NMS, London PM?

InfiniteSilence has asked for the wisdom of the Perl Monks concerning the following question:

Searching around for Perl projects on Sourceforge led me to NMS. (Update: The library in question is called CookieLib). There is a a README, but it does not mention anything about this. Okay, I think, this is posted by London PM (or by members thereof), and the code is supposed to be more secure than MSA code. What I don't get is how this is supposed to be more secure:

sub SetCookies {

    my (%input) = @_;
    while( my($name,$value) = each %input )
    {
        my $c = CGI->cookie (
                             -name    => $name,
                             -value   => $value,
                             -expires => ((exists($cookie_config{expir
+es}) && $cookie_config{expires} ==1) ? $cookie_config{expires} : unde
+f),
                             -domain  => ((exists($cookie_config{domai
+n})  && $cookie_config{domain}  ==1) ? $cookie_config{domain}  : unde
+f),
                             -secure  => ((exists($cookie_config{secur
+e})  && $cookie_config{secure}  ==1) ? $cookie_config{secure}  : unde
+f),
                             -path    => ((exists($cookie_config{path}
+)    && $cookie_config{path}    ==1) ? $cookie_config{path}    : unde
+f),
                            );
        print "Set-Cookie: ", $c, "\n";
    }
}
[download]

Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M':

 $c = new CGI::Cookie(-name    =>  'foo',
                                 -value   =>  'bar',
                                 -expires =>  '+3M',
                                 -domain  =>  '.capricorn.com',
                                 -path    =>  '/cgi-bin/database',
                                 -secure  =>  1
                                );
[download]

So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?

Update #2: As a result of my posting the following was appended to the modification history of CookieLib at NMS:

# $Log: cookielib,v $
# Revision 1.6  2006/04/08 08:34:31  gellyfish
# Appeared to be a cut and paste error in SetCookies
[download]

And the code has, apparently, been modified. Thank you gellyfish for your prompt action.

Celebrate Intellectual Diversity

Moved from Perl Monks Discussion to Seekers of Perl Wisdom by planetscape

Comment on NMS, London PM? Select or Download Code

Replies are listed 'Best First'.

Re: NMS, London PM?
by PodMaster (Abbot) on Apr 08, 2006 at 01:06 UTC

NMS, London PM?

What file is this code in? Does it have documentation?

Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M': ...So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?

==1

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.

[reply]
[d/l]

Re: NMS, London PM?
by gellyfish (Monsignor) on Apr 10, 2006 at 20:52 UTC

Firstly perlmonks is not an ideal place to be asking questions about the NMS programs, we have a support mailling list which is read by the developers at nms-cgi-support@lists.sourceforge.net, I can't speak for any of the other project members but I certainly don't have time to scan every possible place that Perl might be discussed in order to answer questions about NMS.

Yes there was what would appear to be a copy and paste error in the cookielib that has gone undetected for quite a long period of time. This code was contributed as-is by a single developer and it was only subsequently amended to conform to the 'house style' and to fix an obvious bug.

The typo in the cookie creation code poses no security risk, it simply means that it doesn't work in the way that is described in the README. As you noted above after you pointed this out on the mailing list I fixed this mistake and made a new release.

If you wish to contribute to the NMS project please feel free to contact us in the manner described on the project web site.

/J\

[reply]