
The Freakiest thing...

  • Skylos the Doggie
    Message 1 of 7, Jan 9, 2004
      Okay, I've gotta bounce this off some other programmers who work with
      Apache::ASP.

      This has been reported twice.

      Procedure:

      User loads signup form

      Result:

      User sees somebody else's credit card data - VERY VERY VERY BAD

      Attempts by programmer to recreate:

      Fruitless.

      Thoughts:

      I store the form data in a variable. This is a my scoped variable in the
      root file scope.

      I then utilize this $frm variable in a subroutine that I call, without
      passing the value. Utilizing it as a global variable, for the file, at
      least.

      The simplest case for example:

      ---index.asp---
      <%@Language=PerlScript%>
      <%
      my $frm = $Request->Form();

      Main(%Results);

      sub Main {
      %>various html stuff
      <input type=text name="cc_number" value="<%=$frm->{'cc_number'}%>">
      more html stuff<%
      }
      %>
      ---index.asp---

      Now what has happened, reportedly twice (probably many more times),
      is that the Main() subroutine displays the cc_number that was entered
      BY A DIFFERENT SESSION!

      The question is: is it at all possible that some other session (perhaps
      within the same apache process) acquired some other value of $frm through
      the persistent-across-page-loads value of $frm within Main? I think you
      programmers can understand what I'm asking, though it seems muddled even
      as I try to type it.

      As I understood it, a file 'my' scoped variable would NOT be persisted
      anywhere, but is considered global within subroutines in the same file.

      Maybe I'm wrong. I know that it's ugly what I did there, and I have
      revised my code to pass the $frm variable from the file scope to the
      subroutine. Much prettier.

      Your thoughts?

      Skylos

      - skylos@...
      - The best part about the internet is nobody knows you're a dog.
      (Peter Stiener, The New Yorker, July 5, 1993)
      - Dogs like... TRUCKS! (Nissan commercial, 1996)
      - PGP key: http://dogpawz.com/skylos/mykey.asc

      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Fagyal, Csongor
      Message 2 of 7, Jan 9, 2004
        Skylos,

        I don't really follow the code snippet you presented here, but it sounds
        to me that you have generated a closure. This is a very usual mod_perl
        issue.

        See:
        http://perl.apache.org/docs/general/perl_reference/perl_reference.html#Understanding_Closures____the_Easy_Way

        Also look at this:
        http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines

        In general you should not declare subroutines inside ASP pages.
        (However, I have the rather faint memory that the newest version of
        Apache::ASP presents a workaround... others will probably comment on this.)

        - Csongor

      • Skylos the Doggie
        Message 3 of 7, Jan 9, 2004
          On Fri, 9 Jan 2004, Fagyal, Csongor wrote:

          > Skylos,
          >
          > I don't really follow the code snippet you presented here,

          I'm not sure how to be more simple. What part didn't you understand?

          > but it sounds to me that you have generated a closure. This is a very
          > usual mod_perl issue.

          I should know, I use them regularly in my programming. :) They're not an
          issue so much as a useful feature?

          > See:
          > http://perl.apache.org/docs/general/perl_reference/perl_reference.html#Understanding_Closures____the_Easy_Way

          Been there.

          > Also look at this:
          > http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines

          But this information about scoped variables in nested subroutines I
          believe is the clue. If my script is a subroutine of Apache::ASP cache
          stuff, then my Main() subroutine is a nested subroutine, and it's keeping
          the old value of $frm that was there the last time it ran the nested
          subroutine.

          Pretty much, mystery solved! Thanks muchly for the reference.

          > In general you should not declare subroutines inside ASP pages.

          *WHAT*???????? Whyever NOT? Subroutines are.... like one of my most
          basically consistent ways of subdividing programs. I use them
          extensively!

          > (However, I have the rather faint memory that the newest version of
          > Apache::ASP presents a workaround... others will probably comment on this.)

          I never found any issue with it, outside of occasional "redefined
          subroutine" errors in the logs if I had two scripts with the same
          subroutine name...


          - skylos@...
          - The best part about the internet is nobody knows you're a dog.
          (Peter Stiener, The New Yorker, July 5, 1993)
          - Dogs like... TRUCKS! (Nissan commercial, 1996)
          - PGP key: http://dogpawz.com/skylos/mykey.asc
        • Robert Friberg
          Message 4 of 7, Jan 9, 2004
            The same thing tortured me for weeks, I was getting random
            segfaults and didn't have the slightest clue as to what was
            causing them. I finally found a sub with a reference to the
            Apache::Request object...

            Of course you should use subroutines, just make sure to pass
            in all info as arguments. IMHO it's bad design when a sub
            depends on global variables.


            ------------------------------------------------------------------------
            ! Robert Friberg 0733-839080
            ! Developer/Trainer perl,java,dotnet,linux,xml,uml,sql,c/c++,vb
            ! Ensofus AB http://www.ensofus.se/
            ! Miljo Online AB http://www.miljo-online.se/
            ------------------------------------------------------------------------

          • Robert Friberg
            Message 5 of 7, Jan 9, 2004
              Skylos wrote:
              > I have revised my code to pass the $frm variable from the file
              > scope to the subroutine.

              I wrote:
              > Of course you should use subroutines, just make sure to pass
              > in all info as arguments.

              Sorry, I wasn't paying complete attention... Of course that revision
              solved your bug, but I bet you didn't know that at the time :)

              One thing's pretty sure though, neither of us will ever make that
              same mistake again.

              cheers,
              ------------------------------------------------------------------------
              ! Robert Friberg 0733-839080
              ! Developer/Trainer perl,java,dotnet,linux,xml,uml,sql,c/c++,vb
              ! Ensofus AB http://www.ensofus.se/
              ! Miljo Online AB http://www.miljo-online.se/
              ------------------------------------------------------------------------


            • Josh Chamas
              Message 6 of 7, Jan 9, 2004
                >
                >>In general you should not declare subroutines inside ASP pages.
                >
                >
                > *WHAT*???????? Whyever NOT? Subroutines are.... like one of my most
                > basically consistent ways of subdividing programs. I use them
                > extensively!
                >

                Consider that Apache::ASP scripts are compiled as subroutines.
                Generally one does not define subroutines in subroutines; you can,
                but it can easily create closure issues like the one you encountered.

                If you really need to define a subroutine in a script, define it as
                an anonymous sub, like

                my $sub = sub { ... };
                &$sub(); # execute sub

                This way it will be redefined each script invocation and will be immune
                to the my() closure caching effect that nested subs can create. Better yet,
                if you have common subs that you want to share between scripts, put them
                into the global.asa file, which is the default package for your scripts.

                >
                >>(However, I have the rather faint memory that the newest version of
                >>Apache::ASP presents a workaround... others will probably comment on this.)
                >

                Yes, the last version of Apache::ASP tries to detect the use of named subs
                in scripts, and if it finds them, will turn off script compilation caching.

                >
                > I never found any issue with it, outside of occasional "redefined
                > subroutine" errors in the logs if I had two scripts with the same
                > subroutine name...
                >
                >

                This issue that you have run into is an important reason for not defining
                subs in scripts. Another is that since all scripts are defined in the same
                perl package ( aka. GlobalPackage config ), the named subs will be shared
                between scripts, and could create a conflict if scripts name subs the same.

                If you really want to have named subs in your scripts, consider setting
                NoCache, which will prevent your scripts from being cached so that
                the my() closure caching won't affect you.

                Regards,

                Josh

                ________________________________________________________________
                Josh Chamas, Founder phone:925-552-0128
                Chamas Enterprises Inc. http://www.chamas.com
                NodeWorks Link Checker http://www.nodeworks.com
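
The leak discussed in this thread and the two fixes suggested in it, as a stand-alone Perl sketch added here (not code from the thread or from Apache::ASP). It assumes a cached script behaves like a subroutine that one process compiles once and calls per request; the page_* subs, render_form and the form values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Each page_* sub stands in for one cached, compiled script: the script body
# is the body of a subroutine that one Apache child compiles once and then
# calls for every request it serves. All names and form values are constructed.

# BEFORE: named sub nested in the script body, reading the outer 'my' variable.
# perl compiles Main once and binds it to the first instance of $frm; with
# warnings on it reports: Variable "$frm" will not stay shared
sub page_leaky {
    my ($form) = @_;
    my $frm = $form;
    sub Main { return 'cc_number=' . ($frm->{cc_number} // '') }
    return Main();
}

# FIX 1 (Josh Chamas): anonymous sub, rebuilt on every invocation, so it
# closes over the current request's $frm.
sub page_anon {
    my ($form) = @_;
    my $frm = $form;
    my $main = sub { return 'cc_number=' . ($frm->{cc_number} // '') };
    return $main->();
}

# FIX 2 (Skylos, Robert Friberg): the named sub lives outside the script body
# and receives the form data as an argument.
sub render_form {
    my ($frm) = @_;
    return 'cc_number=' . ($frm->{cc_number} // '');
}
sub page_args {
    my ($form) = @_;
    return render_form($form);
}

# Two requests served by the same process: user A posts the form, then
# user B loads the empty signup form.
my @requests = (
    { user => 'A', form => { cc_number => '4111111111111111' } },  # test number
    { user => 'B', form => {} },
);

my %pages = (leaky => \&page_leaky, anon => \&page_anon, args => \&page_args);
my %seen_by_b;
for my $name (sort keys %pages) {
    for my $req (@requests) {
        my $out = $pages{$name}->($req->{form});
        printf "%-5s user %s sees %s\n", $name, $req->{user}, $out;
        $seen_by_b{$name} = $out if $req->{user} eq 'B';
    }
}

# Regression check: only the nested named sub hands A's value to B.
die "expected leak not reproduced" unless $seen_by_b{leaky} eq 'cc_number=4111111111111111';
die "anonymous sub leaked"         unless $seen_by_b{anon}  eq 'cc_number=';
die "argument passing leaked"      unless $seen_by_b{args}  eq 'cc_number=';
print "ok\n";
```

The compile-time warning is the cheap detection point: running `perl -wc` over page code, or grepping the server error log for "will not stay shared", finds nested named subs before a user does.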


              • Warren Young
                Message 7 of 7, Jan 12, 2004
                  Josh Chamas wrote:

                  > Better yet, if you have common subs that you want to share between
                  > scripts, put them into the global.asa file,

                  ...or put them into a Perl module, which you can place in the same
                  directory with the global.asa file. Import the library with a 'use'
                  statement at the top of global.asa. We have an Apache::ASP application
                  with dozens of subroutines, all stored in pm files. The only code in
                  the ASP files are the bits completely unique to that page's function.

