Apache-AppSamurai
# <Proxy> sections are duplicated. Pay close attention to <IfDefine>
# sections for your version of mod_perl (!MODPERL2 for mod_perl 1 and
# MODPERL2 for mod_perl 2)
# The following modules are required for this setup:
#LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
#LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
#LoadModule perl_module /usr/lib/apache/modules/mod_perl.so
# Load the main AppSamurai module and the mod_perl registry,
# and also enable taint and warnings.
#
# Keep taint checking on (PerlTaintCheck On for mod_perl 1, -T for
# mod_perl 2): the check/untaint helpers in Apache::AppSamurai::Util
# only have teeth when Perl is actually tracking tainted request data.
PerlModule Apache::AppSamurai
<IfDefine !MODPERL2>
# mod_perl 1.x: warnings and taint mode are separate directives.
PerlModule Apache::Registry
PerlWarn On
PerlTaintCheck On
</IfDefine>
<IfDefine MODPERL2>
# mod_perl 2.x: pass -w -T as interpreter switches, the equivalent of the
# PerlWarn/PerlTaintCheck pair above.
PerlModule ModPerl::Registry
PerlSwitches -wT
</IfDefine>
## Apache 1.x/mod_perl 1.x settings are enabled with Apache 2.x/mod_perl 2.x
## config alternatives commented out. ("*FOR MODPERL2 USE:" precedes
## the Apache 2.x/mod_perl 2.x version of any alternative config items.)
## Note that example configs in examples/conf/ use IfDefine to support
## both version sets without having to comment out items. Also note that it
## is far too ugly looking to include in this example.
## General mod_perl setup
# Apache::AppSamurai is always strict, warn, and taint clean. (Unless
# I mucked something up ;)
# Leave taint checking enabled: the untaint helpers in
# Apache::AppSamurai::Util only matter when Perl is tracking tainted
# request data.
PerlWarn On
PerlTaintCheck On
PerlModule Apache::Registry
#*FOR MODPERL2 USE:  (PerlSwitches -wT replaces the two directives above)
# PerlSwitches -wT
# PerlModule ModPerl::Registry
# Load the main module and define configuration options for the
# "Example" auth_name
my %allowedcl = map { $_ => 1 } @allowedciphers;
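# serialize($session)
#
# Freeze $session->{data} with Storable, encrypt it with the session's
# Crypt::CBC-style cipher object, Base64-encode the result (no line
# breaks) and store it in $session->{serialized}.  Dies on a malformed
# salt or if encoding yields nothing.
sub serialize {
    my $session = shift;

    # Cipher object for this session (built elsewhere in this module).
    my $c = setup_crypt($session);

    # Turn off Crypt::CBC automatic salt creation - (Note: This is done to
    # avoid a taint bug related to Crypt::CBC and some cipher modules.
    # Eventually this should be fixed and all salt handling should be done
    # by Crypt::CBC.)  NOTE(review): this reaches into the object's
    # internals and is fragile across Crypt::CBC versions.
    $c->{make_random_salt} = 0;

    # Use existing salt or create one if not set.
    # NOTE(review): if the same salt is kept in $session->{args}->{salt}
    # and reused for many serialize() calls under the same key, the
    # key/IV derived from it repeats as well - confirm against the callers
    # that populate this value.
    unless ($session->{args}->{salt}) {
        $session->{args}->{salt} = $c->random_bytes(8);
    }

    # Check for a valid salt and untaint.  \A/\z rather than ^/$: $ also
    # matches before a trailing "\n", so a 9-byte value ending in a newline
    # would have passed while only its first 8 bytes were used.
    ($session->{args}->{salt} =~ /\A(.{8})\z/s)
        or die "Invalid salt value (must be 8 bytes)";
    $c->salt($1);

    # Freeze, encrypt, then Base64 encode.  ($! is the OS error variable
    # and carries nothing useful for a pure encoding step, so it is left
    # out of the message.)
    my $serialized = encode_base64($c->encrypt(nfreeze($session->{data})), '')
        or die "Problem while serializing data";
    $session->{serialized} = $serialized;
}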
sub unserialize {
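# CheckSidFormat($sid)
#
# Check that $sid is a hex string of exactly $IDLEN bytes (2 * $IDLEN hex
# characters, case-insensitive).  Returns the untainted value on success,
# undef otherwise.  (Explicit "return undef" is kept deliberately: the
# documented contract is "undef on failure".)
sub CheckSidFormat {
    my $sid = shift;

    # Undefined input is never a valid ID.
    (defined($sid)) || (return undef);

    # $IDLEN is the digest length in bytes (module global); the hex form
    # is twice as many characters.
    my $tlen = $IDLEN * 2;

    # \A/\z rather than ^/$: $ also matches before a trailing newline, so
    # "<hex>\n" would have been accepted and silently trimmed.  Returning
    # the capture is what untaints the value.
    if ($sid =~ /\A([a-f0-9]{$tlen})\z/i) {
        return $1;
    }
    return undef;
}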
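# CheckUrlFormat($url)
#
# Check that the whole scalar is a URL (scheme, host, path/args) and
# untaint it.  Returns the URL, or undef if the input is not a URL.
#
# This is a syntax check only: the host is NOT restricted in any way, so
# on its own it does not make a redirect target safe.
sub CheckUrlFormat {
    my $url = shift;

    # Pattern adapted from the OWASP FAQ URL regex.  It is anchored with
    # \A ... \z so the entire input must be a URL: without the start anchor
    # "junk http://x" was accepted and silently trimmed to "http://x", and
    # with $ instead of \z a trailing newline was tolerated.
    my $url_re = qr{
        \A
        (                                           # capture 1: the URL
            (?: (?: https? | ftps? | gopher | telnet | nntp ) ://
              | mailto: | news: )
            (?: % [0-9A-Fa-f]{2}
              | [\-\(\)_\.!\~\*\';/\?:\@\&=\+\$,A-Za-z0-9] )+
        )
        (?: [\)\.!\';/\?:,] [[:blank:]] )?          # one trailing punct+blank is tolerated
        \z
    }x;

    return undef unless defined $url;
    if ($url =~ $url_re) {
        return $1;
    }
    return undef;
}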
# Check host address or DNS name. NOT A STRICT TEST! This will allow in
# IPv4 and v6 and most DNS names. Use CheckHostIP for a strict IPv4 check.
sub CheckHostName {
$expirets = time() + 3600;
$expire = expires($expire);
# Get a random session authentication key.
$newkey = CreateSessionAuthKey();
# Compute a session authentication key from input.
$junk = 'stuffySTUFFthing';
$newkey = CreateSessionAuthKey($junk);
# Untaint and check for valid session ID or session auth key format.
if ($id = CheckSidFormat($id)) { print "ROCK ON!\n"; }
# Check for a valid "passphrase" (must be all printables and normal
# whitespace), then return a hash of input.
$passphrase = "The quick brown cow jumped into the A&W root beer.";
($passkey = HashPass($passphrase)) or die "Bad passphrase";
# Just hash the input, even if empty, and return hash.
$hashstruff = HashAny('stuff');
# Compute the real session ID by computing a HMAC of the user's session
# authentication key and the server's key.
$authkey = '628b49d96dcde97a430dd4f597705899e09a968f793491e4b704cae33a40dc02';
$servkey = 'c44474038d459e40e4714afefa7bf8dae9f9834b22f5e8ec1dd434ecb62b512e';
($sessid = ComputeSessionId($authkey, $servkey)) or die "Bad input!";
# Untaint and check for a valid session ID, session authentication key,
# or server key value. (All should be hex strings of a proper length.)
($authkey = CheckSidFormat($authkey)) or die "Bad authentication key!";
# Untaint and check (loosely) for a properly formatted URL.
$url = 'http://jerryonly.mil/TheApp?test=1';
($url = CheckUrlFormat($url)) or die "You call that an URL?";
# Untaint and check for a decent looking hostname/DNS name
$hn = 'jerryonly.mil';
($hn = CheckHostName($hn)) or die "Bad name, man.";
# Untaint and check for a valid IP. IPv4 only supported at this time :(
$ip = '10.11.12.13';
($ip = CheckHostIP($ip)) or die "That is no kind of dotted quad....";
# Untaint and then X out the second half of the input. This is used
# for various debugging output to (hopefully) protect sensitive info from
# ending up in logs.
$msg = "Who stole my notebook? Was it you Larry?";
$msg = XHalf($msg);
print $msg, "\n";
# Prints out: Who stole my notebookXXXXXXXXXXXXXXXXXXXX
=head1 DESCRIPTION
This is a set of utility methods for L<Apache::AppSamurai|Apache::AppSamurai>
and related sub-modules to use. All methods should be called with a full
module path (Apache::AppSamurai::Util::CheckHostIP(), etc.), or be imported
into the current namespace.
Almost all the methods return a clean, untainted value on success, or undef
on failure.
=head1 METHODS
=head2 expires()
Convert a UNIX timestamp to a valid cookie expire stamp. (Copied from
L<CGI::Util|CGI::Util>).
=head2 CreateSessionAuthKey()
This method of looking up the real (local) session ID keeps the session
authentication key secret from the web server while the session is not
being actively used. This matters because the session authentication key is
used (in part) to encrypt the user's session data: without it, an attacker
who obtains a stale session file, remnant data on a hard drive, or a
compromised session database cannot recover the session contents.
=head2 CheckSidFormat()
Check input scalar for proper ID format. (Characters and length.) Returns
the untainted input, or undef on failure.
Apache::AppSamurai currently uses SHA256 for all digest and ID functions.
All are represented as hex strings of 64 characters (256 bits divided by
4 bits per hex digit). The underlying digest length in bytes (32) is set in
the C<$IDLEN> global in the Util.pm file; the hex length checked is twice
that. Future versions may be more flexible and allow alternate digest
algorithms.
=head2 CheckUrlFormat()
Check the scalar for proper URL formatting. Returns the untainted URL or undef
on failure.
This is just a basic syntax check, and allows through ftp:, gopher:, etc. in
addition to http: and https:. It does not restrict the host at all, so it
is not sufficient on its own to validate a redirect target. Apply more
extensive filtering using mod_rewrite or other means, as needed.
=head2 CheckHostName()
Check scalar for basic hostname/domain name syntax. Returns an untainted
version of the input, or undef on failure.
=head2 CheckHostIP()
Check input scalar for proper text IP format. Returns the untainted input
on success, or undef on failure.
IPv4 dotted quads are only supported at this time. IPv6 support will be
added, but considering the ungodly tangled mess that can represent an
IPv6 address, the motivation to tackle it is not currently present.
=head2 XHalf()
Check that input scalar is text, then convert the second half of the string
to a string of 'X's and return the new string.