; text-decoration: none; } A.o:link, A.o:visited { background: #006699; color: #ccffcc; font: bold 10pt Arial,Helvetica,sans-serif; text-decoration: none; } A.o:hover { background: transparent; color: #ff6600; text-decoration: underline; } A.m:hover { background: transparent; color: #ff6600; text-decoration: underline; } table.dlsip { background: #dddddd; border: 0.4ex solid #dddddd; } .pod PRE { background: #eeeeee; border: 1px solid #888888; color: black; padding: 1em; white-space: pre; } .pod H1 { background: transparent; color: #006699; font-size: large; } .pod H2 { background: transparent; color: #006699; font-size: medium; } .pod IMG { vertical-align: top; } .pod .toc A { text-decoration: none; } .pod .toc LI { line-height: 1.2em; list-style-type: none; } .faq DT { font-size: 1.4em; font-weight: bold; } .chmenu { background: black; color: red; font: bold 1.1em Arial,Helvetica,sans-serif; margin: 1ex auto; padding: 0.5ex; } .chmenu TD { padding: 0.2ex 1ex; } .chmenu A:link, .chmenu A:visited { background: transparent; color: white; text-decoration: none; } .chmenu A:hover { background: transparent; color: #ff6600; text-decoration: underline; } .column { padding: 0.5ex 1ex; vertical-align: top; } .datebar { margin: auto; width: 14em; } .date { background: transparent; color: #008000; } CGI-Application-Plugin-LinkIntegrity-0.06/misc/makedocs.pl0100644000175200001440000000327610432775231022746 0ustar michaelusers#!/usr/bin/perl # This is a Quick and dirty script to generate docs. # # It can do three things: # 1) make HTML docs that look like those on search.cpan.org # 2) make text docs # 3) copy files # # Run this from the main module directory with: # $ misc/makedocs.pl # my $StyleSheet = "misc/style.css"; my %HTML = ( 'CAP-LinkIntegrity.html' => 'lib/CGI/Application/Plugin/LinkIntegrity.pm', ); my %TEXT = ( 'README' => 'lib/CGI/Application/Plugin/LinkIntegrity.pm', ); my %COPY = ( 'changes.txt' => 'Changes', 'readme.txt' => 'README', ); my @Tempfiles = qw( pod2htmd.tmp pod2htmd.x~~ pod2htmi.tmp pod2htmi.x~~ ); use strict; use File::Copy; local $/; foreach my $target (keys %TEXT) { my $source = $TEXT{$target}; system("pod2text $source $target"); } foreach my $target (keys %HTML) { my $source = $HTML{$target}; system("pod2html --css=$StyleSheet $source $target"); open my $fh, $target or die "can't read $target: $!\n"; my $text = <$fh>; close $fh; # Add
...
$text =~ s/(]*>)/$1
/i; $text =~ s/(<\/body>)/<\/div>$1/i; # remove redundant 
 sequences (only necessary in old pod2html)
    # $text =~ s/<\/pre>(\s*)
/$1/imsg;

    # remove redundant 
  
 
 tags (only necessary in old pod2html)
    # $text =~ s/<\/pre>(\s*)<\/dd>\s*
\s*
/$1/imsg;


    open my $fh, '>', $target or die "can't clobber $target: $!\n";
    print $fh $text;
    close $fh;

    foreach my $tempfile (@Tempfiles) {
        unlink $tempfile;
    }
}

foreach my $target (keys %COPY) {
    my $source = $COPY{$target};
    copy($source, $target);
}

CGI-Application-Plugin-LinkIntegrity-0.06/misc/prove_prereqs.pl0100644000175200001440000000477210432775231024056 0ustar  michaelusers#!/usr/bin/perl

=pod

This script allows you to run the test suite, simulating the absense of
a particular set of Perl modules, even if they are installed on your
system.

To run the test suite multiple times in a row, each tie multiple times
(each with a different selection of absent modules), run:

    $ perl misc/prove_prereqs.pl t/*.t

To add a new set of absent modules, make a subdir under t/prereq_scenarios, and
add a dummy perl module for every module you want to skip.  This file
should be empty.  For instance if you wanted to simulate the absense of
XML::Complicated and Config::Obscure, you would do the following:

    $ mkdir t/prereq_scenarios/skip_xc+co
    $ mkdir t/prereq_scenarios/skip_xc+co/XML
    $ touch t/prereq_scenarios/skip_xc+co/XML/Complicated.pm
    $ mkdir t/prereq_scenarios/skip_xc+co/Config
    $ touch t/prereq_scenarios/skip_xc+co/Config/Obscure.pm

Finally, add this directory to the @Scenarios array below.

=cut

my @Scenarios = qw(
    t/prereq_scenarios/cgi-3.10
    t/prereq_scenarios/cgi-3.11
    t/prereq_scenarios/cgi-3.20
);

###################################################################
use strict;
use File::Find;

unless (@ARGV) {
    die "Usage: $0 [args to prove]\n";
}

my %Skip_Modules;
my $errors;
foreach my $prereq_scenarios_dir (@Scenarios) {
    if (!-d $prereq_scenarios_dir) {
        $errors = 1;
        warn "Skip lib dir does not exist: $prereq_scenarios_dir\n";
        next;
    }
    my @modules;
    find(sub {
        return unless -f;
        my $dir = "$File::Find::dir/$_";
        $dir =~ s/^\Q$prereq_scenarios_dir\E//;
        $dir =~ s/\.pm$//;
        $dir =~ s{^/}{};
        $dir =~ s{/}{::}g;
        push @modules, $dir;
    }, $prereq_scenarios_dir);
    $Skip_Modules{$prereq_scenarios_dir} = \@modules;
}
die "Terminating." if $errors;

foreach my $prereq_scenarios_dir (@Scenarios) {
    my $modules = join ', ', sort @{ $Skip_Modules{$prereq_scenarios_dir} };
    $modules ||= 'none';
    print "\n##############################################################\n";
    print "Running tests.  Old (or absent) modules in this scenario:\n";
    print "$modules\n";
    my @prove_command = ('prove', '-Ilib', "-I$prereq_scenarios_dir", @ARGV);
    system(@prove_command) && do {
        die <link_integrity_config(
                secret => 'some secret string known only to you and me',
            );
        }

        sub account_info {
            my $self = shift;

            my $account_id = get_user_account_id();

            my $template = $self->load_tmpl('account.html');

            $template->param(
                'balance'    => $self->link("/account.cgi?rm=balance&acct_id=$account_id");
                'transfer'   => $self->link("/account.cgi?rm=transfer&acct_id=$account_id");
                'withdrawal' => $self->link("/account.cgi?rm=withdrawl&acct_id=$account_id");
            );
        }

    In your template:

        
Welcome to The Faceless Banking Corp.

        
Actions:

        
">Show Balance
        
">Make a Transfer
        
">Get Cash

    This will send the following HTML to the browser:

        
Welcome to The Faceless Banking Corp.

        
Actions:

        
Show Balance
        
Make a Transfer
        
Get Cash

    The URLs created are now tamper-resistent. If the user changes "acct_id"
    from 73 to 74, the "_checksum" will not match, and the system will treat
    it as an intrusion attempt.

  Calling link and self_link directly from the template
    If you use "Template::Toolkit|Template" or
    "HTML::Template::Plugin::Dot", you can pass the "CGI::Application" $self
    object into the template and call "link" and "self_link" directly from
    the template. In your app:

        $template->param(
            'app'     => $self,
            'name'    => 'gordon',
            'email'   => 'gordon@example.com',
        );

    And in your template you can use

        # Template::Toolkit syntax
        ...

        # HTML::Template::Plugin::Dot syntax
        ">...

        # Petal syntax
        ...

    Note that in the parameters of the call to << link >>, items enclosed in
    quotes are treated as literal parameters and barewords are treated as
    template params. So 'email' is the literal string, and "email" is the
    template paramter named email (in this case 'gordon@example.com').

DESCRIPTION
    "CGI::Application::Plugin::LinkIntegrity" lets you create
    tamper-resistent links within your CGI::Application project. When you
    create an URL with "link", a "_checksum" is added to the URL:

        my $link = $self->link("/account.cgi?rm=balance&acct_id=73");
        print $link; # /account.cgi?rm=balance&acct_id=73&_checksum=1d7c4b82d075785de04fa6b98b572691

    The checksum is a (cryptographic) hash of the URL, plus a secret string
    known only to the server.

    If the user attempts to change part of the URL (e.g. a query string
    parameter, or the PATH_INFO), then the checksum will not match. The run
    mode will be changed to "link_tampered", and the "invalid_checksum" hook
    will be called.

    You can define the "link_tampered" run mode yourself, or you can use the
    default "link_tampered" run mode built into
    CGI::Application::Plugin::LinkIntegrity.

    You can disable link checking during development by passing a true value
    to the "disable" parameter of "$self->link_integrity_config".

METHODS
  link_integrity_config
    Configure the CGI::Application::Plugin::LinkIntegrity. Usually, it makes
    sense to configure this in the "setup" method of your application's base
    class:

        use CGI::Application::Plugin::LinkIntegrity;
        use base 'CGI::Application';
        package My::Project;

        sub setup {
            my $self = shift;

            $self->run_modes(['bad_user_no_biscuit']);
            $self->link_integrity_config(
                secret                 => 'some secret string known only to you and me',
                link_tampered_run_mode => 'bad_user_no_biscuit',
                digest_module          => 'Digest::MD5',
                disable                => 1,
            );
        }

    Or you can pull in this configuration info from a config file. For
    instance, with using CGI::Application::Config::Context:

        use CGI::Application::Plugin::LinkIntegrity;
        use CGI::Application::Plugin::Config::Context;

        use base 'CGI::Application';
        package My::Project;

        sub setup {
            my $self = shift;

            $self->conf->init(
                file   => 'app.conf',
                driver => 'ConfigGeneral',
            );

            my $config = $self->conf->context;

            $self->link_integrity_config(
                $config->{'LinkIntegrity'},
                additional_data => sub {
                    my $self = shift;
                    return $self->session->id;
                },
            );

            my $link_tampered_rm = $config->{'LinkIntegrity'}{'link_tampered_run_mode'} || 'link_tampered';

            $self->run_modes([$link_tampered_rm]);
        }

    Then in your configuration file:

        
            secret                 = some REALLY secret string
            link_tampered_run_mode = bad_user_no_biscuit
            hash_algorithm         = SHA1
            disable                = 1
        

    This strategy allows you to enable and disable link checking on the fly
    by changing the value of "disable" in the config file.

    The following configuration parameters are available:

    secret
        A string known only to your application. At a commandline, you can
        generate a secret string with md5:

         $ perl -MDigest::MD5 -le"print Digest::MD5::md5_hex($$, time, rand(42));"

        Or you can use Data::UUID:

         $ perl -MData::UUID -le"$ug = new Data::UUID; $uuid = $ug->create; print $ug->to_string($uuid)"

        If someone knows your secret string, then they can generate their
        own checksums on arbitrary data that will always pass the integrity
        check in your application. That's a Bad Thing, so don't let other
        people know your secret string, and don't use the default secret
        string if you can help it.

    additional_data
        You can pass constant additional data to the checksum generator for
        every link.

            $self->link_integrity_config(
                secret          => 'really secret',
                additional_data => 'some other secret data',
            }

        For instance, to stop one user from following a second user's link,
        you can add a user-specific component to the session, such as the
        user's session id:

            $self->link_integrity_config(
                secret          => 'really secret',
                additional_data => sub {
                    my $self = shift;
                    return $self->session->id;
                }
            }

        You can pass a string instead of a subroutine. But in the case of
        the user's session, a subroutine is useful so that you get the value
        of the user's session at the time when the checksum is generated,
        not at the time when the link integrity system is configured.

    checksum_param
        The name of the checksum parameter, which is added to the query
        string and contains the cryptographic checksum of link. By default,
        this parameter is named "_checksum".

    link_tampered_run_mode
        The run mode to go to when it has been detected that the user has
        tampered with the link. The default is "link_tampered".

        See "The link_tampered Run Mode", below.

    digest_module
        Which digest module to use to create the checksum. Typically, this
        will be either "Digest::MD5" or "Digest::SHA1". However any module
        supported by "Digest::HMAC" will work.

        The default "digest_module" is "Digest::MD5".

    checksum_generator
        If you want to provide a custom subroutine to make your own
        checksums, you can define your own subroutine do it via the
        "make_checksum" param. Here's an example of one that uses
        Digest::SHA2:

                $self->link_integrity_config(
                    checksum_generator => sub {
                        my ($url, $secret) = @_;
                        require Digest::SHA2;

                        my $ctx = Digest::SHA2->new();
                        $ctx->add($url . $secret);

                        return $ctx->hexdigest;
                    },
                );

    disable
        You can disable link checking entirely by setting "disable" to a
        true value. This can be useful when you are developing or debugging
        the application and you want the ability to tweak URL params without
        getting busted.

  link
    Create a link, and add a checksum to it.

    You can add parameters to the link directly in the URL:

        my $link = $self->link('/cgi-bin/app.cgi?var=value&var2=value2');

    Or you can add them as a hash of parameters after the URL:

        my $link = $self->link(
            '/cgi-bin/app.cgi',
            'param1'  => 'value',
            'param2' => 'value2',
        );

  self_link
    Make a link to the current application, with optional parameters, and
    add a checksum to the URL.

        my $link = $self->self_link(
            'param1' => 'value1',
            'param2' => 'value2',
        );

    "self_link" preserves the value of the current application's
    "PATH_INFO". For instance if the current URL is:

        /cgi-bin/app.cgi/some/path?foo=bar # PATH_INFO is 'some/path'

    Calling:

        $self->self_link('bar' => 'baz');

    Will produce the URL:

        /cgi-bin/app.cgi/some/path?bar=baz

    If you want to remove the "PATH_INFO" value or replace it with a new
    value, use path_link.

  path_link
    Calling "path_link" is the same as calling "self_link", except the
    current value of "PATH_INFO" can be replaced.

        my $link = $self->path_link(
            '/new/path',
            'param1' => 'value1',
            'param2' => 'value2',
        );

    For instance if the current URL is:

        /cgi-bin/app.cgi/some/path?foo=bar # PATH_INFO is 'some/path'

    Calling:

        $self->path_link('/new/path');

    Will produce the URL:

        /cgi-bin/app.cgi/new/path?foo=bar

    If you want to remove "PATH_INFO" entirely, call one of the following:

        $self->path_link;
        $self->path_link(undef, 'param1' => 'val1', 'param2 => 'val2' ...);
        $self->path_link('', 'param1' => 'val1', 'param2 => 'val2' ...);

    If you want to keep the existing "PATH_INFO" that was passed to the
    current application, use self_link instead.

RUN MODES
  The link_tampered Run Mode
    Your application is redirected to this run mode when it has been
    detected that the user has tampered with the link. You can change the
    name of this run mode by changing the value of the
    "link_tampered_runmode" param to "link_integrity_config".

    CGI::Application::Plugin::LinkIntegrity provides a default
    "link_tampered" run mode, which just displays a page with some stern
    warning text.

    You can define your own as follows:

        sub link_tampered {
            my $self = shift;
            my $template = $self->load_template('stern_talking_to');
            return $template->output;
        }

HOOKS
    When a link is followed that doesn't match the checksum, the
    "invalid_checksum" hook is called. You can add a callback to this hook
    to do some cleanup such as deleting the user's session. For instance:

        sub setup {
            my $self = shift;
            $self->add_callback('invalid_checksum' => \&bad_user);
        }

        sub bad_user {
            my $self = shift;

            # The user has been messing with the URLs, possibly trying to
            # break into the system.  We don't tolerate this behaviour.
            # So we delete the user's session:

            $self->session->delete;
        }

AUTHOR
    Michael Graham, ""

ACKNOWLEDGEMENTS
    This module was based on the checksum feature originally built into
    Richard Dice's CGI::Application::Framework.

BUGS
    Please report any bugs or feature requests to
    "bug-cgi-application-plugin-linkintegrity@rt.cpan.org", or through the
    web interface at . I will be notified, and then
    you'll automatically be notified of progress on your bug as I make
    changes.

COPYRIGHT & LICENSE
    Copyright 2005 Michael Graham, All Rights Reserved.

    This program is free software; you can redistribute it and/or modify it
    under the same terms as Perl itself.

CGI-Application-Plugin-LinkIntegrity-0.06/Changes0100644000175200001440000000537010432775231021160 0ustar  michaelusersRevision history for CGI-Application-Plugin-LinkIntegrity

0.06 May 18, 2006
        - the entry point code added so many months ago had a bug in it:
          When there is a blank query string, CGI.pm adds an empty 'keywords'
          key to the query paremeters.  This meant that 'GET' requests
          without parameters would fail.

0.05 October 3, 2005
        - now install 'invalid_checksum' hook at class load time

0.04 October 3, 2005
        - made the module actually useful!  In order to generate a valid
          link, you need to load the module.  However you can't load the
          module if the application was invoked with an invalid URL.
          Catch-22.  So now there's an entry point:  if the invoking URL
          contained no parameters, then it is considered to be valid.

        - changed setup of hooks to happen at config time instead of
          import time.  Hopefully this makes it possible to use '@ISA'
          instead of 'use base':

              # Typical usage
              use base 'CGI::Application';
              use CGI::Application::Plugin::LinkIntegrity;

              # This also works
              use CGI::Application;
              our @ISA = qw(CGI::Application);
              use CGI::Application::Plugin::LinkIntegrity;

        - made CGI version 2.37 or greater a prerequisite (for url_param)

0.03 August 21, 2005
        - NOTE:  This release is not compatible with previous versions.
        - API radically rewritten to make it possible to protect links
          directly from within templates (Thanks to Michael Peter and
          Mark Stosberg for the feedback and ideas)
        - the following methods have changed:

          Old Syntax                                         New Syntax
          ==========                                         ==========
          ->make_link($url, { 'p1' => 'v1'})                 ->link($url, 'p1' => 'v1')

          ->make_self_link($url,                             ->self_link($url, 'p1' => 'v1')
                            keep_path_info => 1,
                            params => { 'p1' => 'v1'})

          ->make_self_link($url,                             ->path_link('', 'p1' => 'v1')
                            keep_path_info => 0,
                            params => { 'p1' => 'v1'})

          ->make_self_link($url,                             ->path_link('/new/path', 'p1' => 'v1')
                            path_info => '/new/path'
                            params => { 'p1' => 'v1'}
                          )

        - added documentation illustrating how to call link, make_link,
          etc. directly from templates

0.02 ????
        - added 'additional_data' feature

0.01 ????
        - First development version released for comments and feedback

CGI-Application-Plugin-LinkIntegrity-0.06/Build.PL0100644000175200001440000000150210432775231021152 0ustar  michaelusersuse strict;
use warnings;
use Module::Build;

my $builder = Module::Build->new(
    module_name         => 'CGI::Application::Plugin::LinkIntegrity',
    license             => 'perl',
    dist_author         => 'Michael Graham ',
    dist_version_from   => 'lib/CGI/Application/Plugin/LinkIntegrity.pm',
    requires => {
        'Test::More'       => 0,
        'CGI::Application' => 4.0,  # need hooks
        'URI'              => 0,
        'URI::Escape'      => 0,  # included in URI
        'URI::QueryParam'  => 0,  # included in URI
        'Digest::HMAC'     => 0,
        'Digest::MD5'      => 0,
        'CGI'              => 2.37,
    },
    add_to_cleanup      => [ 'CGI-Application-Plugin-LinkIntegrity-*' ],
    create_makefile_pl  => 'traditional',
);

$builder->create_build_script();
CGI-Application-Plugin-LinkIntegrity-0.06/MANIFEST.SKIP0100644000175200001440000000020410432775231021552 0ustar  michaelusers^_build
^Build$
^blib
~$
\.cvsignore$
\.bak$
CVS
^cover_db
^readme.txt$
^changes.txt$
^[^/]*\.html$
\.gz$
\.tar$
^t/prereq_scenariosCGI-Application-Plugin-LinkIntegrity-0.06/Makefile.PL0100644000175200001440000000136610432775231021640 0ustar  michaelusers# Note: this file was auto-generated by Module::Build::Compat version 0.03
use ExtUtils::MakeMaker;
WriteMakefile
(
          'PL_FILES' => {},
          'INSTALLDIRS' => 'site',
          'NAME' => 'CGI::Application::Plugin::LinkIntegrity',
          'VERSION_FROM' => 'lib/CGI/Application/Plugin/LinkIntegrity.pm',
          'PREREQ_PM' => {
                           'Test::More' => 0,
                           'Digest::HMAC' => 0,
                           'CGI::Application' => '4',
                           'URI' => 0,
                           'URI::Escape' => 0,
                           'Digest::MD5' => 0,
                           'URI::QueryParam' => 0,
                           'CGI' => '2.37'
                         }
        )
;
CGI-Application-Plugin-LinkIntegrity-0.06/META.yml0100644000175200001440000000077010432775231021135 0ustar  michaelusers---
name: CGI-Application-Plugin-LinkIntegrity
version: 0.06
author:
  - Michael Graham 
abstract: Make tamper-resisistent links in CGI::Application
license: perl
requires:
  CGI: 2.37
  CGI::Application: 4
  Digest::HMAC: 0
  Digest::MD5: 0
  Test::More: 0
  URI: 0
  URI::Escape: 0
  URI::QueryParam: 0
provides:
  CGI::Application::Plugin::LinkIntegrity:
    file: lib/CGI/Application/Plugin/LinkIntegrity.pm
    version: 0.06
generated_by: Module::Build version 0.2611
CGI-Application-Plugin-LinkIntegrity-0.06/MANIFEST0100644000175200001440000000062510432775231021014 0ustar  michaelusersBuild.PL
Changes
lib/CGI/Application/Plugin/LinkIntegrity.pm
Makefile.PL
MANIFEST			This list of files
MANIFEST.SKIP
META.yml
misc/dist
misc/makedocs.pl
misc/module-starter-opts.txt
misc/prove_prereqs.pl
misc/style.css
README
t/00.load.t
t/01-link.t
t/02-self_link.t
t/03-path_info_link.t
t/04-hmac.t
t/05-tampering.t
t/06-built_in_link_tampered_rm.t
t/07-invalid_checksum_hook.t
t/pod-coverage.t
t/pod.t