all your uri are belong to us
play

All Your URI are Belong to Us Geoffrey Young - PowerPoint PPT Presentation

Nov 08, 2022 •245 likes •529 views

All Your URI are Belong to Us Geoffrey Young geoff@modperlcookbook.org 1 http://www.modperlcookbook.org/~geoff/ Apache Request Cycle Client Request Logging URI-based Init Content URI Translation Fixups File-Based Init Resource Control

  1. All Your URI are Belong to Us Geoffrey Young geoff@modperlcookbook.org 1 http://www.modperlcookbook.org/~geoff/

  2. Apache Request Cycle Client Request Logging URI-based Init Content URI Translation Fixups File-Based Init Resource Control Mime Setting 2 http://www.modperlcookbook.org/~geoff/

  3. Apache Request Cycle Client Request Client Request URI-based Init URI-based Init URI Translation 3 http://www.modperlcookbook.org/~geoff/

  4. URI Translation • Apache needs to map the URI to a physical file on disk • Default is to prepend DocumentRoot to the URI DocumentRoot /usr/local/apache/htdocs 4 http://www.modperlcookbook.org/~geoff/

  5. URI Translation • Directives like Alias override the default DocumentRoot /usr/local/apache/htdocs Alias /manual/ /usr/local/apache/manual/ <Directory /usr/local/apache/manual> ... </Directory> • Some URIs have no associated file, but Apache tries anyway <Location server-status> ... </Location> 5 http://www.modperlcookbook.org/~geoff/

  6. PerlTransHandler Client Request Client Request URI-based Init URI-based Init PerlTransHandler 6 http://www.modperlcookbook.org/~geoff/

  7. PerlTransHandler • Useful for overriding the Apache default • Allows you to be extremely devious • There are a few pitfalls of which to be aware 7 http://www.modperlcookbook.org/~geoff/

  8. Simple PerlTransHandler • Be rid of those silly favicon.ico requests that end up 404 • Translate the incoming URI to a common place if it matches favicon.ico 8 http://www.modperlcookbook.org/~geoff/

  9. package Cookbook::Favicon; use Apache::Constants qw(DECLINED); use strict; sub handler { my $r = shift; $r->uri("/images/favicon.ico") if $r->uri =~ m!/favicon\.ico$!; return DECLINED; } 1; 9 http://www.modperlcookbook.org/~geoff/

  10. Client Request GET /foo/bar/baz/biff/favicon.ico HTTP/1.1 Host: www.example.com 10 http://www.modperlcookbook.org/~geoff/

  11. Client Request Client Request URI-based Init URI-based Init PerlTransHandler URI: /foo/bar/baz/biff/favicon.ico 11 http://www.modperlcookbook.org/~geoff/

  12. Client Request Client Request URI-based Init URI-based Init PerlTransHandler core translation FILE: /usr/local/apache/htdocs/images/favicon.ico 12 http://www.modperlcookbook.org/~geoff/

  13. Setup • add Favicon.pm to @INC ServerRoot /lib/perl/Cookbook/Favicon.pm • add to httpd.conf PerlModule Cookbook::Favicon PerlTransHandler Cookbook::Favicon • that's it! 13 http://www.modperlcookbook.org/~geoff/

  14. Winner Takes All • The first URI translation handler to return OK ends the phase –mod_perl or otherwise • Perl handlers usually return DECLINED –lets Apache's core translation engine do the filesystem mapping • Return OK only when you map the file to disk yourself 14 http://www.modperlcookbook.org/~geoff/

  15. Why Not Use mod_rewrite? • our Cookbook::Favicon is pretty much the same as RewriteRule /favicon.ico$ /images/favicon.ico • We did it in Perl • With Perl comes great power 15 http://www.modperlcookbook.org/~geoff/

  16. URI-based Sessions • A simple cookie-less session scheme stores the session in the URI • Storage can occur in the PATH_INFO http://manual/index.html/a92c5e • Or at the start of the URI http://a92c5e/manual/index.html • The second form has some distinct advantages 16 http://www.modperlcookbook.org/~geoff/

  17. package Cookbook::URISessionManager; use Apache::Constants qw(DECLINED OK); use Apache::URI; sub get_session { my $r = shift; my $uri = $r->parsed_uri; # Separate the MD5 session from the real path. my ($session, $path) = $uri->path =~ m!^/([a-fA-F0-9]{32})(/.*)!; return DECLINED unless $session; # Now, put the session in a note... $r->notes(SESSION => $session); # ... and set the URI to the proper path. $r->uri($path); return DECLINED; } 1; 17 http://www.modperlcookbook.org/~geoff/

  18. Advantages • Session parsing is done up front –everyone else gets the session from notes my $session = $r->notes('SESSION'); –even C handlers! –true even if you use PATH_INFO • Browsers take care of adding the session to relative links for you 18 http://www.modperlcookbook.org/~geoff/

  19. Disadvantages • The main problem with URI-based sessions is "session leakage" • Session data will show up in Referer logs whenever someone clicks offsite • A simple PerlTransHandler takes care of that 19 http://www.modperlcookbook.org/~geoff/

  20. package Cookbook::URISessionManager; sub get_session { ... } sub clean_uri { my $r = shift; my ($uri) = $r->uri =~ m!.*(http://.*)!; $r->send_http_header('text/html'); print<<EOF; <html> <head> <meta http-equiv="refresh" content="0;URL=$uri"> </head> <body> you should be going <a href="$uri">here</a> soon </body> </html> EOF return OK; } 1; 20 http://www.modperlcookbook.org/~geoff/

  21. httpd.conf PerlModule Cookbook::URISessionManager PerlTransHandler Cookbook::URISessionManager::get_session <Location /goodbye> SetHandler perl-script PerlHandler Cookbook::URISessionManager::clean_uri </Location> 21 http://www.modperlcookbook.org/~geoff/

  22. Mischievous Behavior • Simple URI re-mapping is only the beginning • Apache has this neat, built-in functionality called proxying –provided you have mod_proxy installed • With mod_perl and mod_proxy you can proxy just about anything... 22 http://www.modperlcookbook.org/~geoff/

  23. Advanced PerlTransHandler • Create a proxy that uses our local Apache documentation instead of ASF servers • Intercept proxy requests and silently replace calls to http://httpd.apache.org/docs with /usr/local/apache/htdocs/manual 23 http://www.modperlcookbook.org/~geoff/

  24. Client Setup 24 http://www.modperlcookbook.org/~geoff/

  25. Server Setup • Add this to httpd.conf PerlModule My::ManualProxy PerlTransHandler My::ManualProxy 25 http://www.modperlcookbook.org/~geoff/

  26. package My::ManualProxy; use Apache::Constants qw(OK DECLINED); use strict; sub handler { my $r = shift; return DECLINED unless $r->proxyreq; my (undef, $file) = $r->uri =~ m!^http://(www|httpd).apache.org/(.*)!; if ($file =~ m!^docs/!) { $file =~ s!^docs/!manual/!; $file = join "/", ($r->document_root, $file); if (-f $file) { $r->filename($file); # use local disk return OK; } } return DECLINED; } 1; 26 http://www.modperlcookbook.org/~geoff/

  27. Apache Request Cycle Client Request Logging URI-based Init Content URI Translation Fixups File-Based Init Resource Control Mime Setting 27 http://www.modperlcookbook.org/~geoff/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Polygon Filling Goal intensify the pixels that belong to the polygon Issues which pixels belong

Polygon Filling Goal intensify the pixels that belong to the polygon Issues which pixels belong

Polygon Filling Goal intensify the pixels that belong to the polygon Issues which pixels belong to the polygon Approach use a (horizontal) scan line that traverses the polygon intensify the pixels along the spans (the segments of

895 views • 50 slides
Three peaks, but which 2) Measure FT-IR &gt; peaks belong to which molecule? Crosspeaks between

Three peaks, but which 2) Measure FT-IR &gt; peaks belong to which molecule? Crosspeaks between

2D IR EXAMPLE COMPARISON WITH FT-IR 1) Take a mixture 1 IR mode + 2 IR modes of two compounds Three peaks, but which 2) Measure FT-IR &gt; peaks belong to which molecule? Crosspeaks between vibrations mean they belong 3) Measure 2D

179 views • 7 slides
Be.Belong.Give. Parish Town Halls October 9, 2016 Theme Be. Be whoever you are and whatever

Be.Belong.Give. Parish Town Halls October 9, 2016 Theme Be. Be whoever you are and whatever

St. Marks Episcopal Church Capitol Hill 2017 Canvass: Be.Belong.Give. Parish Town Halls October 9, 2016 Theme Be. Be whoever you are and whatever you believe. Belong. Joi us. We aet lookig to chage ou, 2017

532 views • 17 slides
BELONG A family support programme promoting a sense of belonging for black &amp; minority ethnic

BELONG A family support programme promoting a sense of belonging for black &amp; minority ethnic

BELONG A family support programme promoting a sense of belonging for black &amp; minority ethnic children through: Cultural Confidence &amp; Competence Anti-Bullying &amp; Anti-Racial Bullying Education BELONG Beginnings

301 views • 18 slides
All Your Rule Base Are Belong to Me Jewel H. Ward

All Your Rule Base Are Belong to Me Jewel H. Ward

All Your Rule Base Are Belong to Me Jewel H. Ward Doctoral Student, UNC-CH SILS &amp; DICE iRODS User Mee,ng February 17-18, 2011

406 views • 15 slides
All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg,

All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg,

All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg, Ben Karel, Benjamin Pierce, Greg Morrisett, and more) 2012-11-05 -- WG 2.8 meeting in Annapolis Information Flow Control [Fenton, 1974] Static

326 views • 18 slides
Why Are We Here? Access/ metro and backbone networks may belong to different carriers or

Why Are We Here? Access/ metro and backbone networks may belong to different carriers or

GIBSON: Global IP-Based Service-Oriented Network Ping Pan, Tom Nolle August 2006, IMS Workshop Why Are We Here? Access/ metro and backbone networks may belong to different carriers or business entities: Different technologies among

439 views • 12 slides
Diversity and National Identity Sampoorna Biswas What does it mean to belong to your

Diversity and National Identity Sampoorna Biswas What does it mean to belong to your

Diversity and National Identity Sampoorna Biswas What does it mean to belong to your country? (And important to Pakistan too) Grown Born up/lived According to Google Autocomplete Culturally/ linguistically from here 29

519 views • 27 slides
A Community Where You Belong Laying The Foundation For The Next 100 Years Our First 100 Years

A Community Where You Belong Laying The Foundation For The Next 100 Years Our First 100 Years

A Community Where You Belong Laying The Foundation For The Next 100 Years Our First 100 Years The Indiana Masonic Home was established to care for widows and orphaned children of Masons in 1915. Through the years, the community grew and demand

402 views • 25 slides
1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To Us over-the-air exploitation of memory corruptions in GSM software stacks Ralf-Philipp Weinmann Laboratory for Algorithmics, Cryptology &amp;

737 views • 45 slides
Chapter 3 Business Organizations Economics and You Do you work at a business? Belong to a

Chapter 3 Business Organizations Economics and You Do you work at a business? Belong to a

Chapter 3 Business Organizations Economics and You Do you work at a business? Belong to a church? Participate in a club? Chances are these institutions play a significant role in your life. Click the Speaker button to listen to Economics

532 views • 30 slides
All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring

All Your Cluster-Grids Are Belong to Us: Monitoring the (in)Security of Infrastructure Monitoring Systems Andrei Costin EURECOM, France 1 st Workshop on Security &amp; Privacy in the Cloud (SPC) 30 Sep 2015, Florence Italy Agenda

640 views • 63 slides
NETWORKS Maria Agroti EPL682 1 1: All Your r Conta tacts ts Are Belong ng to Us: Aut

NETWORKS Maria Agroti EPL682 1 1: All Your r Conta tacts ts Are Belong ng to Us: Aut

SOCIAL NETWORKS Maria Agroti EPL682 1 1: All Your r Conta tacts ts Are Belong ng to Us: Aut utomated ted Identi tity The heft t At Attac acks on Social al Networ orks by: Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin

702 views • 47 slides
Authorship identification in large email collections: Experiments using features that belong to

Authorship identification in large email collections: Experiments using features that belong to

Authorship identification in large email collections: Experiments using features that belong to different linguistic levels George K. Mikros &amp; Kostas Perifanos National and Kapodistrian University of Athens 2 PAN 2011 Lab, 19-22

259 views • 13 slides
and useful for people Krastsvetmet refines all 100% of Krastsvetmet shares belong to the

and useful for people Krastsvetmet refines all 100% of Krastsvetmet shares belong to the

We make precious metals available and useful for people Krastsvetmet refines all 100% of Krastsvetmet shares belong to the Krasnoyarsk precious metals on an Region, a constituent entity industrial scale, processes of the Russian Federation

533 views • 25 slides
I ndigo Partners Branding www.IndigoHQ.com Why branding? Strong brands do not belong to

I ndigo Partners Branding www.IndigoHQ.com Why branding? Strong brands do not belong to

I ndigo Partners Branding www.IndigoHQ.com Why branding? Strong brands do not belong to corporations, but to people Mark Gobe, Author of Emotional Branding They: Create a sense of ownership for those who use and love

692 views • 8 slides
Test-Driven Web APIs http://ian S robinson.com @ian S robinson Web

Test-Driven Web APIs http://ian S robinson.com @ian S robinson Web

Test-Driven Web APIs http://ian S robinson.com @ian S robinson Web is like 1950s office Domain work as side-effect of shuffling docs around HTTP is the

893 views • 41 slides
Malicious URI resolving in PDFs Valen6n HAMON Opera&amp;onal

Malicious URI resolving in PDFs Valen6n HAMON Opera&amp;onal

Malicious URI resolving in PDFs Valen6n HAMON Opera&amp;onal cryptology and virology laboratory (C+V) valen6n.hamon@et.esiea-ouest.fr h&lt;p://cvo-lab.blogspot.fr/

1.07k views • 72 slides
Tel-URI Enhancements DAI, CPC, OLI updates + M. Patel, M. Dolly, R. Jesske, D. Hancock, S.

Tel-URI Enhancements DAI, CPC, OLI updates + M. Patel, M. Dolly, R. Jesske, D. Hancock, S.

Tel-URI Enhancements DAI, CPC, OLI updates + M. Patel, M. Dolly, R. Jesske, D. Hancock, S. Channabasappa IETF#78 Maastricht Scope Updates of drafts: draft-yu-tel-dai-08 draft-patel-dispatch-cpc-oli-parameter-03 Liaison Statement

222 views • 10 slides
Uri Braun and Margo Seltzer Harvard University Adriane Chapman, Barbara Blaustein, M. David

Uri Braun and Margo Seltzer Harvard University Adriane Chapman, Barbara Blaustein, M. David

Uri Braun and Margo Seltzer Harvard University Adriane Chapman, Barbara Blaustein, M. David Allen and Len Seligman MITRE Data Interoperability OPM Syntactic Interoperability XML Query Interoperability Data Interoperability OPM Syntactic

660 views • 34 slides
Beyond Worst-Case Analysis in Algorithmic Game Theory Inbal Talgam-Cohen, Technion CS Games,

Beyond Worst-Case Analysis in Algorithmic Game Theory Inbal Talgam-Cohen, Technion CS Games,

Beyond Worst-Case Analysis in Algorithmic Game Theory Inbal Talgam-Cohen, Technion CS Games, Optimization &amp; Optimism: Workshop in Honor of Uri Feige Weizmann Institute, January 2020 Uri as an advisor Q1: What did you appreciate most

555 views • 41 slides
Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * , Kristopher K. Micinski * , Jeffrey A. Vaughan # , Ari Fogel + , Nikhilesh Reddy + , Jeffrey S. Foster * , and Todd Millstein + . * University of Maryland,

536 views • 26 slides
A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara Vancil @taravancil taravancil.com bluelinklabs.com beakerbrowser.com What is the Web? 1-1 Ted Nelson coins hypertext A

851 views • 50 slides
Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a.

Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a.

Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a. DaSeLab) Wright State University, Dayton, OH E-mail: krisnadhi@gmail.com GitHub: krisnadhi 2016 ESIP Summer Mee1ng, Durham, NC This talk is about

454 views • 34 slides

More recommend