NMS, London PM?
InfiniteSilence
created: 2006-04-07 17:30:08
perlmonks
prlmnks
Searching around for Perl projects on Sourceforge led me to NMS. Okay, I think, this is posted by London PM (or by members thereof), and the code is supposed to be more secure than MSA code. What I don't get is how this is supposed to be more secure: 
sub SetCookies {

    my (%input) = @_;
    while( my($name,$value) = each %input )
    {
        my $c = CGI->cookie (
                             -name    => $name,
                             -value   => $value,
                             -expires => ((exists($cookie_config{expires}) && $cookie_config{expires} ==1) ? $cookie_config{expires} : undef),
                             -domain  => ((exists($cookie_config{domain})  && $cookie_config{domain}  ==1) ? $cookie_config{domain}  : undef),
                             -secure  => ((exists($cookie_config{secure})  && $cookie_config{secure}  ==1) ? $cookie_config{secure}  : undef),
                             -path    => ((exists($cookie_config{path})    && $cookie_config{path}    ==1) ? $cookie_config{path}    : undef),
                            );
        print "Set-Cookie: ", $c, "\n";
    }
}
Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M': 
 $c = new CGI::Cookie(-name    =>  'foo',
                                 -value   =>  'bar',
                                 -expires =>  '+3M',
                                 -domain  =>  '.capricorn.com',
                                 -path    =>  '/cgi-bin/database',
                                 -secure  =>  1
                                );
So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?

Celebrate Intellectual Diversity

Re: NMS, London PM?
PodMaster
created: 2006-04-07 21:06:00
perlmonks
prlmnks
Your choice of title NMS, London PM? could be better.

What file is this code in? Does it have documentation?

Note the "==1"s. Also, the quickest glance through the CGI::Cookie perldoc shows that you can use values for -expires like '3M': ...So, is the above supposed to be a secure version usage of the CGI::Cookie module? If so, why?
No. I don't see why you would think that. I think the various ==1 parts are probably typos. Its hard to say without context.

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.
Re: NMS, London PM?
gellyfish
created: 2006-04-10 16:52:27
perlmonks
prlmnks

Firstly perlmonks is not an ideal place to be asking questions about the NMS programs, we have a support mailling list which is read by the developers at mailto:nms-cgi-support@lists.sourceforge.net, I can't speak for any of the other project members but I certainly don't have time to scan every possible place that Perl might be discussed in order to answer questions about NMS.

Yes there was what would appear to be a copy and paste error in the cookielib that has gone undetected for quite a long period of time. This code was contributed as-is by a single developer and it was only subsequently amended to conform to the 'house style' and to fix an obvious bug.

The typo in the cookie creation code poses no security risk, it simply means that it doesn't work in the way that is described in the README. As you noted above after you pointed this out on the mailing list I fixed this mistake and made a new release.

If you wish to contribute to the NMS project please feel free to contact us in the manner described on the project web site.

/J\

perlmonks.org content © perlmonks.org and gellyfish, InfiniteSilence, PodMaster

prlmnks.org © 2006 edmund von der burg (eccles & toad)

v 0.03