httpd-dev mailing list archives

From Paul Querna <c...@force-elite.com>
Subject Re: mod_lua and libapreq2
Date Mon, 23 Feb 2009 00:56:05 GMT
Bertrand Mansion wrote:
> On Sat, Feb 21, 2009 at 1:23 PM, Bertrand Mansion <bmansion@mamasam.net> wrote:
>> Hello,
>> I was wondering why support of libapreq2 was removed from mod_lua?
>>
>> The way mod_lua currently deals with cookies, querystring and POST
>> data is not very robust nor complete.
>> Actually it would be nice to have something like libapreq2 available
>> in Apache directly :) I wouldn't be interested in the perl bindings or
>> the module, but the library itself would be very useful for mod_lua I
>> think, unless you have better plans for this functionality?
> 
> The changes introduced in revision 723652 by pquerna broke the API
> (for the worse). It used to be possible to have two form fields with
> the same key, the values were returned in a table, now they are
> overwritten. Furthermore, the values are not escaped anymore.
> 
> I really don't understand why support for libapreq was removed. Even
> the author of these changes calls them a bad and inefficient hack. As
> mentioned by someone else, they also open a DoS security hole.
> 
> So again, if the author of these changes could let me know why he made
> them and what he had in mind, I would be thankful.

They are made because pulling in all of libapreq as a dependency to
httpd didn't make sense.

There has been talk of importing large chunks of libapreq into the core
httpd, and I think that makes sense, but no one has committed to
finishing this work, SO, that's why the horrible hacks I wrote went into
mod_lua.

-Paul
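
Added example (not part of the thread, and not mod_lua or libapreq2 code): a small C parser for application/x-www-form-urlencoded data that keeps every value of a repeated key instead of overwriting it, which is the behaviour the quoted message says was lost. MAX_PAIRS, the field cap and all function names are assumptions of this sketch; the thread does not say what the DoS issue was.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PAIRS 32 /* assumed cap on fields per request (not from the thread) */
struct pair { char *key, *val; };
/* Percent-decode s in place ('+' becomes space); -1 on a bad escape or %00. */
static int url_decode(char *s) {
    char *o = s;
    for (; *s; s++) {
        if (*s != '%') { *o++ = (*s == '+') ? ' ' : *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
        char hex[3] = { s[1], s[2], 0 };
        if ((*o++ = (char)strtol(hex, NULL, 16)) == 0) return -1; /* NUL would truncate */
        s += 2;
    }
    *o = 0;
    return 0;
}
/* Split body in place on '&' and '='. A repeated key gets one slot per
   occurrence. Returns the pair count, or -1 if malformed or over max. */
int form_parse(char *body, struct pair *out, int max) {
    int n = 0;
    for (char *tok = body, *next; tok && *tok; tok = next) {
        if ((next = strchr(tok, '&'))) *next++ = 0;
        if (!*tok) continue;          /* empty segment, e.g. "a=1&&b=2" */
        if (n == max) return -1;      /* refuse rather than grow without bound */
        char *eq = strchr(tok, '=');
        if (eq) *eq++ = 0;
        out[n] = (struct pair){ tok, eq ? eq : tok + strlen(tok) };
        if (url_decode(out[n].key) < 0 || url_decode(out[n].val) < 0) return -1;
        n++;
    }
    return n;
}
/* Collect every value sent for key, in order; vals must hold at least n entries. */
int form_get_all(const struct pair *p, int n, const char *key, const char **vals) {
    int found = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(p[i].key, key) == 0) vals[found++] = p[i].val;
    return found;
}

int main(void) {
    char body[] = "tag=a%26b&tag=c+d&name=x"; /* constructed sample input */
    struct pair p[MAX_PAIRS];
    const char *v[MAX_PAIRS];
    int k = form_get_all(p, form_parse(body, p, MAX_PAIRS), "tag", v);
    for (int i = 0; i < k; i++) printf("tag[%d] = %s\n", i, v[i]);
    return 0;
}
```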

