
Re: Re: Instant redirect from form input

by Clownburner (Monk)
on Mar 15, 2001 at 04:54 UTC


in reply to Re: Instant redirect from form input
in thread Instant redirect from form input

FWIW, the servers I run this script on do not have any access restricted pages, and the redirects are always local (relative) URLs anyway.

What's interesting is that I did a packet capture using this script with Apache (1.3.14/Linux) and it did in fact pass a "302 Moved" back to the browser, and my browser immediately proceeded to fetch the indicated page. So how do you mean "internal" redirect?

Also, what do you mean by "The tr/// does nothing"? It does seem to handily eat any characters that aren't in the list -- or did you mean that it doesn't do anything with regards to security?

I'm anxious to hear your opinion on this in slightly more depth, and what could be done to improve the code. Perhaps always returning the redirect with an absolute URL?

Thanks for your help...
Signature void where prohibited by law.

Re: Re: Re: Instant redirect from form input
by merlyn (Sage) on Mar 15, 2001 at 05:00 UTC
    The tr/// does nothing. This:
    tr/[^\w\/\.\-\?\=\&\@\%]//
    does nothing. When there's no right side, and no flags, the left side is copied to the right side, and thus we've got a mapping of % to itself, w to itself, and so on.

    Which brings up the second problem. You seem to be treating it like a s///, rather than a tr///, and they share only the slashes. {grin} There's no "character classes" in tr///, nor do the square brackets mean what you think they mean, nor does the \w mean anything other than backslash followed by the letter w.

    As for the "external redirect" issue, dws and tilly helped me determine that CGI.pm now in fact (in violation of the spec) sends both a Status-302 and a Location header to the server, which the server error-corrects by turning an internal redirect into a fully-qualified external redirect. Ewww. This is sooooo broken, and was therefore unexpected when I posted my first note.

    So, you're safe, but only because others have padded the hallways for you, and only because everybody is error-correcting for you. {grin}

    -- Randal L. Schwartz, Perl hacker

      So what I really needed to do was change the tr/// into an s/// construct. I didn't realize that tr wasn't interpolated like s is. Hmm.

      With regards to the second issue, how would you modify the code to send a correctly formatted redirect? Would you manually print(); the "Status" and "Location" headers, or is there some other way I don't know about?

      A newly-shaven initiate thanks you...

      Signature void where prohibited by law.
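
As an added example (not code posted by anyone in this thread): the tr/// quoted above next to a tr///cd and an s///g that actually delete characters outside the list, followed by a hypothetical `local_target` check and a Location-only header. All helper names and sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread; all sample inputs are constructed.
use strict;
use warnings;

# The thread's tr/// verbatim (warnings off in this sub only). With no right
# side and no flags it maps each listed character to itself: nothing changes.
sub original_tr {
    no warnings;
    (my $copy = shift) =~ tr/[^\w\/\.\-\?\=\&\@\%]//;
    return $copy;
}

# tr/// with /c (complement the list) and /d (delete) removes every character
# NOT listed. tr/// understands ranges, but not classes such as \w.
sub strip_with_tr {
    (my $copy = shift) =~ tr/a-zA-Z0-9_\/.?=&@%-//cd;
    return $copy;
}

# The s/// form, where [^...] really is a negated character class.
sub strip_with_s {
    (my $copy = shift) =~ s/[^A-Za-z0-9_\/.\-?=&\@%]//g;
    return $copy;
}

# Hypothetical helper: validate instead of stripping. Accept only a path that
# starts with one "/" and uses the allowed characters; otherwise use "/".
sub local_target {
    my ($t) = @_;
    return '/' unless defined $t && $t =~ m{\A/(?!/)[A-Za-z0-9_/.\-?=&\@%]*\z};
    return $t;
}

# Location header alone, no Status line (the thread calls sending both a
# spec violation).
sub redirect_header { return 'Location: ' . local_target(shift) . "\n\n" }

# Render non-printable characters as \xNN so the output stays on one line.
sub show { (my $s = shift) =~ s/([^\x20-\x7e])/sprintf '\\x%02x', ord $1/ge; $s }

for my $in ('/docs/index.html?x=1', "/a b<c>\r\nX-Test: 1", '//other.example/') {
    print 'input:       ', show($in), "\n";
    print 'original tr: ', show(original_tr($in)), "\n";
    print 'tr///cd:     ', show(strip_with_tr($in)), "\n";
    print 's///g:       ', show(strip_with_s($in)), "\n";
    print 'header:      ', show(redirect_header($in)), "\n";
}
```

Stripping quietly turns a rejected value into a different one (the second sample becomes `/abcX-Test1`), which is why `local_target` rejects and falls back instead of repairing.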
