#!/usr/local/bin/perl # For documentation for this module, please see the end of this file # or try `perldoc Apache::ASP` package Apache::ASP; $VERSION = 1.95; use MLDBM; use SDBM_File; use Data::Dumper; use Fcntl qw(:flock O_RDWR O_CREAT); use MD5; use HTTP::Date; use Carp qw(confess cluck); use strict; no strict qw(refs); use vars qw($LOADED $COUNT $VERSION %includes $StatINCReady $StatINCInit %NetConfig %LoadedModules %LoadModuleErrors %Compiled $OLESupport %StatINC %Codes %Includes %CompiledIncludes $SessionCookieName $SessionIDLength $DefaultStateDB $DefaultStateSerializer $MD5 @Objects $Register %ScriptSubs %XSLT $ServerID ); #use integer; # don't use screws up important numeric logic $MD5 = new MD5(); @Objects = ('Application', 'Session', 'Response', 'Server', 'Request'); $SessionCookieName = 'session-id'; $SessionIDLength = 32; $DefaultStateDB = 'SDBM_File'; $DefaultStateSerializer = 'Data::Dumper'; # ServerID creates a unique identifier for the server $MD5->add($$.rand().time().(-M('..')||'').(-M('/')||'')); $ServerID = substr($MD5->hexdigest, 0, 16); # X: not thread safe for now since $r changes between handler and register_cleanup # hash of Apache $r request keys to Apache::ASP values # hopefully this will work in threaded context # we need to keep ASP state around for lookup with $r for # $r->register_cleanup #$Apache::ASP::Register = undef; #@Apache::ASP::Cleanup = (); # DEFAULT VALUES $Apache::ASP::SessionTimeout = 1200; $Apache::ASP::StateManager = 10; $Apache::ASP::StartTime = time(); %Apache::ASP::LoadModuleErrors = ( 'Filter' => "Apache::Filter was not loaded correctly for using SSI filtering. ". "If you don't want to use filtering, make sure you turn the Filter ". "config option off whereever it's being used", Clean => undef, CreateObject => 'OLE-active objects not supported for this platform, '. 'try installing Win32::OLE', Gzip => 'Compress::Zlib is needed to make gzip content-encoding work, '. 'If you want to use this feature, get yourself the latest '. 'Compress::Zlib from CPAN. ', HiRes => undef, MailAlert => undef, # OrderCollections => 'Ordered collections require the Tie::IxHash '. # 'to be installed, which provides ordered perl hashes', SendMail => "No mailing support", StateDB => 'cannot load StateDB '. 'must be a valid perl module with a db tied hash interface '. 'such as: SDBM_File (default), or DB_File', StateSerializer => 'cannot load StateSerializer '. 'must be a valid serializing perl module for use with MLDBM '. 'such as Data::Dumper (default), or Storable', StatINC => "You need this module for StatINC, please download it from CPAN", 'Cache' => "You need this module for xml output caching", UndefRoutine => '', XSLT => 'Cannot load XML::XSLT. Try installing the module.', ); sub handler { my($package, $r) = @_; my $status = 200; # allows it to be called as an object method ref $package and $r = $package; # rarely happens, but just in case unless($r && $r->can('filename')) { # this could happen with a bad filtering sequence warn(<dir_config('TimeHiRes')) { # request time tracking eval "use Time::HiRes"; unless($@) { $start_time = &Time::HiRes::time(); } } # better error checking ? my $filename = $r->filename(); return(404) if (! -e $filename or -d $filename); # alias $0 to filename, bind to glob for bug workaround local *0 = \$filename; # ASP object creation, a lot goes on in there! my $self = new($r); $start_time and $self->{start_time} = $start_time; $self->Debug("start time ".($start_time || '')); $self->{stat_inc} && &StatINC($self); # there could be runtime errors in StatINC if(! $self->{errs} &IsChanged($self)) { my $script = &Parse($self); ! $self->{errs} && &Compile($self, $script); } my $response = $self->{Response}; if(! $self->{errs}) { #X: compensate for bug on Win32 that has this always set # screws with Apache::DBI $Apache::ServerStarting and $Apache::ServerStarting = 0; my $global_asa = $self->{GlobalASA}; $global_asa->{'exists'} && $global_asa->ScriptOnStart(); unless($response->{Ended}) { # execute only if an event handler hasn't already ended # things... this allows fine grain control of a response # and executing scripts &Execute($self); APACHE_ASP_EXECUTE_END: } $global_asa->{'exists'} && $global_asa->ScriptOnEnd(); ! $self->{errs} && $response->EndSoft(); } # moved print of object to the end, so we'll pick up all the # runtime config directives set while the code is running $self->{dbg} && $self->Debug('ASP Done Processing', { 'asp' => $self }); # error processing if($self->{errs}) { if($self->{dbg} >= 2) { $self->PrettyError(); } else { if($self->{Response}{header_done}) { $self->{r}->print(""); } # debug of 2+ and mail_errors_to are mutually exclusive, # since debugging 2+ is for development, and you don't need to # be emailed the error, if its right in your browser $self->{mail_alert_to} = $r->dir_config('MailAlertTo') || 0; $self->{mail_errors_to} = $r->dir_config('MailErrorsTo') || 0; $self->{mail_errors_to} && $self->MailErrors(); $self->{mail_alert_to} && $self->MailAlert(); $status = 500; } } # XX return code of 302 hangs server on WinNT # STATUS hook back to Apache if($status != 500 and defined $response->{Status} and $response->{Status} != 302) { # if still default then set to what has been set by the # developer $status = $response->{Status}; } # X: we DESTROY in register_cleanup, but if we are filtering, and we # handle a virtual request to an asp app, we need to free up the # the locked resources now, or the session requests will collide # a performance hack would be to share an asp object created between # virtual requests, but don't worry about it for now since using SSI # is not really performance oriented anyway. # # If we are not filtering, we let RegisterCleanup get it, since # there will be a perceived performance increase on the client side # since the connection is terminated before the garabage collection is run. # # Also need to destroy if we return a 500, as we could be serving an # error doc next, before the cleanup phase if($self->{filter} || ($status == 500)) { $self->DESTROY(); } $status; } sub Warn { shift if(ref($_[0]) or $_[0] eq 'Apache::ASP'); print STDERR "[ASP WARN] ", @_; } sub Loader { shift if(ref $_[0] or $_[0] eq 'Apache::ASP'); local $SIG{__WARN__} = \&Warn; my($file, $match, %args) = @_; unless(-e $file) { warn("$file does not exist for loading"); return; } $match ||= '.*'; # compile all by default # recurse down directories and compile the scripts if(-d $file) { $file =~ s|/$||; opendir(DIR, $file) || die("can't open $file for reading: $!"); my @files = readdir(DIR); unless(@files) { Apache::ASP::Loader->log_error("[asp] $$ [WARN] can't read files in $file"); return; } my $top; if(! defined $LOADED) { $top = 1; } defined $LOADED or (local $LOADED = 0); defined $COUNT or (local $COUNT = 0); for(@files) { chomp; next if /^\.\.?$/; &Loader("$file/$_", $match, %args); } if($top) { Apache::ASP::Loader->log_error("[asp] $$ (re)compiled $LOADED scripts of $COUNT loaded"); } return; } # now the real work unless($file =~ /$match/) { if($args{Debug} < 0) { Apache::ASP::Loader->log_error("skipping compile of $file no match $match"); } return; } unless($file =~ /$match/) { if($args{Debug} < 0) { warn("skipping compile of $file no match $match"); } return; } my $r = Apache::ASP::Loader::new($file); $r->dir_config('NoState', 1); $r->dir_config('Debug', $args{Debug}); $r->dir_config('DynamicIncludes', $args{DynamicIncludes}); $r->dir_config('IncludesDir', $args{IncludesDir}); $r->dir_config('Global', $args{Global}); $r->dir_config('GlobalPackage', $args{GlobalPackage}); $r->dir_config('StatINC', $args{StatINC}); $r->dir_config('StatINCMatch', $args{StatINCMatch}); $r->dir_config('UseStrict', $args{UseStrict}); eval { $COUNT++; my $asp = Apache::ASP::new($r); my $compiled_includes = $Compiled{$asp->{subid}}->{compiled_includes}; for(keys %$compiled_includes) { $asp->CompileInclude($_); } if(! $asp->IsChanged()) { $asp->DESTROY; return; } my $script = $asp->Parse(); $asp->Compile($script); if($asp->{errs}) { warn("$asp->{errs} errors compiling $file while loading"); $asp->DESTROY; return 0; } else { $asp->DESTROY; $LOADED++; if($args{Execute}) { local *Apache::ASP::Response::Flush = sub {}; $asp->Execute; } } }; $@ && warn($@); return 1; } sub new { my $r = shift; local $SIG{__DIE__} = \&Carp::confess; # like cgi, operate in the scripts directory my $filename = $r->filename(); $filename =~ m|^(.*?[/\\]?)([^/\\]+)$|; my $dirname = $1 || '.'; my $basename = $2; chdir($dirname) || die("can't chdir to $dirname: $!"); # global is the default for the state dir and also # a default lib path for perl, as well as where global.asa # can be found my $global = $r->dir_config('Global') || '.'; $global = &AbsPath($global, $dirname); # asp object is handy for passing state around my $self = bless { # moved to state config # app_state => (defined $r->dir_config('AllowApplicationState') ? # $r->dir_config('AllowApplicationState') : 1), 'basename' => $basename, # buffer output on by default # moved to Response # buffering_on => (defined $r->dir_config('BufferingOn')) ? $r->dir_config('BufferingOn') : 1, # if this is set we are parsing ourself through cgi # moved to parsing # cgi_do_self => $r->dir_config('CgiDoSelf') || 0, # parse self # moved to response # cgi_headers => $r->dir_config('CgiHeaders') || 0, # clean => $r->dir_config('Clean') || 0, # moved to session init # this is the server path that the client responds to # cookie_path => $r->dir_config('CookiePath') || '/', # moved to error # set for when we are executing from command line # command_line => $r->dir_config('CommandLine'), # these are set by the Compile routine # compile_error => undef, compile_includes => $r->dir_config('DynamicIncludes'), 'dbg' => $r->dir_config('Debug') || 0, # debug level # not needed to store # 'dirname' => $dirname, # will be defined when an error is created # errors_output => [], # null logic fine for errs # errs => 0, # filehandle => undef, filename => $filename, # moved to filter init # filter => 0, # id => undef, # parsed version of filename # where all the state and config files lie global => $global, global_package => $r->dir_config('GlobalPackage'), ## moved to session config # refresh group by some increment smaller than session timeout # to withstand DoS, bruteforce guessing attacks # defaults to checking the group once every 2 minutes # group_refresh => int($session_timeout / $state_manager), # name spaces which will have ASP objects initialized into # init_packages => undef, # additional path searched for includes when compiling scripts # includes_dir => $r->dir_config('IncludesDir'), includes_dir => [ '.', $global, split(/;/, $r->dir_config('IncludesDir') || '') ], # move to error # mail_alert_to => $r->dir_config('MailAlertTo'), # mail_errors_to => $r->dir_config('MailErrorsTo'), # moved to mailalert # mail_alert_period => $r->dir_config('MailAlertPeriod') || 20, # moved to sendmail # mail_host => $r->dir_config('MailHost'), # assume we already chdir'd to where the file is # mtime => ((stat($basename))[9]), # better than -M no_cache => $r->dir_config('NoCache'), # move to state config # no_session => ((defined $r->dir_config('AllowSessionState')) ? (! $r->dir_config('AllowSessionState')) : 0), # set this if you don't want an Application or Session object # available to your scripts no_state => $r->dir_config('NoState'), # took out until someone might use it # order_collections => $r->dir_config('OrderCollections'), # 'package' => undef, # moved to session config # paranoid_session => $r->dir_config('ParanoidSession') || 0, # moved to parse_config # default 1, should we parse out pod style commenting ? # pod_comments => defined($r->dir_config('PodComments')) ? $r->dir_config('PodComments') : 1, r => $r, # apache request object # moved to session config # remote_ip => $r->connection()->remote_ip(), # script_timeout => $r->dir_config('ScriptTimeout') || 90, # moved session to session config # secure_session => $r->dir_config('SecureSession'), # session_count => $r->dir_config('SessionCount'), # session_id => undef, # set only when we know session id # session_timeout => undef, # session_serialize => $r->dir_config('SessionSerialize'), # session_url => $r->dir_config('SessionQuery'), # move to redirect # soft_redirect => $r->dir_config('SoftRedirect'), stat_scripts => defined $r->dir_config('StatScripts') ? $r->dir_config('StatScripts') : 1, stat_inc => $r->dir_config('StatINC'), stat_inc_match => $r->dir_config('StatINCMatch'), # moved state to state config # state_cache => $r->dir_config('StateCache'), # state_db => $r->dir_config('StateDB') || 'SDBM_File', # state_dir => $state_dir, # state_manager => $state_manager, # moved ua to session config # 'ua' => $ENV{HTTP_USER_AGENT} || "UNKNOWN UA", unique_packages => $r->dir_config('UniquePackages'), use_strict => $r->dir_config('UseStrict'), # moved to parse_config # xml_subs_match => $r->dir_config('XMLSubsMatch'), xslt => $r->dir_config('XSLT'), # special objects for ASP app # set only when necessary # Application => undef, # GlobalASA => undef, # Internal => undef, # Request => undef, # Response => undef, # Session => undef, # Server => undef, }; # Only if debug is negative do we kick out all the internal stuff if($self->{dbg}) { if($self->{dbg} < 0) { *Debug = *Out; $self->{dbg} = -1 * $self->{dbg}; } else { *Debug = *Null; } $self->Debug('RUN ASP (v'. $VERSION .") for $self->{filename}"); # capture use strict errors if debug is 2 # if($self->{dbg}) { # $self->{sig_warn} = $SIG{__WARN__}; # $SIG{__WARN__} = sub { $self->Out(@_) }; # } } else { *Debug = *Null; } $self->{stat_inc_match} and $self->{stat_inc} = 1; # Ken said no need for seed ;) # unless($Apache::ASP::RandSeed) { # my $seed = $$.time; # $self->Debug("seed srand with $seed"); # srand($seed); # $Apache::ASP::RandSeed = 1; # } if($self->{no_cache}) { # this way subsequent recompiles overwrite each other $self->{id} = 'NoCache'; } else { # was call to FileId, removed decomp for speed my $id = $self->{filename}.'x'.($self->{compile_includes} ? 'DYN' : 'INL'); $id =~ s/\W/_/g; $self->{id} = $id; } # filtering support my $filter_config = $r->dir_config('Filter') || $Apache::ASP::Filter; if($filter_config && ($filter_config !~ /off/io)) { if($self->LoadModules('Filter', 'Apache::Filter') && $r->can('filter_input') && $r->can('get_handlers')) { $self->{filter} = 1; #X: do something with the return code, can't now because # apache constants aren't working on my win32 my($fh, $rc) = $r->filter_input(); $self->{filehandle} = $fh; } else { if(! $r->can('get_handlers')) { $self->Error("You need at least mod_perl 1.16 to use SSI filtering"); } else { $self->Error("Apache::Filter was not loaded correctly for using SSI filtering. ". "If you don't want to use filtering, make sure you turn the Filter ". "config option off whereever it's being used"); } } } # gzip content encoding option by ime@iae.nl 28/4/2000 my $compressgzip_config = $r->dir_config('CompressGzip') || $Apache::ASP::CompressGzip; if($compressgzip_config && $compressgzip_config !~ /off/io) { if($self->LoadModule('Gzip','Compress::Zlib')) { $self->{compressgzip} = 1; } } # must have global directory into which we put the global.asa # and possibly state files, optimize out the case of . or .. if($self->{global} !~ /^(\.|\.\.)$/) { -d $self->{global} or $self->Error("global path, $self->{global}, is not a directory"); } # register cleanup before the state files get set in InitObjects # this way DESTROY gets called every time this script is done # we must cache $self for lookups later $Register = $self; $r->register_cleanup(\&Apache::ASP::RegisterCleanup); #### WAS INIT OBJECTS, REMOVED DECOMP FOR SPEED # GLOBALASA, RESPONSE, REQUEST, SERVER # always create these # global_asa assigns itself to parent object automatically my $global_asa = &Apache::ASP::GlobalASA::new($self); $self->{subid} = $global_asa->{'package'}.'::'.$self->{id}; $self->{Response} = &Apache::ASP::Response::new($self); $self->{Request} = &Apache::ASP::Request::new($self); # Server::new() is just one line, so execute directly $self->{Server} = bless {asp => $self}, 'Apache::ASP::Server'; #&Apache::ASP::Server::new($self); # After GlobalASA Init, init the package that this script will execute in # must be here, and not end of new before things like Application_OnStart # get run if($self->{unique_packages}) { $self->{id} .= "::handler" unless($self->{no_cache}); my $package = $global_asa->{'package'}.'::'.$self->{id}; $package =~ s/::[^:]+$//; $self->{'package'} = $package; $self->{init_packages} = ['main', $global_asa->{'package'}, $self->{'package'}]; } else { $self->{'package'} = $global_asa->{'package'}; $self->{init_packages} = ['main', $global_asa->{'package'}]; } # WHY? cut out now before we get to the big objects # return if $self->{errs}; # if no state has been config'd, then set up none of the # state objects: Application, Internal, Session return($self) if $self->{no_state}; # my $r = $self->{'r'}; ## STATE INITS # what percent of the session_timeout's time do we garbage collect # state files and run programs like Session_OnEnd and Application_OnEnd $self->{state_manager} = $r->dir_config('StateManager') || $Apache::ASP::StateManager; # state is the path where state files are stored, like $Session, # $Application, etc. $self->{state_cache} = $r->dir_config('StateCache'); $self->{state_dir} = $r->dir_config('StateDir') || $self->{global}.'/.state'; $self->{state_dir} =~ /^(.*)$/; # untaint $self->{state_dir} = $1; # untaint $self->{no_session} = (defined $r->dir_config('AllowSessionState')) ? (! $r->dir_config('AllowSessionState')) : 0; if($self->{state_db} = $r->dir_config('StateDB')) { # StateDB - Check StateDB module support $Apache::ASP::State::DB{$self->{state_db}} || $self->Error("$self->{state_db} is not supported for StateDB, try: " . join(", ", keys %Apache::ASP::State::DB)); $self->{state_db} =~ /^(.*)$/; # untaint $self->{state_db} = $1; # untaint # load the state database module && serializer $self->LoadModule('StateDB', $self->{state_db}); } if($self->{state_serializer} = $r->dir_config('StateSerializer')) { $self->{state_serializer} =~ /^(.*)$/; # untaint $self->{state_serializer} = $1; # untaint $self->LoadModule('StateSerializer', $self->{state_serializer}); } # INTERNAL tie to the application internal info my %Internal; tie(%Internal, 'Apache::ASP::State', $self, 'internal', 'server', O_RDWR|O_CREAT) || $self->Error("can't tie to internal state"); my $internal = $self->{Internal} = bless \%Internal, 'Apache::ASP::State'; # APPLICATION create application object $self->{app_state} = (defined $r->dir_config('AllowApplicationState') ? $r->dir_config('AllowApplicationState') : 1); if($self->{app_state}) { ($self->{Application} = &Apache::ASP::Application::new($self)) || $self->Error("can't get application state"); if($self->{dbg}) { $self->{Application}->Lock(); $self->Debug('created $Application', $self->{Application}); $self->{Application}->UnLock(); } } else { $self->{dbg} && $self->Debug("no application allowed config"); } # SESSION if we are tracking state, set up the appropriate objects if(! $self->{no_session}) { ## SESSION INITS $self->{cookie_path} = $r->dir_config('CookiePath') || '/'; $self->{paranoid_session} = $r->dir_config('ParanoidSession') || 0; $self->{remote_ip} = $r->connection()->remote_ip(); $self->{session_count} = $r->dir_config('SessionCount'); # cookieless session support, cascading values $self->{session_url_parse_match} = $r->dir_config('SessionQueryParseMatch'); $self->{session_url_parse} = $self->{session_url_parse_match} || $r->dir_config('SessionQueryParse'); $self->{session_url_match} = $self->{session_url_parse_match} || $r->dir_config('SessionQueryMatch'); $self->{session_url} = $self->{session_url_parse} || $self->{session_url_match} || $r->dir_config('SessionQuery'); $self->{session_serialize} = $r->dir_config('SessionSerialize'); $self->{secure_session} = $r->dir_config('SecureSession'); # session timeout in seconds since that is what we work with internally $self->{session_timeout} = $r->dir_config('SessionTimeout') ? $r->dir_config('SessionTimeout') * 60 : $Apache::ASP::SessionTimeout; $self->{'ua'} = $ENV{HTTP_USER_AGENT} || 'UNKNOWN UA'; # refresh group by some increment smaller than session timeout # to withstand DoS, bruteforce guessing attacks # defaults to checking the group once every 2 minutes $self->{group_refresh} = int($self->{session_timeout} / $self->{state_manager}); # Session state is dependent on internal state my $session = $self->{Session} = &Apache::ASP::Session::new($self) || $self->Die("can't create session"); my $last_session_timeout; if($session->Started()) { # we only want one process purging at a time if($self->{app_state}) { $internal->LOCK(); if(($last_session_timeout = $internal->{LastSessionTimeout} || 0) < time()) { $internal->{'LastSessionTimeout'} = $self->{session_timeout} + time; $internal->UNLOCK(); if($self->CleanupGroups('PURGE')) { $last_session_timeout && $global_asa->ApplicationOnEnd(); $global_asa->ApplicationOnStart(); } } $internal->UNLOCK(); } $global_asa->SessionOnStart(); } if($self->{app_state}) { # The last session timeout should only be updated every group_refresh period # another optimization, rand() so not all at once either $internal->LOCK(); $last_session_timeout ||= $internal->{'LastSessionTimeout'}; if($last_session_timeout < $self->{session_timeout} + time + (rand() * $self->{group_refresh} / 2)) { $self->{dbg} && $self->Debug("updating LastSessionTimeout from $last_session_timeout"); $internal->{'LastSessionTimeout'} = $self->{session_timeout} + time() + $self->{group_refresh}; } $internal->UNLOCK(); } } else { $self->{dbg} && $self->Debug("no sessions allowed config"); } $self; } # registered in new() so that is called every end of connection sub RegisterCleanup { $Register && DESTROY($Register); } # called upon every end of connection by RegisterCleanup sub DESTROY { my $self = shift; return unless (defined($Register) and $self eq $Register); $Register = undef; $self->{dbg} && $self->Debug("destroying", $self); # do before undef'ing the object references in main if(@Apache::ASP::Cleanup) { for(@Apache::ASP::Cleanup) { $self->Debug("executing cleanup $_"); eval { &$_ }; $@ && $self->Error("executing cleanup $_ error: $@"); } @Apache::ASP::Cleanup = (); } local $^W = 0; # suppress untie while x inner references warnings select(STDOUT); untie *STDIN if tied *STDIN; # if($self->{dbg}) { # $SIG{__WARN__} = $self->{sig_warn} || \&warn; # } # undef objects in main set up in execute, do after cleanup, # so cleanup routine can still access objects # for $object (@Apache::ASP::Objects) { # for $package (@{$self->{init_packages}}) { # my $init_var = $package.'::'.$object; # undef $$init_var; # } # } # we try to clean up our own group each time, since this way the # cleanup load should be spread out amongst processes. If the # server is really busy, CleanupGroups() won't get to do anything, # but if the server is slow, CleanupGroups is essential so that # some Sessions actually get ended, and Session_OnEnd gets called if($self->{Session}) { $self->CleanupGroups(); # $self->CleanupGroup(); } # free file handles here. mod_perl tends to be pretty clingy # to memory for('Application', 'Internal', 'Session') { # all this stuff in here is very necessary for total cleanup # the DESTROY is the most important, as we need to explicitly free # state objects, just in case anyone else is keeping references to them # But the destroy won't work without first untieing, go figure next unless defined $self->{$_}; my $tied = tied %{$self->{$_}}; next unless $tied; untie %{$self->{$_}}; $tied->DESTROY(); # call explicit DESTROY } # $self->{'dbg'} && $self->Debug("END ASP DESTROY"); $self->{Request} && $self->{Request}->DESTROY(); %$self = (); 1; } sub RefreshSessionId { my($self, $id, $reset) = @_; $id || $self->Error("no id for refreshing"); my $internal = $self->{Internal}; my $idata = $internal->{$id}; my $refresh_timeout = $reset ? $self->{session_timeout} : $idata->{refresh_timeout} || $self->{session_timeout}; $idata->{'timeout'} = time() + $refresh_timeout; $internal->{$id} = $idata; $self->{dbg} && $self->Debug("refreshing $id with timeout $idata->{timeout}"); 1; } sub FileId { my $file = $_[1]; $file =~ s/\W/_/gso; $file; } sub IsChanged { my $self = shift; ## WHY ??? With proper reloading, the script and lib should ## be independent. And this is not consistent, all other scripts ## should also be reloaded after StatINC if one does. # do the StatINC if we are config'd for it # we return true if stat inc tells us that some # libraries had been changed, since a script is # new if the library is new under it. # if($self->{stat_inc}) { # return(1) if $self->StatINC(); # } # support for includes, changes to included files # cause script to recompile if($self->{stat_scripts} and my $includes = $Apache::ASP::Includes{$self->{id}}) { for my $k (keys %$includes) { my $v = $includes->{$k}; if((stat($k))[9] > $v) { return 1; } } } # always recompile if we are not supposed to cache if($self->{no_cache}) { return 1; } my $last_update = $Apache::ASP::Compiled{$self->{subid}}->{mtime} || 0; if(! $self->{stat_scripts} && $last_update) { $self->{dbg} && $self->Debug("no stat: script already compiled"); return 0; } if($self->{filter}) { $self->{r}->changed_since($last_update); } else { $self->{mtime} = (stat($self->{basename}))[9]; # we only get here if we have a chance of caching and all # our dependent components have not changed ($self->{mtime} > $last_update) ? 1 : 0; } } # defaults to parsing the script's file, or data from a file handle # in the case of filtering, but we can also pass in text to parse, # which is useful for doing includes separately for compiling sub Parse { my($self, $file) = @_; my $data; my $id = $self->{'id'}; # get script data, from varied data sources my $filehandle; if($file) { # file can be a filename, scalar ref, or scalar if(length($file) < 1024 and -e $file) { # filename has length < 1024, should be fine across OS's $self->{dbg} && $self->Debug("parsing $file"); $data = $self->ReadFile($file); } elsif(ref $file and $file =~ /SCALAR/) { $data = $$file; } else { $data = $file; } } else { if($filehandle = $self->{filehandle}) { local $/ = undef; $data = <$filehandle>; } else { $self->{dbg} && $self->Debug("parsing $self->{'basename'}"); $file = $self->{'basename'}; $data = $self->ReadFile($self->{'basename'}); # reset compiled includes for scripts $Compiled{$self->{subid}}->{compiled_includes} = {}; } } my $script_compiled_includes = $Compiled{$self->{subid}}->{compiled_includes}; if($self->{r}->dir_config('CgiDoSelf')) { $data =~ s/^(.*?)__END__//gso; } # moved parsing config here since not needed for normal # eval execution of scripts after compilation unless($self->{parse_config}) { my $r = $self->{r}; $self->{parse_config} = 1; $self->{pod_comments} = defined($r->dir_config('PodComments')) ? $r->dir_config('PodComments') : 1; $self->{xml_subs_match} = $r->dir_config('XMLSubsMatch'); } # do both before and after, so =pods can span includes with =pods if($self->{pod_comments}) { &PodComments($self, \$data); } # if compiling includes, then do now before includes conversion # each include will also have its Script_OnParse run on it. if($self->{compile_includes} && $self->{GlobalASA}{'exists'}) { $self->{Server}{ScriptRef} = \$data; $self->{GlobalASA}->Execute('Script_OnParse'); } # do includes as early as possible !! so included text gets done too # this section is for file includes, we do this here instead of ssi # so it can be parsed and compiled with the script local %includes; # trap recursive includes with this my $munge = $data; $data = ''; while($munge =~ s/^(.*?)\"; } } } # HEADERS AFTER CLEAN, so content-length would be calculated correctly # if this is the first writing from the page, flush a newline, to # get the headers out properly if(! $self->{header_done}) { # if no headers and the script has ended, we know that the # the script has not been flushed yet, which would at least # occur with buffering on if($self->{Ended}) { # gzip the buffer if CompressGzip && browser accepts it && # the script is flushed once if($self->{CompressGzip} && $asp->LoadModule('Gzip','Compress::Zlib')) { $self->{r}->header_out('Content-Encoding','gzip'); $$out = Compress::Zlib::memGzip($out); } $self->{r}->header_out('Content-Length', length($$out)); } $self->{header_done} = 1; &SendHeaders($self); } return unless $$out; if($asp->{filter}) { print STDOUT $$out; } else { # unless($self->{r}->connection->aborted) { # OK to print random ouput for 200's & 300's if(! defined $self->{Status} or ($self->{Status} >= 200 and $self->{Status} < 400)) { $self->{r}->print($$out); } # } } # supposedly this is more efficient than undeffing, since # the string does not let go of its allocated memory buffer $$out = ''; 1; } sub FlushXSLT { my $self = shift; my $asp = $self->{asp}; my $out = $self->{BinaryRef}; $asp->{xslt_cache_size} = $asp->{r}->dir_config('XSLTCacheSize'); $asp->{xslt_match} = $asp->{r}->dir_config('XSLTMatch') || '^.'; return unless ($asp->{filename} =~ /$asp->{xslt_match}/); # loading XSLT $asp->{dbg} && $asp->Debug("xslt processing with $asp->{xslt}"); eval { require XML::XSLT; }; if($@) { $asp->Error("failed to load XML::XSLT: $@"); return; } ## XSLT FETCH & CACHE my $xslt_dataref = $self->TrapInclude($asp->{xslt}); $asp->Debug(length($$xslt_dataref), $xslt_dataref); return if($asp->{errs}); my $xsl_dom = $asp->ParseXML($xslt_dataref); if($asp->{errs}) { $asp->Error("XSLT processing error for $asp->{xslt}: $@"); return; } ## XSLT XML RENDER eval { my $xml_dom = $asp->ParseXML($out) || return; if($asp->{xslt_cache_size}) { # caching output unless(tied %Apache::ASP::XSLTCacheOutput) { $asp->LoadModule('Cache', 'Tie::Cache'); tie %Apache::ASP::XSLTCacheOutput, 'Tie::Cache', $asp->{xslt_cache_size}; } my $cache_output = tied %Apache::ASP::XSLTCacheOutput; $cache_output->{max_count} = $asp->{xslt_cache_size}; my $cache_output_key = $xsl_dom.'_'.$xml_dom; my $output_ref = $Apache::ASP::XSLTCacheOutput{$cache_output_key}; unless($output_ref) { my $xslt = XML::XSLT->new($xsl_dom, 'DOM'); $xslt->transform_document($xml_dom, 'DOM'); my $result = $xslt->result_tree; my $output = $result->toString; $result->dispose; $Apache::ASP::XSLTCacheOutput{$cache_output_key} = $output_ref = \$output; } $$out = $$output_ref; } else { my $xslt = XML::XSLT->new($xsl_dom, 'DOM'); $xslt->transform_document($xml_dom, 'DOM'); my $result = $xslt->result_tree; $$out = $result->toString; $result->dispose; $xml_dom->dispose; $xsl_dom->dispose; } }; if($@) { $@ =~ s/^\s*//s; $asp->Error("XSLT/XML processing error: $@"); return; } 1; } # use the apache internal redirect? Thought that would be counter # to portability, but is still something to consider sub Redirect { my($self, $location) = @_; my $asp = $self->{asp}; &Clear($self); $asp->{dbg} && $asp->Debug('redirect called', {location=>$location}); if($asp->{Session} and $asp->{session_url_parse}) { $location = &SessionQueryParseURL($self, $location); $asp->Debug("new location after session query parsing $location"); } $self->{r}->header_out('Location', $location); $self->{Status} = 302; $self->{r}->status(302); &Flush($self); # if we have soft redirects, keep processing page after redirect unless($self->{r}->dir_config('SoftRedirect')) { &End($self); } else { $asp->Debug("redirect is soft"); } 1; } sub SendHeaders { my $self = shift; my $r = $self->{r}; my $asp = $self->{asp}; my $dbg = $asp->{dbg}; my $status = $self->{Status}; $dbg && $asp->Debug('building headers'); $r->status($status) if defined($status); # for command line script return if $r->dir_config('NoHeaders'); if(defined $status and $status == 401) { $dbg && $asp->Debug("status 401, note basic auth failure realm ".$r->auth_name); # we can't send out headers, and let Apache use the 401 error doc # But this is fine, once authorization is OK, then the headers # will go out correctly, so things like sessions will work fine. $r->note_basic_auth_failure; return; } else { $dbg && defined $status && $self->{asp}->Debug("status $status"); } if(defined $self->{Charset}) { $r->content_type($self->{ContentType}.'; charset='.$self->{Charset}); } else { $r->content_type($self->{ContentType}); # add content-type } if(%{$self->{'Cookies'}}) { &AddCookieHeaders($self); # do cookies } # do the expiration time if(defined $self->{Expires}) { my $ttl = $self->{Expires}; $r->header_out('Expires', &HTTP::Date::time2str(time()+$ttl)); $self->{asp}->Debug("expires in $self->{Expires}"); } elsif(defined $self->{ExpiresAbsolute}) { my $date = $self->{ExpiresAbsolute}; my $time = &HTTP::Date::str2time($date); if(defined $time) { $r->header_out('Expires', &HTTP::Date::time2str($time)); } else { confess("Response->ExpiresAbsolute(): date format $date not accepted"); } } # do the Cache-Control header $r->header_out('Cache-Control', $self->{CacheControl}); # do PICS header defined($self->{PICS}) && $r->header_out('PICS-Label', $self->{PICS}); # don't send headers with filtering, since filter will do this for # all the modules once # doug sanctioned this one unless($r->header_out("Content-type")) { # if filtering, we don't send out a header from ASP # this means that Filtered scripts can use CGI headers # we order the test this way in case Ken comes on # board with setting header_out, in which case the test # will fail early if(! $asp->{filter} && (! defined $status or $status >= 200 && $status < 400)) { $dbg && $asp->Debug("sending cgi headers"); if(defined $self->{header_buffer}) { # we have taken in cgi headers $r->send_cgi_header($self->{header_buffer} . "\n"); $self->{header_buffer} = undef; } else { $r->send_http_header(); } } } 1; } # do cookies, try our best to emulate cookie collections sub AddCookieHeaders { my $self = shift; my $cookies = $self->{'Cookies'}; my($cookie_name, $cookie); for $cookie_name (keys %{$cookies}) { # skip key used for session id if($Apache::ASP::SessionCookieName eq $cookie_name) { confess("You can't use $cookie_name for a cookie name ". "since it is reserved for session management" ); } my($k, $v, @data, $header, %dict, $is_ref, $cookie, $old_k); $cookie = $cookies->{$cookie_name}; unless(ref $cookie) { $cookie->{Value} = $cookie; } $cookie->{Path} ||= $self->{asp}{cookie_path}; for $k (sort keys %$cookie) { $v = $cookie->{$k}; $old_k = $k; $k = lc $k; if($k eq 'secure' and $v) { $data[4] = 'secure'; } elsif($k eq 'domain') { $data[3] = "$k=$v"; } elsif($k eq 'value') { # we set the value later, nothing for now } elsif($k eq 'expires') { my $time; # only the date form of expires is portable, the # time vals are nice features of this implementation if($v =~ /^\d+$/) { # if expires is a perl time val if($v > time()) { # if greater than time now, it is absolute $time = $v; } else { # small, relative time, add to time now $time = $v + time(); } } else { # it is a string format, PORTABLE use $time = &HTTP::Date::str2time($v); } my $date = &HTTP::Date::time2str($time); $self->{asp}->Debug("setting cookie expires", {from => $v, to=> $date} ); $v = $date; $data[1] = "$k=$v"; } elsif($k eq 'path') { $data[2] = "$k=$v"; } else { if(defined($cookie->{Value}) && ! (ref $cookie->{Value})) { # if the cookie value is just a string, its not a dict } else { # cookie value is a dict, add to it $cookie->{Value}{$old_k} = $v; } } } my $server = $self->{asp}{Server}; # for the URLEncode routine if(defined($cookie->{Value}) && (! ref $cookie->{Value})) { $cookie->{Value} = $server->URLEncode($cookie->{Value}); } else { my @dict; while(($k, $v) = each %{$cookie->{Value}}) { push(@dict, $server->URLEncode($k) . '=' . $server->URLEncode($v)); } $cookie->{Value} = join('&', @dict); } $data[0] = $server->URLEncode($cookie_name) . "=$cookie->{Value}"; # have to clean the data now of undefined values, but # keeping the position is important to stick to the Cookie-Spec my @cookie; for(0..4) { next unless $data[$_]; push(@cookie, $data[$_]); } my $cookie_header = join('; ', @cookie); $self->{r}->cgi_header_out("Set-Cookie", $cookie_header); $self->{asp}->Debug({cookie_header=>$cookie_header}); } } # with the WriteRef vs. Write abstration, direct calls # to write might slow a little, but more common static # html calls to WriteRef will be saved the HTML copy sub Write { my $self = shift; my $dataref; if(@_ > 1) { $, ||= ''; # non-standard use, so init here my $data = join($,, @_); $dataref = \$data; } else { # $_[0] ||= ''; $dataref = defined($_[0]) ? \$_[0] : \''; } &WriteRef($self, $dataref); } *WR = *WriteRef; sub WriteRef { my($self, $dataref) = @_; # allows us to end a response, but still execute code in event # handlers which might have output like Script_OnStart / Script_OnEnd return if $self->{Ended}; my $content_out = $self->{out}; # work on the headers while the header hasn't been done # and while we don't have anything in the buffer yet # # also added a test for the content type being text/html or # if($self->{CH} && ! $self->{header_done} && ! $$content_out && ($self->{ContentType} eq 'text/html')) { # -1 to catch the null at the end maybe my @headers = split(/\n/, $$dataref, -1); # first do status line my $status = $headers[0]; if($status =~ m|HTTP/\d\.\d\s*(\d*)|o) { $self->{Status} = $1; shift @headers; } while(@headers) { my $out = shift @headers; next unless $out; # skip the blank that comes after the last newline if($out =~ /^[^\s]+\: /) { # we are a header unless(defined $self->{header_buffer}) { $self->{header_buffer} .= ''; } $self->{header_buffer} .= "$out\n"; } else { unshift(@headers, $out); last; } } # if we found some headers, pop the first entry off # what to send @_ and continue if($self->{header_buffer}) { if(defined $headers[0]) { $$dataref = join("\n", @headers); } else { shift @_; } } } # add dataref to buffer $$content_out .= $$dataref; # do we flush now? not if we are buffering if(! $self->{Buffer}) { # we test for whether anything is in the buffer since # this way we can keep reading headers before flushing # them out &Flush($self); } 1; } *write = *Write; # alias printing to the response object sub TIEHANDLE { $_[1]; } *PRINT = *Write; sub PRINTF { my($self, $format, @list) = @_; my $output = sprintf($format, @list); $self->Write($output); } sub Null {}; sub TrapInclude { my($self, $file) = @_; my $out = ""; local $self->{out} = local $self->{BinaryRef} = \$out; local $self->{Ended} = 0; local *Apache::ASP::Response::Flush = *Null; $self->Include($file); \$out; } sub Include { my $self = shift; my $file = shift; my $asp = $self->{asp}; my $_CODE = $asp->CompileInclude($file); unless(defined $_CODE) { $asp->Error("error including $file, not compiled"); return; } my $eval = $_CODE->{code}; $asp->{dbg} && $asp->Debug("executing $eval"); my $rc = eval { &$eval(@_) }; if($@) { my $code = $_CODE; die "error executing code for include $code->{file}: $@; compiled to $code->{perl}"; } $rc; } sub ErrorDocument { my($self, $error_code, $uri) = @_; $self->{'r'}->custom_response($error_code, $uri); } sub SessionQueryParse { my $self = shift; # OPTIMIZE MATCH: a is first in the sort, so this is fairly well optimized, # putting img up at the front doesn't seem to make a different in the speed my $tags_grep = join('|', sort keys %LinkTags); my $new_content = ''; # we are going to rebuild this content my $content_ref = $self->{out}; my $asp = $self->{asp}; $asp->Debug("parsing session id into url query strings"); # update quoted links in script location.href settings too # if not quoted, then maybe script expressions $$content_ref =~ s/(\[^\<]*location\.href\s*\=[\"\'])([^\"\']+?)([\"\']) /$1.&SessionQueryParseURL($self, $2).$3 /isgex; while(1) { # my emacs perl mode doesn't like ${$doc->{content}} last unless ($$content_ref =~ s/ ^(.*?) # html head \< # start \s*($tags_grep)\s+ # tag itself ([^>]+) # descriptors \> # end //isxo ); my($head, $tag, $temp_attribs) = ($1, lc($2), $3); my $element = "<$2 $temp_attribs>"; my %attribs; while($temp_attribs =~ s/^\s*([^\s=]+)\s*\=?//so) { my $key = lc $1; my $value; if($temp_attribs =~ s/^\s*\"([^\"]*)\"\s*//so) { $value = $1; } elsif ($temp_attribs =~ s/^\s*\'([^\']*)\'\s*//so) { # apparently browsers support single quoting values $value = $1; } elsif($temp_attribs =~ s/^\s*([^\s]*)\s*//so) { # sometimes there are mal-formed URL's $value = $1; $value =~ s/\"//sgo; } $attribs{$key} = $value; } # GET URL from tag attribs finally my $rel_url = $attribs{$LinkTags{$tag}}; # $asp->Debug($rel_url, $element, \%attribs); if(defined $rel_url) { my $new_url = &SessionQueryParseURL($self, $rel_url); # escape all special characters so they are not interpreted if($new_url ne $rel_url) { $rel_url =~ s/([\W])/\\$1/sg; $element =~ s|($LinkTags{$tag}\s*\=\s*[\"\']?)$rel_url|$1$new_url|isg; # $asp->Debug("parsed new element $element"); } } $new_content .= $head . $element; } # $asp->Debug($$content_ref); $new_content .= $$content_ref; $$content_ref = $new_content; 1; } sub SessionQueryParseURL { my($self, $rel_url) = @_; my $asp = $self->{asp}; my $match = $asp->{session_url_parse_match}; if( # if we have match expression, try it ($match && $rel_url =~ /$match/) # then if server path, check matches cookie space || ($rel_url =~ m|^/| and $rel_url =~ m|^$asp->{cookie_path}|) # then do all local paths, matching NOT some URI PROTO || ($rel_url !~ m|^[^\?\/]+?:|) ) { my($query, $new_url); if($rel_url =~ /^([^\?]+)\?(.*)$/) { $new_url = $1; $query = $2; } else { $new_url = $rel_url; $query = ''; } my $new_query = join('&', (map { /^$Apache::ASP::SessionCookieName\=/ ? '' : $_ } split(/&/, $query) ), $Apache::ASP::SessionCookieName.'='.$asp->{session_id} ); $new_url .= '?'.$new_query; $asp->{dbg} && $asp->Debug("parsed session into $new_url"); $new_url; } else { $rel_url; } } 1; # Server Object package Apache::ASP::Server; sub new { bless {asp => $_[0]}; } sub CreateObject { my($self, $name) = @_; my $asp = $self->{asp}; # dynamically load OLE at request time, especially since # at server startup, this seems to fail with "start_mutex" error unless(defined $Apache::ASP::OLESupport) { eval 'use Win32::OLE'; if($@) { $Apache::ASP::OLESupport = 0; } else { $Apache::ASP::OLESupport = 1; } } unless($Apache::ASP::OLESupport) { die "OLE-active objects not supported for this platform, ". "try installing Win32::OLE"; } unless($name) { die "no object to create"; } Win32::OLE->new($name); } sub Execute { my($self, $file) = (shift, shift); $self->{asp}{Response}->Include($file, @_); } sub Transfer { my($self, $file) = @_; my $asp = $self->{'asp'}; my $_CODE = eval { $asp->CompileInclude($file) }; if(! $_CODE || $@) { die("error compiling transfer $file: $@"); } else { local *0 = \$_CODE->{file}; my $eval = $_CODE->{code}; $asp->{dbg} && $asp->Debug("executing $eval"); my $rc = eval { &$eval(@_) }; if($@) { my $code = $_CODE; die("error executing code for transfer $code->{file}: $@"); } } goto APACHE_ASP_EXECUTE_END; } # shamelessly ripped off from CGI.pm, by Lincoln D. Stein. sub URLEncode { my $toencode = $_[1]; $toencode =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/esg; $toencode; } # shamelessly ripped off from CGI.pm, by Lincoln D. Stein. sub HTMLEncode { my $toencode = $_[1]; $toencode=~s/&/&/sg; $toencode=~s/\"/"/sg; $toencode=~s/>/>/sg; $toencode=~s/{asp}->Error("$code need to be a perl sub reference, see README"); push(@Apache::ASP::Cleanup, $code); } sub MapPath { my($self, $path) = @_; my $subr = $self->{asp}{r}->lookup_uri($path); $subr ? $subr->filename : undef; } *SendMail = *Mail; sub Mail { shift->{asp}->SendMail(@_); } sub URL { my($self, $url, $params) = @_; my $asp = $self->{asp}; if($asp->{session_url} && $asp->{session_id} && ! $asp->{session_cookie}) { my $match = $asp->{session_url_match}; if( # if we have match expression, try it ($match && $url =~ /$match/) # then if server path, check matches cookie space || ($url =~ m|^/| and $url =~ m|^$asp->{cookie_path}|) # then do all local paths, matching NOT some URI PROTO || ($url !~ m|^[^\?\/]+?:|) ) { # this should overwrite an incorrectly passed in data $params->{$Apache::ASP::SessionCookieName} = $asp->{session_id}; } } my($k,$v, @query); while(($k, $v) = each %$params) { # inline the URLEncode function for speed $k =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/egs; $v =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/egs; push(@query, $k.'='.$v); } if(@query) { $url .= '?'.join('&', @query); } $url; } sub Config { my($self, $key, $value) = @_; if(defined $value) { $self->{asp}{r}->dir_config($key, $value); } else { $self->{asp}{r}->dir_config($key); } } 1; # Application Object package Apache::ASP::Application; use strict; no strict qw(refs); use vars qw(@ISA); @ISA = qw(Apache::ASP::Collection Apache::ASP::State); use Fcntl qw(:flock O_RDWR O_CREAT ); sub new { my($asp) = @_; my(%self); unless( tie( %self,'Apache::ASP::State', $asp, 'application', 'server', O_RDWR|O_CREAT) ) { $asp->Error("can't tie to application state"); return; } bless \%self; } sub Lock { shift->LOCK }; sub UnLock { shift->UNLOCK }; sub SessionCount { my $asp = tied(%{$_[0]})->{asp}; if($asp->{session_count}) { $asp->{Internal}{SessionCount}; } else { undef; } } sub GetSession { my($self, $id) = @_; my $asp = tied(%$self)->{'asp'}; unless(defined $id and $id) { $asp->Warn("session id not defined"); return; } unless(length($id) == 32) { $asp->Warn("session id must be of length 32"); return; } if($asp->{Session} and $asp->{Session}->SessionID() eq $id) { return $asp->{Session}; } else { my $new_session = Apache::ASP::Session::new($asp, $id, O_RDWR, 'NOERR'); if($new_session) { $asp->{r}->register_cleanup(sub { $new_session->DESTROY }); } $new_session; } } 1; # Session Object package Apache::ASP::Session; use strict; no strict qw(refs); use vars qw(@ISA); @ISA = qw(Apache::ASP::Collection); # allow to pass in id so we can cleanup other sessions with # the session manager sub new { my($asp, $id, $perms, $no_error) = @_; my($state, %self, $started); # if we are passing in the id, then we are doing a # quick session lookup and can bypass the normal checks # this is useful for the session manager and such if($id) { $state = Apache::ASP::State::new($asp, $id, undef, $perms, $no_error); # $state->Set() || $asp->Error("session state get failed"); if($state) { tie %self, 'Apache::ASP::Session', { state=>$state, asp=>$asp, id=>$id, }; return bless \%self; } else { return; } } # lock down so no conflict with garbage collection my $internal = $asp->{Internal}; $internal->LOCK(); if($id = $asp->SessionId()) { my $idata = $internal->{$id}; # $asp->Debug("internal data for session $id", $idata); if($idata) { # user is authentic, since the id is in our internal hash if($idata->{timeout} > time()) { # refresh and unlock as early as possible to not conflict # with garbage collection $asp->RefreshSessionId($id); $state = Apache::ASP::State::new($asp, $id); $internal->UNLOCK(); # session not expired $asp->{dbg} && $asp->Debug("session not expired",{'time'=>time(), timeout=>$idata->{timeout}}); # Assume it was created before, no errors, and don't get now, since it will be # created later with the State WriteLock() # unless($state->Get('NO_ERROR')) { # $asp->Log("session not timed out, but we can't tie to old session! ". # "report this as an error with the relevant log information for this ". # "session. We repair the session by default so the user won't notice." # ); # unless($state->Set()) { # $asp->Error("failed to re-initialize session"); # } # } if($asp->{paranoid_session}) { local $^W = 0; # by testing for whether UA was set to begin with, we # allow a smooth upgrade to ParanoidSessions $state->UserLock() if $asp->{session_serialize}; my $state_ua = $state->FETCH('_UA'); if(defined($state_ua) and $state_ua ne $asp->{'ua'}) { $asp->Log("[security] hacker guessed id $id; ". "user-agent ($asp->{'ua'}) does not match ($state_ua); ". "destroying session & establishing new session id" ); $state->Init(); undef $state; goto NEW_SESSION_ID; } } $started = 0; } else { # expired, get & reset $asp->RefreshSessionId($id, {}); # mark so it won't be run while we are running $internal->UNLOCK(); $asp->Debug("session timed out, clearing"); $asp->{GlobalASA}->SessionOnEnd($id); $internal->LOCK(); delete $internal->{$id}; $asp->RefreshSessionId($id); $internal->UNLOCK(); # we need to create a new state now after the clobbering # with SessionOnEnd $state = Apache::ASP::State::new($asp, $id); $state->Set() || $asp->Error("session state startup failed"); $started = 1; } } else { # never seen before, maybe session garbage collected already # or coming in from querystringed search engine # wish we could do more # but proxying + nat prevents us from securing via ip address goto NEW_SESSION_ID; } } else { # give user new session id, we must lock this portion to avoid # concurrent identical session key creation, this is the # only critical part of the session manager NEW_SESSION_ID: my($trys); for(1..10) { $trys++; $id = $asp->Secret(); if($internal->{$id}) { $id = ''; } else { last; } } $id && $asp->RefreshSessionId($id, {}); $asp->{Internal}->UNLOCK(); $asp->Log("[security] secret algorithm is no good with $trys trys") if ($trys > 3); $asp->Error("no unique secret generated") unless $id; $asp->{dbg} && $asp->Debug("new session id $id"); $asp->SessionId($id); $state = &Apache::ASP::State::new($asp, $id); $state->Set() || $asp->Error("session state set failed"); if($asp->{paranoid_session}) { $asp->Debug("storing user-agent $asp->{'ua'}"); $state->STORE('_UA', $asp->{'ua'}); } $started = 1; } if(! $state) { $asp->Error("can't get state for id $id"); return; } $state->UserLock() if $asp->{session_serialize}; $asp->Debug("tieing session $id"); tie %self, 'Apache::ASP::Session', { state=>$state, asp=>$asp, id=>$id, started=>$started, }; if($asp->{dbg}) { $state->UserLock(); $asp->Debug("tied session", \%self); $state->UserUnLock(); } if($started) { $asp->{dbg} && $asp->Debug("clearing starting session"); %self = (); } bless \%self; } sub TIEHASH { my($package, $self) = @_; bless $self; } # stub so we don't have to test for it in autoload sub DESTROY { my $self = shift; # avoid odd global destruction errors return unless tied($self->{state}); $self->{state}->UserUnLock() if $self->{asp}{session_serialize}; untie $self->{state}; undef $self->{state}; } # don't need to skip DESTROY since we have it here # return if ($AUTOLOAD =~ /DESTROY/); sub AUTOLOAD { my $self = shift; my $AUTOLOAD = $Apache::ASP::Session::AUTOLOAD; $AUTOLOAD =~ s/^(.*)::(.*?)$/$2/o; $self->{state}->$AUTOLOAD(@_); } sub FETCH { my($self, $index) = @_; # putting these comparisons in a regexp was a little # slower than keeping them in these 'eq' statements if($index eq '_SELF') { $self; } elsif($index eq '_STATE') { $self->{state}; } elsif($index eq 'SessionID') { $self->{id}; } elsif($index eq 'Timeout') { $self->Timeout(); } else { $self->{state}->FETCH($index); } } sub STORE { my($self, $index, $value) = @_; if($index eq 'Timeout') { $self->Timeout($value); } else { $self->{state}->STORE($index, $value); } } # firstkey and nextkey skip the _UA key so the user # we need to keep the ua info in the session db itself, # so we are not dependent on writes going through to Internal # for this very critical informatioh. _UA is used for security # validation / the user's user agent. sub FIRSTKEY { my $self = shift; my $value = $self->{state}->FIRSTKEY(); if(defined $value and $value eq '_UA') { $self->{state}->NEXTKEY($value); } else { $value; } } sub NEXTKEY { my($self, $key) = @_; my $value = $self->{state}->NEXTKEY($key); if($value eq '_UA') { $self->{state}->NEXTKEY($value); } else { $value; } } sub CLEAR { my $state = shift->{state}; my $ua = $state->FETCH('_UA'); my $rv = $state->CLEAR(); $ua && $state->STORE('_UA', $ua); $rv; } sub SessionID { my $self = shift; my $real_self; if($real_self = $self->{_SELF}) { $self = $real_self; } $self->{id}; } sub Timeout { my($self, $minutes) = @_; # I don't know why, but tied($self) didn't work in here my $real_self; if($real_self = $self->{_SELF}) { $self = $real_self; } if($minutes) { my($internal_session) = $self->{asp}{Internal}{$self->{id}}; $internal_session->{refresh_timeout} = $minutes * 60; $internal_session->{timeout} = time() + $minutes * 60; $self->{asp}{Internal}{$self->{id}} = $internal_session; } else { my($refresh) = $self->{asp}{Internal}{$self->{id}}{refresh_timeout}; $refresh ||= $self->{asp}{session_timeout}; $refresh / 60; } } sub Abandon { shift->Timeout(-1); } sub TTL { my $self = shift; $self = $self->{_SELF}; # time to live is current timeout - time... positive means # session is still active, returns ttl in seconds my $timeout = $self->{asp}{Internal}{$self->{id}}{timeout}; my $ttl = $timeout - time(); } sub Started { my $self = shift; $self->{_SELF}{started}; } # we provide these, since session serialize is not # the default... locking around writes will also be faster, # since there will be only one tie to the database and # one flush per lock set sub Lock { tied(%{$_[0]})->{state}->WriteLock(); } sub UnLock { tied(%{$_[0]})->{state}->UnLock(); } 1; package Apache::ASP::State; use strict; no strict qw(refs); use vars qw(%DB %CACHE $UNLOCK $DefaultGroupIdLength); use Fcntl qw(:flock O_RDWR O_CREAT); $DefaultGroupIdLength = 2; # Database formats supports and their underlying extensions %DB = ( SDBM_File => ['.pag', '.dir'], DB_File => [''] ); %CACHE = (); # About locking, we use a separate lock file from the SDBM files # generated because locking directly on the SDBM files occasionally # results in sdbm store errors. This is less efficient, than locking # to the db file directly, but having a separate lock file works for now. # # If there is no $group given, then the $group will be extracted from # the $id as the first 2 letters of that group. # # If the group and the id are the same length, then what was passed # was just a group id, and the object is being created for informational # purposes only. So, we don't create a lock file in this case, as this # is not a real State object # sub new { my($asp, $id, $group, $permissions, $no_error) = @_; if($id) { $id =~ /^(.*)$/; # untaint $id = $1; } else { $asp->Error("no id: $id passed into new State"); return; } # default group is first 2 characters of id, simple hashing if($group) { $group =~ /^(.*)$/; # untaint $group = $1; } else { $id =~ /^(..)/; $group = $1; } unless($group) { $asp->Error("no group defined for id $id"); return; } my $state_dir = $asp->{state_dir}; my $group_dir = $state_dir.'/'.$group; my $lock_file = $group_dir.'/'.$id.'.lock'; my $file = $group_dir.'/'.$id; # we only need SDBM_File for internal, and its faster so use it my($state_db, $state_serializer); if($id eq 'internal') { $state_db = $Apache::ASP::DefaultStateDB; $state_serializer = $Apache::ASP::DefaultStateSerializer; } else { # don't get data for dummy group id sessions my $internal = length($id) > $DefaultGroupIdLength ? $asp->{Internal} : {}; my $idata = $internal->{$id}; if(! $idata->{state_db} || ! $idata->{state_serializer}) { $state_db = $idata->{state_db} || $asp->{state_db} || $Apache::ASP::DefaultStateDB; $state_serializer = $idata->{state_serializer} || $asp->{state_serializer} || $Apache::ASP::DefaultStateSerializer; # INIT StateDB && StateSerializer if hitting for the first time # only if real id like a session id or application if(length($id) > $DefaultGroupIdLength) { my $diff = 0; if(($idata->{state_db} || $Apache::ASP::DefaultStateDB) ne $state_db) { $idata->{state_db} = $state_db; $diff = 1; } if(($idata->{state_serializer} || $Apache::ASP::DefaultStateSerializer) ne $state_serializer) { $idata->{state_serializer} = $state_serializer; $diff = 1; } # do not set if we are just getting the state if(! $permissions || $permissions ne O_RDWR) { if($diff) { $asp->Debug("setting internal data for state $id", $idata); $internal->{$id} = $idata; } } } } else { # this state has already been created $state_db = $idata->{state_db}; $state_serializer = $idata->{state_serializer}; } } # if the application does an onend during this time, we want # to update the state configs it to the appropriate values if($group eq 'server' and $asp->{state_cache}) { if(my $state = $CACHE{$file}) { $asp->{dbg} && $asp->Debug("returning state $state from cache for $id $group"); $state->{asp} = $asp; $state->{state_db} = $state_db; $state->{state_serializer} = $state_serializer; return $state; } } my $self = bless { asp=>$asp, dbm => undef, 'dir' => $group_dir, 'ext' => ['.lock'], id => $id, file => $file, group => $group, group_dir => $group_dir, num_locks => 0, lock_file => $lock_file, lock_file_fh => $lock_file, open_lock => 0, state_db => $state_db, state_serializer => $state_serializer, state_dir => $state_dir, total_locks => 0, total_unlocks => 0, write_locked => 0, }; push(@{$self->{'ext'}}, @{$DB{$self->{state_db}}}); # $self->{asp}->Debug("db ext: ".join(",", @{$self->{'ext'}})); # create state directory unless(-d $state_dir) { mkdir($state_dir, 0750) || $self->{asp}->Error("can't create state dir $state_dir"); } if(! $permissions || $permissions ne O_RDWR) { # create group directory unless(-d $group_dir) { if(mkdir($group_dir, 0750)) { $self->{asp}->Debug("creating group dir $group_dir"); } else { $self->{asp}->Error("can't create group dir $group_dir"); } } } # open lock file now, and once for performance # we skip this for $group_id eq $id since then this is # just a place holder empty state object used # for information purposes only if($permissions) { if($self->Do($permissions, $no_error)) { if($group eq 'server' and $asp->{state_cache}) { $CACHE{$file} = $self; } $self->OpenLock unless ($group eq $id); } else { return undef; } } else { $self->OpenLock unless ($group eq $id); } $self; } sub Get { shift->Do(O_RDWR, @_); } sub Set { shift->Do(O_RDWR|O_CREAT, @_); } sub Init { my $self = shift; $self->Set() || return; $self->{dbm}->CLEAR(); $self; } sub Do { my($self, $permissions, $no_error) = @_; # make sure we got all the right stuff unless($self->{id} && $self->{group} && (defined $permissions)) { $self->{asp}->Error("something is missing in doing state ". "id: $self->{id}; group: $self->{group}; ". "permissions: $permissions" ); return; } # Tie to MLDBM Database # set the params for MLDBM use, and tie to db, possible bug # fix to mixing settings for other app uses. # save the settings first and restore them afterwards # so developer can use MLDBM for other things. # # my @temp = ($MLDBM::UseDB, $MLDBM::Serializer); # $self->{state_db} =~ s/^//; # untaint local $MLDBM::UseDB = $self->{state_db}; local $MLDBM::Serializer = $self->{state_serializer}; # clear current tied relationship first, if any $self->{dbm} = undef; local $SIG{__WARN__} = sub {}; $self->{dbm} = &MLDBM::TIEHASH('MLDBM', $self->{file}, $permissions, 0640); # ($MLDBM::UseDB, $MLDBM::Serializer) = @temp; if($self->{dbm}) { # used to have locking code here # if($self->{state_db} eq 'DB_File') { # $self->{dbm}{cachesize} = 0; # } } else { unless($no_error) { $self->{asp}->Error("Can't tie to file $self->{file}, $permissions, $! !! \n". "Make sure you have the permissions on the \n". "directory set correctly, and that your \n". "version of Data::Dumper is up to date. \n". "Also, make sure you have set Global to \n". "to a good directory in the config file." ); } } $self->{dbm}; } sub Delete { my $self = shift; my $count = 0; unless($self->{file}) { $self->{asp}->Error("no state file to delete"); return; } # we open the lock file when we new, so must close # before unlinking it $self->CloseLock(); # manually unlink state files # all the file extensions so a switched StateDB will collect too for('.pag', '.dir', '', '.lock') { # for(@{$self->{'ext'}}) { my $unlink_file = $self->{file}.$_; next unless (-e $unlink_file); if(unlink($unlink_file)) { $count++; # $self->{asp}->Debug("deleted state file $unlink_file"); } else { $self->{asp}->Error("can't unlink state file $unlink_file: $!"); return; } } $count; } sub DeleteGroupId { my $self = shift; my $group_dir = $self->{group_dir}; if(-d $group_dir) { if(rmdir($group_dir)) { $self->{asp}->Debug("deleting group dir $group_dir"); } else { $self->{asp}->Log("cannot delete group dir $group_dir: $!"); } } } sub GroupId { shift->{group}; } sub GroupMembers { my $self = shift; local(*DIR); my(%ids, @ids); unless(-d $self->{group_dir}) { $self->{asp}->Log("no group dir:$self->{group_dir} to get group from"); return []; } unless(opendir(DIR, $self->{group_dir})) { $self->{asp}->Log("opening group $self->{group_dir} failed: $!"); return []; } for(readdir(DIR)) { next if /^\.\.?$/; $_ =~ /^(.*?)(\.[^\.]+)?$/; next unless $1; $ids{$1}++; } # need to explicitly close directory, or we get a file # handle leak on Solaris closedir(DIR); @ids = keys %ids; \@ids; } sub DefaultGroups { my $self = shift; my(@ids); local *STATEDIR; opendir(STATEDIR, $self->{state_dir}) || $self->{asp}->Error("can't open state dir $self->{state_dir}"); for(readdir(STATEDIR)) { next if /^\./; next unless (length($_) eq $DefaultGroupIdLength); push(@ids, $_); } closedir STATEDIR; \@ids; } sub DESTROY { my $self = shift; return unless %{$self}; return if $self->{destroyed}++; if($self->{num_locks} > 1) { # we set num locks down to 1, so UnLock # really unlocks the lock file, instead # of just popping a lock off $self->{num_locks} = 1; } if($CACHE{$self->{file}}) { $self->{destroyed} = 0; $self->UnLock(); } else { untie $self->{dbm} if $self->{dbm}; $self->{dbm} = undef; $self->UnLock(); $self->CloseLock(); } $self->{asp}{dbg} && $self->{asp}->Debug( "state $self->{id} locks: $self->{total_locks}, ". "unlocks: $self->{total_unlocks}" ); $self->{total_locks} = $self->{total_unlocks} = 0; } # don't need to skip DESTROY since we have it defined # return if ($AUTOLOAD =~ /DESTROY/); sub AUTOLOAD { my $self = shift; my $AUTOLOAD = $Apache::ASP::State::AUTOLOAD; $AUTOLOAD =~ s/^(.*)::(.*?)$/$2/o; my $value; $self->WriteLock(); $value = $self->{dbm}->$AUTOLOAD(@_); $self->UnLock(); $value; } sub TIEHASH { my $type = shift; # dual tie contructor, if we receive a State object to tie # then just return it, otherwise construct a new object # before tieing if((ref $_[0]) =~ /State/) { $_[0]; } else { bless &new(@_), $type; } } # FIRSTKEY / NEXTKEY is what makes references like %array # and each %array tick. What we do is take a snapshot of # the keys when first key is called and just pop from there # assuming sequencing NEXTKEYS... I used this method # for Tie::Cache and it works just fine. sub FIRSTKEY { my $self = shift; my @keys; $self->WriteLock(); my $key = $self->{dbm}->FIRSTKEY(); while(defined $key) { push(@keys, $key); $key = $self->{dbm}->NEXTKEY($key); } $self->UnLock(); $self->{'keys'} = \@keys; shift @{$self->{'keys'}}; } sub NEXTKEY { my $self = shift; shift @{$self->{'keys'}}; } sub FETCH { my($self, $index) = @_; my $value; if($index eq '_FILE') { $value = $self->{file}; } elsif($index eq '_SELF') { $value = $self; } else { $self->WriteLock(); $value = $self->{dbm}->FETCH($index); $self->UnLock(); } $value; } sub STORE { my $self = shift; $self->WriteLock(); $self->{dbm}->STORE(@_); $self->UnLock(); } sub LOCK { tied(%{(shift)})->WriteLock(); } sub UNLOCK { tied(%{(shift)})->UnLock(); } # the +> mode open a read/write w/clobber file handle. # the clobber is useful, since we don't have to create # the lock file first sub OpenLock { my $self = shift; return if $self->{open_lock}; my $lock_file = $self->{lock_file}; $self->{open_lock} = 1; my $mode = (-e $lock_file) ? "+<" : "+>"; $self->{asp}{dbg} && $self->{asp}->Debug("opening lock file $self->{lock_file}"); open($self->{lock_file_fh}, $mode . $lock_file) || $self->{asp}->Error("Can't open $self->{lock_file}: $!"); } sub CloseLock { my $self = shift; return if ($self->{open_lock} == 0); $self->{open_lock} = 0; # suppress errors, as this can screw up in global # destruction sometimes; saw this with perl5.004_04, Linux 2.0.34 local $^W = 0; close($self->{lock_file_fh}); } sub WriteLock { my $self = shift; my $file = $self->{lock_file_fh}; $self->{num_locks}++; if($self->{write_locked}) { # $self->{asp}->Log("writelock: already write locked $file"); 1; } else { # $self->{asp}->Log("write locking"); $self->{write_locked} = 1; $self->{total_locks}++; local $^W = 0; my $rv = eval { flock($file, LOCK_EX) }; if($rv) { # success, typical, first test for speed } elsif($@ and $^O eq 'MSWin32') { $self->{asp}->Debug("flock() doesn't work on this platform, likely Win95: $!"); } else { $self->{asp}->Error("can't write lock $file: $!"); } $self->Set(); } } sub UnLock { my $self = shift; my $file = $self->{lock_file_fh}; if(($self->{num_locks} == 1) and $self->{write_locked}) { # locks only work when they were locked before # we started erroring, because file locking will # will hang a system if locking doesn't work properly $self->{write_locked} = 0; $self->{total_unlocks}++; $self->{dbm} = undef; if(eval { flock($file, ($UNLOCK || LOCK_UN)) }) { # unlock success } else { local $^W = 0; if($@ and $^O eq 'MSWin32') { $self->{asp}->Debug("flock() unlocking doesn't work on this platform, likely Win95: $!"); } else { $self->{asp}->Debug("basic unlock of $file failed: $!"); # we try a flock work around here for QNX my $err = $!; eval { $UNLOCK ||=&Fcntl::F_UNLCK; }; if($UNLOCK) { unless(flock($file, $UNLOCK)) { $self->{asp}->Error("Can't unlock $file even with backup flock: $err, $!"); } } else { $self->{asp}->Error("Can't unlock $file: $err"); } } } } else { # don't debug about this, since we'll always get some # of these since we are a bit over zealous about unlocking # better to unlock to much than too little } # $self->{asp}->Log("unlock called with $self->{num_locks} acquired"); $self->{num_locks} && $self->{num_locks}--; 1; } *UserLock = *WriteLock; *UserUnLock = *UnLock; 1; # this package emulates an Apache request object with a CGI backend package Apache::ASP::CGI; use strict; no strict qw(refs); use vars qw($StructsDefined); $StructsDefined = 0; sub do_self { my %config = @_; my $r = &init($0, @ARGV); $r->dir_config('CgiDoSelf', 1); $r->dir_config('NoState', 0); # init passed in config for(keys %config) { $r->dir_config($_, $config{$_}); } # $r->dir_config('Debug', -1); &Apache::ASP::handler($r); } sub init { my($filename, @args) = @_; $filename ||= $0; for('CGI.pm', 'Class/Struct.pm') { next if require $_; die("can't load the $_ library. please make sure you installed it"); } # we define structs here so modperl users don't incur a runtime / memory unless($StructsDefined) { $StructsDefined = 1; &Class::Struct::struct( 'Apache::ASP::CGI::connection' => { 'remote_ip' => "\$", 'auth_type' => "\$", 'user' => "\$", 'aborted' => "\$", } ); &Class::Struct::struct( 'Apache::ASP::CGI' => { 'cgi' => "\$", 'connection'=>'Apache::ASP::CGI::connection', 'content_type' => "\$", 'dir_config'=> "\%", 'env' => "\%", 'filename' => "\$", 'get_basic_auth_pw' => "\$", 'header_in' => "\%", 'header_out'=> "\%", 'method' => "\$", 'sent_header' => "\$", } ); } # create struct my $self = new(); my $cgi; if(defined $ENV{GATEWAY_INTERFACE} and $ENV{GATEWAY_INTERFACE} =~ /cgi/i) { if($ENV{CONTENT_TYPE}=~ m|^multipart/form-data|) { # let ASP pick it up later via CGI $cgi = new CGI({}); } else { # reading form input here $cgi = new CGI; } } else { $cgi = CGI->new({@args}); } $self->cgi($cgi); $self->filename($filename); $self->header_in('Cookie', $ENV{HTTP_COOKIE}); $self->connection->remote_ip($ENV{REMOTE_HOST} || $ENV{REMOTE_ADDR} || '0.0.0.0'); $self->connection->aborted(0); # $self->dir_config('Global') || $self->dir_config('Global', '.'); # we kill the state for now stuff for now, as it's just leaving .state # directories everywhere you run this stuff defined($self->dir_config('NoState')) || $self->dir_config('NoState', 1); $self->method($cgi->request_method()); $self->{env} = \%ENV; $self->env('SCRIPT_NAME') || $self->env('SCRIPT_NAME', $filename); $self; } sub status { $_[0]->header_out('status', $_[1]); } sub cgi_env { %{$_[0]->env} ; } sub cgi_header_out { my($self, $name, $value) = @_; if($name =~ /^set\-cookie$/i) { my $cookie = $self->header_out('Set-Cookie'); $cookie ||= []; if(ref $cookie) { # if there is already an array of cookies, push another one push(@$cookie, $value); } else { $cookie = [$cookie, $value]; } $self->header_out('Set-Cookie', $cookie); } else { $self->header_out($name, $value); } } sub send_http_header { my($self) = @_; my($k, $v, $header, $value); $self->sent_header(1); $header = "Content-Type: " .$self->content_type()."\n"; my $headers = $self->header_out(); while(($k, $v) = each %$headers) { next if ($k =~ /^content\-type$/i); if(ref $v) { # if ref, then we have an array for cgi_header_out for cookies for $value (@$v) { $header .= "$k: $value\n"; } } else { $header .= "$k: $v\n"; } } $header .= "\n"; $self->print($header); } sub send_cgi_header { my($self, $header) = @_; $self->sent_header(1); my(@left); for(split(/\n/, $header)) { my($name, $value) = split(/\:\s*/, $_, 2); if($name =~ /content-type/i) { $self->content_type($value); } else { push(@left, $_); } } $self->print(join("\n", @left, '')); $self->send_http_header(); } sub print { shift; print STDOUT @_; } sub args { my($self) = @_; my(%params, @pieces); my @params = $self->cgi()->param(); for (@params) { $params{$_} = $self->cgi()->param($_); my @values = $self->cgi()->param($_); my $value; for $value (@values) { push(@pieces, Apache::ASP::Server->URLEncode($_).'='. Apache::ASP::Server->URLEncode($value) ); } } if(wantarray) { %params; } else { join('&', @pieces); } } *content = *args; sub log_error { my($self, @args) = @_; print STDERR @args, "\n"; } sub register_cleanup { 1; } # do nothing as cgi will cleanup anyway sub soft_timeout { 1; }; 1; package Apache::ASP::Collection; sub Contents { my($self, $key) = @_; if(defined $key) { $self->Item($key); } else { $self; } } sub Item { my($self, $key, $value) = @_; if(defined $value) { if(ref($self->{$key}) and $self->{$key} =~ /HASH/) { # multi leveled collection go two levels down $self->{$key}{$value}; } else { $self->{$key} = $value; } } elsif(defined $key) { my $value = $self->{$key}; defined($value) || return $value; if(wantarray) { (ref($value) =~ /ARRAY/o) ? @{$value} : $value; } else { (ref($value) =~ /ARRAY/o) ? $value->[0] : $value; } } else { # returns hash to self by default, so compat with # $Request->Form() & such null collection calls. $self; } } sub SetProperty { my($self, $property, $key, $value) = @_; if($property =~ /property/io) { # do this to avoid recursion die("can't get the property $property for $self"); } else { $self->$property($key, $value); } } sub GetProperty { my($self, $property, $key) = @_; if($property =~ /property/io) { # do this to avoid recursion die("can't get the property $property for $self"); } else { $self->$property($key); } } 1; package Apache::ASP::Loader; use strict; no strict qw(refs); use vars qw(@Days @Months $AUTOLOAD); @Days = qw(Sun Mon Tue Wed Thu Fri Sat); @Months = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec); # we need a different class from Apache::ASP::CGI because we don't # want to force use of CGI & Class::Struct when loading ASP in Apache # also a nasty bug doesn't allow us to eval require's or use's, we # get a can't start_mutex sub new { my($file) = @_; bless { filename => $file, remote_ip => '127.0.0.1', user => undef, method => 'GET', NoState => 1, }; } sub AUTOLOAD { $AUTOLOAD =~ s/^(.*)::([^:]*)$/$2/; shift->{$AUTOLOAD}; } sub log_error { shift; my @times = localtime; printf STDERR ('[%s %s %02d %02d:%02d:%02d %d] [error] '.join('', @_)."\n", $Days[$times[6]], $Months[$times[4]], $times[3], $times[2], $times[1], $times[0], $times[5] + 1900 ); } sub dir_config { my($self, $key, $value) = @_; if(defined $value) { $self->{$key} = $value; } else { $self->{$key}; } } sub connection { shift; } 1; =pod =head1 NAME Apache::ASP - Active Server Pages for Apache with mod_perl =head1 SYNOPSIS SetHandler perl-script PerlHandler Apache::ASP PerlSetVar Global /tmp/asp =head1 DESCRIPTION This perl module provides an Active Server Pages port to the Apache Web Server with perl as the host scripting language. Active Server Pages is a web application platform that originated with the Microsoft NT/IIS server. Under Apache for Unix and Win32 platforms it allows a developer to create dynamic web applications with session management and embedded perl code. =begin html Apache::ASP's features include: =end html This module works under the Apache Web Server with the mod_perl module enabled. See http://www.apache.org and http://perl.apache.org for further information. This is a portable solution, similar to ActiveState's PerlScript for NT/IIS ASP. Work has been done and will continue to make ports to and from this implementation as smooth as possible. For Apache::ASP downloading and installation, please read the INSTALL section. For installation troubleshooting check the FAQ and the SUPPORT sections. For database access, ActiveX, scripting languages, and other miscellaneous issues please read the FAQ section. =head1 WEBSITE The Apache::ASP web site is at http://www.nodeworks.com/asp/ which you can also find in the ./site directory of the source distribution. =head1 INSTALL The latest Apache::ASP can be found at your nearest CPAN, and also: http://www.perl.com/CPAN-local/modules/by-module/Apache/ As a perl user, you should make yourself familiar with the CPAN.pm module, and how it may be used to install Apache::ASP, and other related modules. Once you have downloaded it, Apache::ASP installs easily using the make or nmake commands as shown below. Otherwise, just copy ASP.pm to $PERLLIB/site/Apache > perl Makefile.PL > make > make test > make install * use nmake for win32 Please note that you must first have the Apache Web Server & mod_perl installed before using this module in a web server environment. The offline mode for building static html may be used with just perl. =head2 Need Help Often, installing the mod_perl part of the Apache server can be the hardest part. If this is the case for you, check out the FAQ and SUPPORT sections for further help. =head2 RedHat Issues If you have a RedHat Linux server with an RPM style Apache + mod_perl, seriously consider building a static version of the httpd server yourself, not DSO. DSO is marked as experimental for mod_perl, and often does not work, resulting in "no request object" error messages. =head2 Quick Start Once you have successfully built the Apache Web Server with mod_perl, copy the ./site/eg/ directory from the Apache::ASP installation to your Apache document tree and try it out! You must put "AllowOverride All" in your httpd.conf config section to let the .htaccess file in the ./site/eg installation directory do its work. If you want a starter config file for Apache::ASP, just look at the .htaccess file in the ./site/eg/ directory. You will know that Apache::ASP is working normally if you can run the scripts in ./site/eg/ without any errors. =head1 CONFIG You may use a generic directive in your httpd.conf Apache configuration file to make Apache::ASP start ticking. Configure the optional setting if you want, the defaults are fine to get started. The settings are documented below. Make sure Global is set to where your web applications global.asa is if you have one! SetHandler perl-script PerlHandler Apache::ASP PerlSetVar Global /tmp NOTE: do not use this for the examples in ./site/eg. To get the examples working, check out the Quick Start section of INSTALL You may also use the tag in the httpd.conf Apache configuration file or .htaccess, which allows a developer to mix other file types in the application, static or otherwise. This method is more natural for ASP coding, with mixed media per directory. =head2 Core =item Global Global is the nerve center of an ASP application, in which the global.asa may reside, which defines the web application's event handlers. This directory is pushed onto @INC, you will be able to "use" and "require" files in this directory, so perl modules developed for this application may be dropped into this directory, for easy use. Unless StateDir is configured, this directory must be some writeable directory by the web server. $Session and $Application object state files will be stored in this directory. If StateDir is configured, then ignore this paragraph, as it overrides the Global directory for this purpose. Includes, specified with or $Response->Include() syntax, may also be in this directory, please see section on includes for more information. PerlSetVar Global /tmp =item GlobalPackage Perl package namespace that all scripts, includes, & global.asa events are compiled into. By default, GlobalPackage is some obscure name that is uniquely generated from the file path of the Global directory, and global.asa file. The use of explicitly naming the GlobalPackage is to allow scripts access to globals and subs defined in a perl module that is included with commands like: in perl script: use Some::Package; in apache conf: PerlModule Some::Package PerlSetVar GlobalPackage Some::Package =item UniquePackages default 0. Set to 1 to emulate pre-v.10 ASP script compilation behavior, which compiles each script into its own perl package. Before v.10, ASP scripts were compiled into their own perl package namespace. This allowed ASP scripts in the same ASP application to defined subroutines of the same name without a problem. As of v.10, ASP scripts in a web application are compiled into the *same* perl package by default, so these scripts, their includes, and the global.asa events all share common globals & subroutines defined by each other. The problem for some developers was that they would at times define a subroutine of the same name in 2+ scripts, and one subroutine definition would redefine the other one because of the namespace collision. PerlSetVar UniquePackages 0 =item DynamicIncludes default 0. SSI file includes are normally inlined in the calling script, and the text gets compiled with the script as a whole. With this option set to TRUE, file includes are compiled as a separate subroutine and called when the script is run. The advantage of having this turned on is that the code compiled from the include can be shared between scripts, which keeps the script sizes smaller in memory, and keeps compile times down. PerlSetVar DynamicIncludes 0 =item IncludesDir no defaults. If set, this directory will also be used to look for includes when compiling scripts. By default the directory the script is in, and the Global directory are checked for includes. This extension was added so that includes could be easily shared between ASP applications, whereas placing includes in the Global directory only allows sharing between scripts in an application. PerlSetVar IncludesDir . =head2 State Management =item NoState default 0, if true, neither the $Application nor $Session objects will be created. Use this for a performance increase. Please note that this setting takes precedence over the AllowSessionState and AllowApplicationState settings. PerlSetVar NoState 0 =item AllowSessionState Set to 0 for no session tracking, 1 by default If Session tracking is turned off, performance improves, but the $Session object is inaccessible. PerlSetVar AllowSessionState 1 Note that if you want to dissallow session creation for certain non web browser user agents, like search engine spiders, you can use an init handler like: PerlInitHandler "sub { $_[0]->dir_config('AllowSessionState', 0) }" =item AllowApplicationState Default 1. If you want to leave $Application undefined, then set this to 0, for a performance increase of around 2-3%. Allowing use of $Application is less expensive than $Session, as there is more work for the StateManager associated with $Session garbage collection so this parameter should be only used for extreme tuning. PerlSetVar AllowApplicationState 1 =item StateDir default $Global/.state. State files for ASP application go to this directory. Where the state files go is the most important determinant in what makes a unique ASP application. Different configs pointing to the same StateDir are part of the same ASP application. The default has not changed since implementing this config directive. The reason for this config option is to allow operating systems with caching file systems like Solaris to specify a state directory separately from the Global directory, which contains more permanent files. This way one may point StateDir to /tmp/myaspapp, and make one's ASP application scream with speed. PerlSetVar StateDir ./.state =item StateManager default 10, this number specifies the numbers of times per SessionTimeout that timed out sessions are garbage collected. The bigger the number, the slower your system, but the more precise Session_OnEnd's will be run from global.asa, which occur when a timed out session is cleaned up, and the better able to withstand Session guessing hacking attempts. The lower the number, the faster a normal system will run. The defaults of 20 minutes for SessionTimeout and 10 times for StateManager, has dead Sessions being cleaned up every 2 minutes. PerlSetVar StateManager 10 =item StateDB default SDBM_File, this is the internal database used for state objects like $Application and $Session. Because an %sdbm_file hash has a limit on the size of a record / key value pair, usually 1024 bytes, you may want to use another tied database like DB_File. With lightweight $Session and $Application use, you can get away with SDBM_File, but if you load it up with complex data like $Session{key} = { # very large complex object } you might max out the 1024 limit. Currently StateDB can only be: SDBM_File, DB_File Please let me know if you would like to add any more to this list. As of version .18, you may change this setting in a live production environment, and new state databases created will be of this format. With a prior version if you switch to a new StateDB, you would want to delete the old StateDir, as there will likely be incompatibilities between the different database formats, including the way garbage collection is handled. PerlSetVar StateDB SDBM_File =item StateCache Default 0, set to 1 for lock files that are acquired for $Application and an internal database used for session management to be cached and held open between requests, for up to a 10% performance gain. Per ASP application this is will keep up to 2 extra file handles open per httpd process, one for the internal database, and one for $Application. The only problem with this caching is that you can only delete the StateDir if you have first shutdown the web server, as the lock files will not be recreated between requests. Not that you should be deleting your StateDir anyway, but if you are, there is more to worry about. PerlSetVar StateCache 0 =item StateSerializer default Data::Dumper, you may set this to Storable for faster serialization and storage of data into state objects. This is particularly useful when storing large objects in $Session and $Application, as the Storable.pm module has a faster implementation of freezing and thawing data from and to perl structures. Note that if you are storing this much data in your state databases, you may want to use DB_File since it does not have the default 1024 byte limit that SDBM_File has on key/value lengths. This configuration setting may be changed in production as the state database's serializer type is stored in the internal state manager which will always use Data::Dumper & SDBM_File to store data. PerlSetVar StateSerializer Data::Dumper =head2 Sessions =item CookiePath URL root that client responds to by sending the session cookie. If your asp application falls under the server url "/asp", then you would set this variable to /asp. This then allows you to run different applications on the same server, with different user sessions for each application. PerlSetVar CookiePath / =item SessionTimeout Default 20 minutes, when a user's session has been inactive for this period of time, the Session_OnEnd event is run, if defined, for that session, and the contents of that session are destroyed. PerlSetVar SessionTimeout 20 =item SecureSession default 0. Sets the secure tag for the session cookie, so that the cookie will only be transmitted by the browser under https transmissions. PerlSetVar SecureSession 1 =item ParanoidSession default 0. When true, stores the user-agent header of the browser that creates the session and validates this against the session cookie presented. If this check fails, the session is killed, with the rationale that there is a hacking attempt underway. This config option was implemented to be a smooth upgrade, as you can turn it off and on, without disrupting current sessions. Sessions must be created with this turned on for the security to take effect. This config option is to help prevent a brute force cookie search from being successful. The number of possible cookies is huge, 2^128, thus making such a hacking attempt VERY unlikely. However, on the off chance that such an attack is successful, the hacker must also present identical browser headers to authenticate the session, or the session will be destroyed. Thus the User-Agent acts as a backup to the real session id. The IP address of the browser cannot be used, since because of proxies, IP addresses may change between requests during a session. There are a few browsers that will not present a User-Agent header. These browsers are considered to be browsers of type "Unknown", and this method works the same way for them. Most people agree that this level of security is unnecessary, thus it is titled paranoid :) PerlSetVar ParanoidSession 0 =item SessionSerialize default 0, if true, locks $Session for duration of script, which serializes requests to the $Session object. Only one script at a time may run, per user $Session, with sessions allowed. Serialized requests to the session object is the Microsoft ASP way, but is dangerous in a production environment, where there is risk of long-running or run-away processes. If these things happen, a session may be locked for an indefinite period of time. A user STOP button should safely quit the session however. PerlSetVar SessionSerialize 0 =head2 Cookieless Sessions =item SessionQueryParse default 0, if true, will automatically parse the $Session session id into the query string of each local URL found in the $Response buffer. For this setting to work therefore, buffering must be enabled. This parsing will only occur when a session cookie has not been sent by a browser, so the first script of a session enabled site, and scripts viewed by web browsers that have cookies disabled will trigger this behavior. Although this runtime parsing method is computationally expensive, this cost should be amortized across most users that will not need this URL parsing. This is a lazy programmer's dream. For something more efficient, look at the SessionQuery setting. For more information about this solution, please read the SESSIONS section. PerlSetVar SessionQueryParse 0 =item SessionQueryParseMatch default 0, set to a regexp pattern that matches all URLs that you want to have SessionQueryParse parse in session ids. By default SessionQueryParse only modifies local URLs, but if you name your URLs of your site with absolute URLs like http://localhost then you will need to use this setting. So to match http://localhost URLs, you might set this pattern to ^http://localhost. Note that by setting this config, you are also setting SessionQueryParse. PerlSetVar SessionQueryParseMatch ^https?://localhost =item SessionQuery default 0, if set, the session id will be initialized from the $Request->QueryString if not first found as a cookie. You can use this setting coupled with the $Server->URL($url, \%params) API extension to generate local URLs with session ids in their query strings, for efficient cookieless session support. Note that if a browser has cookies disabled, every URL to any page that needs access to $Session will need to be created by this method, unless you are using SessionQueryParse which will do this for you automatically. PerlSetVar SessionQuery 0 =item SessionQueryMatch default 0, set to a regexp pattern that will match URLs for $Server->URL() to add a session id to. SessionQuery normally allows $Server->URL() to add session ids just to local URLs, so if you use absolute URL references like http://localhost/ for your web site, then just like with SessionQueryParseMatch, you might set this pattern to ^http://localhost If this is set, then you don't need to set SessionQuery, as it will be set automatically. PerlSetVar SessionQueryMatch ^http://localhost =head2 Developer Environment =item UseStrict default 0, if set to 1, will compile all scripts, global.asa and includes with "use strict;" inserted at the head of the file, saving you from the painful process of strictifying code that was not strict to begin with. Because of how essential "use strict" programming is in a mod_perl environment, this default might be set to 1 one day, but this will be up for discussion before that decision is made. Note too that errors triggered by "use strict" are now captured as part of the normal Apache::ASP error handling when this configuration is set, otherwise "use strict" errors will not be handled properly, so using UseStrict is better than your own "use strict" statements. PerlSetVar UseStrict 1 =item Debug 1 for server log debugging, 2 for extra client html output Use 1 for production debugging, use 2 for development. Turn off if you are not debugging. PerlSetVar Debug 2 =item DebugBufferLength Default 100, set this to the number of bytes of the buffered output's tail you want to see when an error occurs and Debug 2 or MailErrorsTo is set, and when BufferingOn is enabled. With buffering the script output will not naturally show up when the script errors, as it has been buffered by the $Response object. It helps to see where in the script output an error halted the script, so the last bytes of the buffered output are included with the rest of the debugging information. For a demo of this functionality, try the ./site/eg/syntax_error.htm script, and turn buffering on. =item PodComments default 1. With pod comments turned on, perl pod style comments and documentation are parsed out of scripts at compile time. This make for great documentation and a nice debugging tool, and it lets you comment out perl code and html in blocks. Specifically text like this: =pod text or perl code here =cut will get ripped out of the script before compiling. The =pod and =cut perl directives must be at the beginning of the line, and must be followed by the end of the line. PerlSetVar PodComments 1 =head2 XML / XSLT =item XMLSubsMatch default not defined, set to some regexp pattern that will match all XML and HTML tags that you want to have perl subroutines handle. The is Apache::ASP's custom tag technology, and can be used to create powerful extensions to your XML and HTML rendering. Please see XML/XSLT section for instructions on its use. PerlSetVar XMLSubsMatch ^my: =item XSLT default not defined, if set to a file, ASP scripts will be regarded as XML output and transformed with the given XSL file with XML::XSLT. This XSL file will also be executed as an ASP script first, and its output will be the XSL data used for the transformation. This XSL file will be executed as a dynamic include, so may be located in the current directory, Global, or IncludesDir. Please see the XML/XSLT section for an explanation of its use. PerlSetVar XSLT template.xsl =item XSLTMatch default .*, if XSLT is set by default all ASP scripts will be XSL transformed by the specified XSL template. This regexp setting will tell XSLT which file names to match with doing XSL transformations, so that regular HTML ASP scripts and XML ASP scripts can be configured with the same configuration block. Please see ./site/eg/.htaccess for an example of its use. PerlSetVar XSLTMatch \.xml$ =item XSLTCacheSize default 0, if set greater than 0, will cache that many XML and XSL parsed objects and their transformations' output. XML::XSLT transformations are computationally expensive, requiring first XML DOM objects be created from the XML & XSL outputs, and then the final XSLT rendering is non-trivial too, so every effort is made to cache various steps in the process for enormous speed benefits if the same XML / XSL combination is being hit on the same web server process. Efforts will be made in the future to provide a mechanism for pre-caching these computations at server startup prefork so that they may be shared with the child Apache httpds. This setting requires that Tie::Cache be first installed. PerlSetVar XSLTCacheSize 100 =head2 Miscellaneous =item BufferingOn default 1, if true, buffers output through the response object. $Response object will only send results to client browser if a $Response->Flush() is called, or if the asp script ends. Lots of output will need to be flushed incrementally. If false, 0, the output is immediately written to the client, CGI style. There will be a performance hit server side if output is flushed automatically to the client, but is probably small. I would leave this on, since error handling is poor, if your asp script errors after sending only some of the output. PerlSetVar BufferingOn 1 =item StatINC default 0, if true, reloads perl libraries that have changed on disk automatically for ASP scripts. If false, the www server must be restarted for library changes to take effect. A known bug is that any functions that are exported, e.g. confess Carp qw(confess), will not be refreshed by StatINC. To refresh these, you must restart the www server. This setting should be used in development only because it is so slow. For a production version of StatINC, see StatINCMatch. PerlSetVar StatINC 1 =item StatINCMatch default undef, if defined, it will be used as a regular expression to reload modules that match as in StatINC. This is useful because StatINC has a very high performance penalty in production, so if you can narrow the modules that are checked for reloading each script execution to a handful, you will only suffer a mild performance penalty. The StatINCMatch setting should be a regular expression like: Struct|LWP which would match on reloading Class/Struct.pm, and all the LWP/.* libraries. If you define StatINCMatch, you do not need to define StatINC. PerlSetVar StatINCMatch .* =item StatScripts default 1, if set to 0, changed scripts, global.asa, and includes will not be reloaded. Coupled with Apache mod_perl startup and restart handlers executing Apache::ASP->Loader() for your application this allows your application to be frozen, and only reloaded on the next server restart or stop/start. There are a few advantages for not reloading scripts and modules in production. First there is a slight performance improvement by not having to stat() the script, its includes and the global.asa every request. From an application deployment standpoint, you also gain the ability to deploy your application as a snapshot taken when the server starts and restarts. This provides you with the reassurance that during a production server update from development sources, you do not have to worry with sources being used for the wrong libraries and such, while they are all being copied over. Finally, though you really should not do this, you can work on a live production application, with a test server reloading changes, but your production server does see the changes until you restart or stop/start it. This saves your public from syntax errors while you are just doing a quick bug fix. PerlSetVar StatScripts 1 =item SoftRedirect default 0, if true, a $Response->Redirect() does not end the script. Normally, when a Redirect() is called, the script is ended automatically. SoftRedirect 1, is a standard way of doing redirects, allowing for html output after the redirect is specified. PerlSetVar SoftRedirect 0 =item Filter On/Off, default Off. With filtering enabled, you can take advantage of full server side includes (SSI), implemented through Apache::SSI. SSI is implemented through this mechanism by using Apache::Filter. A sample configuration for full SSI with filtering is in the ./site/eg/.htaccess file, with a relevant example script ./site/eg/ssi_filter.ssi. You may only use this option with modperl v1.16 or greater installed and PERL_STACKED_HANDLERS enabled. Filtering may be used in conjunction with other handlers that are also "filter aware". If in doubt, try building your mod_perl with perl Makefile.PL EVERYTHING=1 With filtering through Apache::SSI, you should expect near a a 20% performance decrease. PerlSetVar Filter Off =item CgiHeaders default 0. When true, script output that looks like HTTP / CGI headers, will be added to the HTTP headers of the request. So you could add: Set-Cookie: test=message ... to the top of your script, and all the headers preceding a newline will be added as if with a call to $Response->AddHeader(). This functionality is here for compatibility with raw cgi scripts, and those used to this kind of coding. When set to 0, CgiHeaders style headers will not be parsed from the script response. PerlSetVar CgiHeaders 0 =item Clean default 0, may be set between 1 and 9. This setting determine how much text/html output should be compressed. A setting of 1 strips mostly white space saving usually 10% in output size, at a performance cost of less than 5%. A setting of 9 goes much further saving anywhere 25% to 50% typically, but with a performance hit of 50%. This config option is implemented via HTML::Clean. Per script configuration of this setting is available via the $Response->{Clean} property, which may also be set between 0 and 9. PerlSetVar Clean 0 =item CompressGzip default 0, if true will gzip compress HTML output on the fly if Compress::Zlib is installed, and the client browser supports it. Depending on the HTML being compressed, the client may see a 50% to 90% reduction in HTML output. I have seen 40K of HTML squeezed down to just under 6K. This will come at a 5%-20% hit to CPU usage per request compressed. Note there are some cases when a browser says it will accept gzip encoding, but then not render it correctly. This behavior has been seen with IE5 when set to use a proxy but not using a proxy, and the URL does not end with a .html or .htm. No work around has yet been found for this case so use at your own risk. PerlSetVar CompressGzip 1 =item TimeHiRes default 0, if set and Time::HiRes is installed, will do sub second timing of the time it takes Apache::ASP to process a request. This will not include the time spent in the session manager, nor modperl or Apache, and is only a rough approximation at best. If Debug is set also, you will get a comment in your HTML output that indicates the time it took to process that script. If system debugging is set with Debug -1 or -2, you will also get this time in the Apache error log with the other system messages. =head2 Mail Administration Apache::ASP has some powerful administrative email extensions that let you sleep at night, knowing full well that if an error occurs at the web site, you will know about it immediately. With these features already enabled, it was also easy to provide the $Server->Mail(\%mail) API extension which you can read up about in the OBJECTS section. =item MailHost The mail host is the smtp server that the below Mail* config directives will use when sending their emails. By default Net::SMTP uses smtp mail hosts configured in Net::Config, which is set up at install time, but this setting can be used to override this config. The mail hosts specified in the Net::Config file will be used as backup smtp servers to the MailHost specified here, should this primary server not be working. PerlSetVar MailHost smtp.yourdomain.com.foobar =item MailFrom Default NONE, set this to specify the default mail address placed in the From: mail header for the $Server->Mail() API extension, as well as MailErrorsTo and MailAlertTo. PerlSetVar MailFrom youremail@yourdomain.com.foobar =item MailErrorsTo No default, if set, ASP server errors, error code 500, that result while compiling or running scripts under Apache::ASP will automatically be emailed to the email address set for this config. This allows an administrator to have a rapid response to user generated server errors resulting from bugs in production ASP scripts. Other errors, such as 404 not found will be handled by Apache directly. An easy way to see this config in action is to have an ASP script which calls a die(), which generates an internal ASP 500 server error. The Debug config of value 2 and this setting are mutually exclusive, as Debug 2 is a development setting where errors are displayed in the browser, and MailErrorsTo is a production setting so that errors are silently logged and sent via email to the web admin. PerlSetVar MailErrorsTo youremail@yourdomain.com =item MailAlertTo The address configured will have an email sent on any ASP server error 500, and the message will be short enough to fit on a text based pager. This config setting would be used to give an administrator a heads up that a www server error occurred, as opposed to MailErrorsTo would be used for debugging that server error. This config does not work when Debug 2 is set, as it is a setting for use in production only, where Debug 2 is for development use. PerlSetVar MailAlertTo youremail@yourdomain.com =item MailAlertPeriod Default 20 minutes, this config specifies the time in minutes over which there may be only one alert email generated by MailAlertTo. The purpose of MailAlertTo is to give the admin a heads up that there is an error at the www server. MailErrorsTo is for to aid in speedy debugging of the incident. PerlSetVar MailAlertPeriod 20 =head2 File Uploads =item FileUploadMax default 0, if set will limit file uploads to this size in bytes. This is currently implemented by setting $CGI::POST_MAX before handling the file upload. Prior to this, a developer would have to hardcode a value for $CGI::POST_MAX to get this to work. PerlSetVar 100000 =item FileUploadTemp default 0, if set will leave a temp file on disk during the request, which may be helpful for processing by other programs, but is also a security risk in that other users on the operating system could potentially read this file while the script is running. The path to the temp file will be available at $Request->{FileUpload}{$form_field}{TempFile}. The regular use of file uploads remains the same with the <$filehandle> to the upload at $Request->{Form}{$form_field}. Please see the CGI section for more information on file uploads, and the $Request section in OBJECTS. PerlSetVar FileUploadTemp 0 =head1 SYNTAX ASP embedding syntax allows one to embed code in html in 2 simple ways. The first is the <% xxx %> tag in which xxx is any valid perl code. The second is <%= xxx %> where xxx is some scalar value that will be inserted into the html directly. An easy print. A simple asp page would look like: For loop incrementing font size:

<% for(1..5) { %> Size = <%=$_%>
<% } %> Notice that your perl code blocks can span any html. The for loop above iterates over the html without any special syntax. =head1 EVENTS The ASP platform allows developers to create Web Applications. In fulfillment of real software requirements, ASP allows event-triggered actions to be taken, which are defined in a global.asa file. The global.asa file resides in the Global directory, defined as a config option , and may define the following actions: Action Event ------ ------ Script_OnStart * Beginning of Script execution Script_OnEnd * End of Script execution Script_OnFlush * Before $Response being flushed to client. Application_OnStart Beginning of Application Application_OnEnd End of Application Session_OnStart Beginning of user Session. Session_OnEnd End of user Session. * These are API extensions that are not portable, but were added because they are incredibly useful These actions must be defined in the $Global/global.asa file as subroutines, for example: sub Session_OnStart { $Application->{$Session->SessionID()} = started; } Sessions are easy to understand. When visiting a page in a web application, each user has one unique $Session. This session expires, after which the user will have a new $Session upon revisiting. A web application starts when the user visits a page in that application, and has a new $Session created. Right before the first $Session is created, the $Application is created. When the last user $Session expires, that $Application expires also. =head2 Script_OnStart & Script_OnEnd The script events are used to run any code for all scripts in an application defined by a global.asa. Often, you would like to run the same code for every script, which you would otherwise have to add by hand, or add with a file include, but with these events, just add your code to the global.asa, and it will be run. There is one caveat. Code in Script_OnEnd is not guaranteed to be run when the user hits a STOP button, since the program execution ends immediately at this event. To always run critical code, use the API extension: $Server->RegisterCleanup() =head2 Session_OnStart Triggered by the beginning of a user's session, Session_OnStart gets run before the user's executing script, and if the same session recently timed out, after the session's triggered Session_OnEnd. The Session_OnStart is particularly useful for caching database data, and avoids having the caching handled by clumsy code inserted into each script being executed. =head2 Session_OnEnd Triggered by a user session ending, Session_OnEnd can be useful for cleaning up and analyzing user data accumulated during a session. Sessions end when the session timeout expires, and the StateManager performs session cleanup. The timing of the Session_OnEnd does not occur immediately after the session times out, but when the first script runs after the session expires, and the StateManager allows for that session to be cleaned up. So on a busy site with default SessionTimeout (20 minutes) and StateManager (10 times) settings, the Session_OnEnd for a particular session should be run near 22 minutes past the last activity that Session saw. A site infrequently visited will only have the Session_OnEnd run when a subsequent visit occurs, and theoretically the last session of an application ever run will never have its Session_OnEnd run. Thus I would not put anything mission-critical in the Session_OnEnd, just stuff that would be nice to run whenever it gets run. =head2 Script_OnFlush API extension. This event will be called prior to flushing the $Response buffer to the web client. At this time, the $Response->{BinaryRef} buffer reference may be used to modify the buffered output at runtime to apply global changes to scripts output without having to modify all the scripts. sub Script_OnFlush { my $ref = $Response->{BinaryRef}; $$ref =~ s/\s+/ /sg; # to strip extra white space } Check out the ./site/eg/global.asa for an example of its use. =head2 Application_OnStart This event marks the beginning of an ASP application, and is run just before the Session_OnStart of the first Session of an application. This event is useful to load up $Application with data that will be used in all user sessions. =head2 Application_OnEnd The end of the application is marked by this event, which is run after the last user session has timed out for a given ASP application. =head1 OBJECTS The beauty of the ASP Object Model is that it takes the burden of CGI and Session Management off the developer, and puts them in objects accessible from any ASP script & include. For the perl programmer, treat these objects as globals accessible from anywhere in your ASP application. Currently the Apache::ASP object model supports the following: Object - Function ------ -------- $Session - user session state $Response - output to browser $Request - input from browser $Application - application state $Server - general support methods These objects, and their methods are further defined in the following sections. =head2 $Session Object The $Session object keeps track of user and web client state, in a persistent manner, making it relatively easy to develop web applications. The $Session state is stored across HTTP connections, in database files in the Global or StateDir directories, and will persist across web server restarts. The user session is referenced by a 128 bit / 32 byte MD5 hex hashed cookie, and can be considered secure from session id guessing, or session hijacking. When a hacker fails to guess a session, the system times out for a second, and with 2**128 (3.4e38) keys to guess, a hacker will not be guessing an id any time soon. If an incoming cookie matches a timed out or non-existent session, a new session is created with the incoming id. If the id matches a currently active session, the session is tied to it and returned. This is also similar to the Microsoft ASP implementation. The $Session reference is a hash ref, and can be used as such to store data as in: $Session->{count}++; # increment count by one %{$Session} = (); # clear $Session data The $Session object state is implemented through MLDBM, and a user should be aware of the limitations of MLDBM. Basically, you can read complex structures, but not write them, directly: $data = $Session->{complex}{data}; # Read ok. $Session->{complex}{data} = $data; # Write NOT ok. $Session->{complex} = {data => $data}; # Write ok, all at once. Please see MLDBM for more information on this topic. $Session can also be used for the following methods and properties: =over =item $Session->{CodePage} Not implemented. May never be until someone needs it. =item $Session->{LCID} Not implemented. May never be until someone needs it. =item $Session->{SessionID} SessionID property, returns the id for the current session, which is exchanged between the client and the server as a cookie. =item $Session->{Timeout} [= $minutes] Timeout property, if minutes is being assigned, sets this default timeout for the user session, else returns the current session timeout. If a user session is inactive for the full timeout, the session is destroyed by the system. No one can access the session after it times out, and the system garbage collects it eventually. =item $Session->Abandon() The abandon method times out the session immediately. All Session data is cleared in the process, just as when any session times out. =item $Session->Lock() API extension. If you are about to use $Session for many consecutive reads or writes, you can improve performance by explicitly locking $Session, and then unlocking, like: $Session->Lock(); $Session->{count}++; $Session->{count}++; $Session->{count}++; $Session->UnLock(); This sequence causes $Session to be locked and unlocked only 1 time, instead of the 6 times that it would be locked otherwise, 2 for each increment with one to read and one to write. Because of flushing issues with SDBM_File and DB_File databases, each lock actually ties fresh to the database, so the performance savings here can be considerable. Note that if you have SessionSerialize set, $Session is already locked for each script invocation automatically, as if you had called $Session->Lock() in Script_OnStart. Thus you do not need to worry about $Session locking for performance. Please read the section on SessionSerialize for more info. =item $Session->UnLock() API Extension. Unlocks the $Session explicitly. If you do not call this, $Session will be unlocked automatically at the end of the script. =back =head2 $Response Object This object manages the output from the ASP Application and the client web browser. It does not store state information like the $Session object but does have a wide array of methods to call. =over =item $Response->{BinaryRef} API extension. This is a perl reference to the buffered output of the $Response object, and can be used in the Script_OnFlush global.asa event to modify the buffered output at runtime to apply global changes to scripts output without having to modify all the scripts. These changes take place before content is flushed to the client web browser. sub Script_OnFlush { my $ref = $Response->{BinaryRef}; $$ref =~ s/\s+/ /sg; # to strip extra white space } Check out the ./site/eg/global.asa for an example of its use. =item $Response->{Buffer} Default 1, when TRUE sends output from script to client only at the end of processing the script. When 0, response is not buffered, and client is sent output as output is generated by the script. =item $Response->{CacheControl} Default "private", when set to public allows proxy servers to cache the content. This setting controls the value set in the HTTP header Cache-Control =item $Response->{Charset} This member when set appends itself to the value of the Content-Length HTTP header. If $Response->{Charset} = 'ISO-LATIN-1' is set, the corresponding header would look like: Content-Type: text/html; charset=ISO-LATIN-1 =item $Response->{Clean} = 0-9; API extension. Set the Clean level, default 0, on a per script basis. Clean of 1-9 compresses text/html output. Please see the Clean config option for more information. =item $Response->{ContentType} = "text/html" Sets the MIME type for the current response being sent to the client. Sent as an HTTP header. =item $Response->{Expires} = $time Sends a response header to the client indicating the $time in SECONDS in which the document should expire. A time of 0 means immediate expiration. The header generated is a standard HTTP date like: "Wed, 09 Feb 1994 22:23:32 GMT". =item $Response->{ExpiresAbsolute} = $date Sends a response header to the client with $date being an absolute time to expire. Formats accepted are all those accepted by HTTP::Date::str2time(), e.g. "Wed, 09 Feb 1994 22:23:32 GMT" -- HTTP format "Tuesday, 08-Feb-94 14:15:29 GMT" -- old rfc850 HTTP format "08-Feb-94" -- old rfc850 HTTP format "09 Feb 1994" -- proposed new HTTP format "Feb 3 1994" -- Unix 'ls -l' format "Feb 3 17:03" -- Unix 'ls -l' format =item $Response->{IsClientConnected} Not implemented, but returns 1 currently for portability. This is value is not yet relevant, and may not be until apache 1.3.6, which will be tested shortly. Apache versions less than 1.3.6 abort the perl code immediately upon the client dropping the connection. =item $Response->{PICS} If this property has been set, a PICS-Label HTTP header will be sent with its value. For those that do not know, PICS is a header that is useful in rating the internet. It stands for Platform for Internet Content Selection, and you can find more info about it at: http://www.w3.org =item $Response->{Status} = $status Sets the status code returned by the server. Can be used to set messages like 500, internal server error =item $Response->AddHeader($name, $value) Adds a custom header to a web page. Headers are sent only before any text from the main page is sent, so if you want to set a header after some text on a page, you must turn BufferingOn. =item $Response->AppendToLog($message) Adds $message to the server log. Useful for debugging. =item $Response->BinaryWrite($data) Writes binary data to the client. The only difference from $Response->Write() is that $Response->Flush() is called internally first, so the data cannot be parsed as an html header. Flushing flushes the header if has not already been written. If you have set the $Response->{ContentType} to something other than text/html, cgi header parsing (see CGI notes), will be automatically be turned off, so you will not necessarily need to use BinaryWrite for writing binary data. For an example of BinaryWrite, see the binary_write.htm example in ./site/eg/binary_write.htm Please note that if you are on Win32, you will need to call binmode on a file handle before reading, if its data is binary. =item $Response->Clear() Erases buffered ASP output. =item $Response->Cookies($name, [$key,] $value) Sets the key or attribute of cookie with name $name to the value $value. If $key is not defined, the Value of the cookie is set. ASP CookiePath is assumed to be / in these examples. $Response->Cookies('name', 'value'); --> Set-Cookie: name=value; path=/ $Response->Cookies("Test", "data1", "test value"); $Response->Cookies("Test", "data2", "more test"); $Response->Cookies( "Test", "Expires", &HTTP::Date::time2str(time+86400) ); $Response->Cookies("Test", "Secure", 1); $Response->Cookies("Test", "Path", "/"); $Response->Cookies("Test", "Domain", "host.com"); --> Set-Cookie:Test=data1=test%20value&data2=more%20test; \ expires=Fri, 23 Apr 1999 07:19:52 GMT; \ path=/; domain=host.com; secure The latter use of $key in the cookies not only sets cookie attributes such as Expires, but also treats the cookie as a hash of key value pairs which can later be accesses by $Request->Cookies('Test', 'data1'); $Request->Cookies('Test', 'data2'); Because this is perl, you can (NOT PORTABLE) reference the cookies directly through hash notation. The same 5 commands above could be compressed to: $Response->{Cookies}{Test} = { Secure => 1, Value => { data1 => 'test value', data2 => 'more test' }, Expires => 86400, # not portable, see above Domain => 'host.com', Path => '/' }; and the first command would be: # you don't need to use hash notation when you are only setting # a simple value $Response->{Cookies}{'Test Name'} = 'Test Value'; I prefer the hash notation for cookies, as this looks nice, and is quite perlish. It is here to stay. The Cookie() routine is very complex and does its best to allow access to the underlying hash structure of the data. This is the best emulation I could write trying to match the Collections functionality of cookies in IIS ASP. For more information on Cookies, please go to the source at http://home.netscape.com/newsref/std/cookie_spec.html =item $Response->Debug(@args) API Extension. If the Debug config option is set greater than 0, this routine will write @args out to server error log. refs in @args will be expanded one level deep, so data in simple data structures like one-level hash refs and array refs will be displayed. CODE refs like $Response->Debug(sub { "some value" }); will be executed and their output added to the debug output. This extension allows the user to tie directly into the debugging capabilities of this module. While developing an app on a production server, it is often useful to have a separate error log for the application to catch debugging output separately. One way of implementing this is to use the Apache ErrorLog configuration directive to create a separate error log for a virtual host. If you want further debugging support, like stack traces in your code, consider doing things like: $Response->Debug( sub { Carp::longmess('debug trace') }; $SIG{__WARN__} = \&Carp::cluck; # then warn() will stack trace The only way at present to see exactly where in your script an error occurred is to set the Debug config directive to 2, and match the error line number to perl script generated from your ASP script. However, as of version 0.10, the perl script generated from the asp script should match almost exactly line by line, except in cases of inlined includes, which add to the text of the original script, pod comments which are entirely yanked out, and <% # comment %> style comments which have a \n added to them so they still work. If you would like to see the HTML preceding an error while developing, consider setting the BufferingOn config directive to 0. =item $Response->End() Sends result to client, and immediately exits script. Automatically called at end of script, if not already called. =item $Response->ErrorDocument($code, $uri) API extension that allows for the modification the Apache ErrorDocument at runtime. $uri may be a on site document, off site URL, or string containing the error message. This extension is useful if you want to have scripts set error codes with $Response->{Status} like 401 for authentication failure, and to then control from the script what the error message looks like. For more information on the Apache ErrorDocument mechanism, please see ErrorDocument in the CORE Apache settings, and the Apache->custom_response() API, for which this method is a wrapper. =item $Response->Flush() Sends buffered output to client and clears buffer. =item $Response->Include($filename, @args) This API extension calls the routine compiled from asp script in $filename with the args @args. This is a direct translation of the SSI tag Please see the SSI section for more on SSI in general. This API extension was created to allow greater modularization of code by allowing includes to be called with runtime arguments. Files included are compiled once, and the anonymous code ref from that compilation is cached, thus including a file in this manner is just like calling a perl subroutine. =item $Response->Redirect($url) Sends the client a command to go to a different url $url. Script immediately ends. =item $Response->Write($data) Write output to the HTML page. <%=$data%> syntax is shorthand for a $Response->Write($data). All final output to the client must at some point go through this method. =back =head2 $Request Object The request object manages the input from the client browser, like posts, query strings, cookies, etc. Normal return results are values if an index is specified, or a collection / perl hash ref if no index is specified. WARNING, the latter property is not supported in ActiveState PerlScript, so if you use the hashes returned by such a technique, it will not be portable. A normal use of this feature would be to iterate through the form variables in the form hash... $form = $Request->Form(); for(keys %{$form}) { $Response->Write("$_: $form->{$_}
\n"); } Please see the ./site/eg/server_variables.htm asp file for this method in action. Note that if a form POST or query string contains duplicate values for a key, those values will be returned through normal use of the $Request object: @values = $Request->Form('key'); but you can also access the internal storage, which is an array reference like so: $array_ref = $Request->{Form}{'key'}; @values = @{$array_ref}; Please read the PERLSCRIPT section for more information on how things like $Request->QueryString() & $Request->Form() behave as collections. =over =item $Request->{TotalBytes} The amount of data sent by the client in the body of the request, usually the length of the form data. This is the same value as $Request->ServerVariables('CONTENT_LENGTH') =item $Request->BinaryRead($length) Returns a scalar whose contents are the first $length bytes of the form data, or body, sent by the client request. This data is the raw data sent by the client, without any parsing done on it by Apache::ASP. =item $Request->ClientCertificate() Not implemented. =item $Request->Cookies($name [,$key]) Returns the value of the Cookie with name $name. If a $key is specified, then a lookup will be done on the cookie as if it were a query string. So, a cookie set by: Set-Cookie: test=data1=1&data2=2 would have a value of 2 returned by $Request->Cookies('test','data2'). If no name is specified, a hash will be returned of cookie names as keys and cookie values as values. If the cookie value is a query string, it will automatically be parsed, and the value will be a hash reference to these values. When in doubt, try it out. Remember that unless you set the Expires attribute of a cookie with $Response->Cookies('cookie', 'Expires', $xyz), the cookies that you set will only last until you close your browser, so you may find your self opening & closing your browser a lot when debugging cookies. For more information on cookies in ASP, please read $Response->Cookies() =item $Request->FileUpload($form_field, $key) API extension. The FileUpload interface to file upload data is stabilized. The internal representation of the file uploads is a hash of hashes, one hash per file upload found in the $Request->Form() collection. This collection of collections may be queried through the normal interface like so: $Request->FileUpload('upload_file', 'ContentType'); $Request->FileUpload('upload_file', 'FileHandle'); $Request->FileUpload('upload_file', 'BrowserFile'); $Request->FileUpload('upload_file', 'Mime-Header'); $Request->FileUpload('upload_file', 'TempFile'); * note that TempFile must be use with the UploadTempFile configuration setting. The above represents the old slow collection interface, but like all collections in Apache::ASP, you can reference the internal hash representation more easily. my $fileup = $Request->{FileUpload}{upload_file}; $fileup->{ContentType}; $fileup->{BrowserFile}; $fileup->{FileHandle}; $fileup->{Mime-Header}; $fileup->{TempFile}; =item $Request->Form($name) Returns the value of the input of name $name used in a form with POST method. If $name is not specified, returns a ref to a hash of all the form data. File upload data will be loaded into $Request->Form('file_field'), where the value is the actual file name of the file uploaded, and the contents of the file can be found by reading from the file name as a file handle as in: while(read($Request->Form('file_field_name'), $data, 1024)) {}; For more information, please see the CGI / File Upload section, as file uploads are implemented via the CGI.pm module. An example can be found in the installation samples ./site/eg/file_upload.asp =item $Request->QueryString($name) Returns the value of the input of name $name used in a form with GET method, or passed by appending a query string to the end of a url as in http://localhost/?data=value. If $name is not specified, returns a ref to a hash of all the query string data. =item $Request->ServerVariables($name) Returns the value of the server variable / environment variable with name $name. If $name is not specified, returns a ref to a hash of all the server / environment variables data. The following would be a common use of this method: $env = $Request->ServerVariables(); # %{$env} here would be equivalent to the cgi %ENV in perl. =back =head2 $Application Object Like the $Session object, you may use the $Application object to store data across the entire life of the application. Every page in the ASP application always has access to this object. So if you wanted to keep track of how many visitors there where to the application during its lifetime, you might have a line like this: $Application->{num_users}++ The Lock and Unlock methods are used to prevent simultaneous access to the $Application object. =over =item $Application->Lock() Locks the Application object for the life of the script, or until UnLock() unlocks it, whichever comes first. When $Application is locked, this guarantees that data being read and written to it will not suddenly change on you between the reads and the writes. This and the $Session object both lock automatically upon every read and every write to ensure data integrity. This lock is useful for concurrent access control purposes. Be careful to not be too liberal with this, as you can quickly create application bottlenecks with its improper use. =item $Application->UnLock() Unlocks the $Application object. If already unlocked, does nothing. =item $Application->GetSession($sess_id) This NON-PORTABLE API extension returns a user $Session given a session id. This allows one to easily write a session manager if session ids are stored in $Application during Session_OnStart, with full access to these sessions for administrative purposes. Be careful not to expose full session ids over the net, as they could be used by a hacker to impersonate another user. So when creating a session manager, for example, you could create some other id to reference the SessionID internally, which would allow you to control the sessions. This kind of application would best be served under a secure web server. The ./site/eg/global_asa_demo.asp script makes use of this routine to display all the data in current user sessions. =item $Application->SessionCount() This NON-PORTABLE method returns the current number of active sessions, in the application. This method is not implemented as part of the ASP object model, but is implemented here because it is useful. In particular, when accessing databases with license requirements, one can monitor usage effectively through accessing this value. This is a new feature as of v.06, and if run on a site with previous versions of Apache::ASP, the count may take a while to synch up. To ensure a correct count, you must delete all the current state files associated with an application, usually in the $Global/.state directory. =back =head2 $Server Object The server object is that object that handles everything the other objects do not. The best part of the server object for Win32 users is the CreateObject method which allows developers to create instances of ActiveX components, like the ADO component. =over =item $Server->{ScriptTimeout} = $seconds Not implemented. May never be. Please see the Apache Timeout configuration option, normally in httpd.conf. =item $Server->Config($setting) API extension. Allows a developer to read the CONFIG settings, like Global, GlobalPackage, StateDir, etc. Currently implemented as a wrapper around Apache->dir_config($setting) =item $Server->CreateObject($program_id) Allows use of ActiveX objects on Win32. This routine returns a reference to an Win32::OLE object upon success, and nothing upon failure. It is through this mechanism that a developer can utilize ADO. The equivalent syntax in VBScript is Set object = Server.CreateObject(program_id) For further information, try 'perldoc Win32::OLE' from your favorite command line. =item $Server->Execute($file, @args) New method from ASP 3.0, this does the same thing as $Response->Include($file, @args) and internally is just a wrapper for such. Seems like we had this important functionality before the IIS/ASP camp! =item $Server->GetLastError() Not implemented, will likely not ever be because this is dependent on how IIS handles errors and is not relevant in Apache. =item $Server->HTMLEncode($string) Returns an HTML escapes version of $string. &, ", >, <, are each escapes with their HTML equivalents. Strings encoded in this nature should be raw text displayed to an end user, as HTML tags become escaped with this method. " =item $Server->MapPath($url); Given the url $url, absolute, or relative to the current executing script, this method returns the equivalent filename that the server would translate the request to, regardless or whether the request would be valid. Only a $url that is relative to the host is valid. Urls like "." and "/" are fine arguments to MapPath, but http://localhost would not be. To see this method call in action, check out the sample ./site/eg/server.htm script. =item $Server->Mail(\%mail, %smtp_args); With the Net::SMTP and Net::Config modules installed, which are part of the perl libnet package, you may use this API extension to send email. The \%mail hash reference that you pass in must have values for at least the To, From, and Subject headers, and the Body of the mail message. You could send an email like so: $Server->Mail({ To => 'somebody@yourdomain.com.foobar', From => 'youremail@yourdomain.com.foobar', Subject => 'Subject of Email', Body => 'Body of message. '. 'You might have a lot to say here!', Organization => 'Your Organization', }); Any extra fields specified for the email will be interpreted as headers for the email, so to send an HTML email, you could set 'Content-Type' => 'text/html' in the above example. If you have MailFrom configured, this will be the default for the From header in your email. For more configuration options like the MailHost setting, check out the CONFIG section. The return value of this method call will be boolean for success of the mail being sent. If you would like to specially configure the Net::SMTP object used internally, you may set %smtp_args and they will be passed on when that object is initialized. "perldoc Net::SMTP" for more into on this topic. =item $Server->Transfer($file) New method from ASP 3.0. Transfers control to another script. The Response buffer will not be cleared automatically, so if you want this to serve as a faster $Response->Redirect(), you will need to call $Response->Clear() before calling this method. This new script will take over current execution and the current script will not continue to be executed afterwards. It differs from Execute() because the original script will not pick up where it left off. =item $Server->URLEncode($string) Returns the URL-escaped version of the string $string. +'s are substituted in for spaces and special characters are escaped to the ascii equivalents. Strings encoded in this manner are safe to put in urls... they are especially useful for encoding data used in a query string as in: $data = $Server->URLEncode("test data"); $url = "http://localhost?data=$data"; $url evaluates to http://localhost?data=test+data, and is a valid URL for use in anchor tags and redirects, etc. =item $Server->RegisterCleanup($sub) non-portable extension Sets a subroutine reference to be executed after the script ends, whether normally or abnormally, the latter occurring possibly by the user hitting the STOP button, or the web server being killed. This subroutine must be a code reference created like: $Server->RegisterCleanup(sub { $main::Session->{served}++; }); or sub served { $main::Session->{served}++; } $Server->RegisterCleanup(\&served); The reference to the subroutine passed in will be executed. Though the subroutine will be executed in anonymous context, instead of the script, all objects will still be defined in main::*, that you would reference normally in your script. Output written to $main::Response will have no affect at this stage, as the request to the www client has already completed. Check out the ./site/eg/register_cleanup.asp script for an example of this routine in action. =item $Server->URL($url, \%params) Will return a URL with %params serialized into a query string like: $url = $Server->URL('test.asp', { test => value }); which would give you a URL of test.asp?test=value Used in conjunction with the SessionQuery* settings, the returned URL will also have the session id inserted into the query string, making this a critical part of that method of implementing cookieless sessions. For more information on that topic please read on the setting in the CONFIG section, and the SESSIONS section too. =back =head1 SSI SSI is great! One of the main features of SSI is to include other files in the script being requested. In Apache::ASP, this is implemented in a couple ways, the most crucial of which is implemented in the file include. Formatted as ,the .inc being merely a convention, text from the included file will be inserted directly into the script being executed and the script will be compiled as a whole. Whenever the script or any of its includes change, the script will be recompiled. Includes go a great length to promote good decomposition and code sharing in ASP scripts, but they are still fairly static. As of version .09, includes may have dynamic runtime execution, as subroutines compiled into the global.asa namespace. The first way to invoke includes dynamically is If @args is specified, Apache::ASP knows to execute the include at runtime instead of inlining it directly into the compiled code of the script. It does this by compiling the script at runtime as a subroutine, and caching it for future invocations. Then the compiled subroutine is executed and has @args passed into its as arguments. This is still might be too static for some, as @args is still hardcoded into the ASP script, so finally, one may execute an include at runtime by utilizing this API extension $Response->Include("filename.inc", @args); which is a direct translation of the dynamic include above. Although inline includes should be a little faster, runtime dynamic includes represent great potential savings in httpd memory, as includes are shared between scripts keeping the size of each script to a minimum. This can often be significant saving if much of the formatting occurs in an included header of a www page. By default, all includes will be inlined unless called with an args parameter. However, if you want all your includes to be compiled as subs and dynamically executed at runtime, turn the DynamicIncludes config option on as documented above. That is not all! SSI is full featured. One of the things missing above is the tag. This and many other SSI code extensions are available by filtering Apache::ASP output through Apache::SSI via the Apache::Filter and the Filter config options. For more information on how to wire Apache::ASP and Apache::SSI together, please see the Filter config option documented above. Also please see Apache::SSI for further information on the capabilities it offers. =head1 EXAMPLES Use with Apache. Copy the ./site/eg directory from the ASP installation to your Apache document tree and try it out! You have to put "AllowOverride All" in your config section to let the .htaccess file in the ./site/eg installation directory do its work. IMPORTANT (FAQ): Make sure that the web server has write access to that directory. Usually a chmod -R 0777 eg will do the trick :) =head1 SESSIONS Cookies are used by default for user $Session support ( see OBJECTS ). In order to track a web user and associate server side data with that client, the web server sets, and the web client returns a 32 byte session id identifier cookie. This implementation is very secure and may be used in secure HTTPS transactions, and made stronger with SecureSession and ParanoidSession settings (see CONFIG ). However good cookies are for this kind of persistent state management between HTTP requests, they have long been under fire for security risks associated with JavaScript security exploits and privacy abuse by large data tracking companies. Because of these reasons, web users will sometimes turn off their cookies, rendering normal ASP session implementations powerless, resulting in a new $Session generated every request. This is not good for ASP style sessions. =head2 Cookieless Sessions *** See WARNING Below *** So we now have more ways to track sessions with the SessionQuery* CONFIG settings, that allow a web developer to embed the session id in URL query strings when use of cookies is denied. The implementations work such that if a user has cookies turned on, then cookies will be used, but for those users with cookies turned off, the session ids will be parsed into document URLs. The first and easiest method that a web developer may use to implement cookieless sessions are with SessionQueryParse* directives which enable Apache::ASP to the parse the session id into document URLs on the fly. Because this is resource inefficient, there is also the SessionQuery* directives that may be used with the $Server->URL($url,\%params) method to generate custom URLs with the session id in its query string. To see an example of these cookieless sessions in action, check out the ./site/eg/cookieless_session.asp example. *** WARNING *** If you do use these methods, then be VERY CAREFUL of linking offsite from a page that was accessed with a session id in a query string. This is because this session id will show up in the HTTP_REFERER logs of the linked to site, and a malicious hacker could use this information to compromise the security of your site's $Sessions, even if these are run under a secure web server. In order to shake a session id off an HTTP_REFERER for a link taking a user offsite, you must point that link to a redirect page that will redirect a user, like so: <% # "cross site scripting bug" prevention my $sanitized_url = $Server->HTMLEncode($Response->QueryString('OffSiteUrl')); %> Redirecting you offsite to >here... Because the web browser visits a real page before being redirected with the tag, the HTTP_REFERER will be set to this page. Just be sure to not link to this page with a session id in its query string. Unfortunately a simple $Response->Redirect() will not work here, because the web browser will keep the HTTP_REFERER of the original web page if only a normal redirect is used. =head1 XML/XSLT =head2 Custom Tags with XMLSubsMatch Before XML, there was the need to make HTML markup smarter. Apache::ASP gives you the ability to have a perl subroutine handle the execution of any predefined tag, taking the tag descriptors, and the text contained between, as arguments of the subroutine. This custom tag technology can be used to extend a web developer's abilities to add dynamic pieces without having to visibly use <% %> style code entries. So, lets say that you have a table that you want to insert for an employee with contact info and the like, you could set up a tag like: Jane Doe has been here since 1998. To render it with a custom tag, you would tell the Apache::ASP parser to render the tag with a subroutine: PerlSetVar XMLSubsMatch my:employee Any colons, ':', in the XML custom tag will turn into '::', a perl package separator, so the my:employee tag would translate to the my::employee subroutine, or the employee subroutine in the my package. Then you would create the my::employee subroutine in the my perl package or whereever like so sub my::employee { my($attributes, $body) = @_; $Response->Include('employee.inc', $attributes, $body); } <% my($attributes, $body) = @_; %> <% for('name', 'last', 'phone') { %> <% } %>
<%=ucfirst $_ %>: <%= $attributes->{$_} %>
<%= $body %>
The $Response->Include() would then delegate the rendering of the employee to the employee.inc ASP script include. Though XML purists would not like this custom tag technology to be related to XML, the reality is that a careful site engineer could render full XML documents with this technology, applying all the correct styles that one might otherwise do with XSLT. Custom tags defined in this way can be used as XML tags are defined with both a body and without as it ... and just These tags are very powerful in that they can also enclose normal ASP logic, like: <% my $birthday = &HTTP::Date::time2str(time - 25 * 86400 * 365); %> This employee has been online for <%= int(rand()*600)+1 %> seconds, and was born near <%= $birthday %>. For an example of this custom XML tagging in action, please check out the ./site/eg/xml_subs.asp script. Note the one limitation that currently exists is that tags of the same name may not be used in each other, but otherwise customs tags may be used in other custom tags. =head2 XSLT Tranformations XML is good stuff, but what can you use it for? The principle is that by having data and style separated in XML and XSL files, you can reformat your data more easily in the future, and you can render your data in multiple formats, just as easily as for your web site, so you might render your site to a PDA, or a cell phone just as easily as to a browser, and all you have to do is set up the right XSL stylesheets to do the transformation (XSLT). In the first release of XML/XSLT support, ASP scripts may be the source of XML data that the XSL file transforms, and the XSL file itself will be first executed as an ASP script also. The XSLT transformation is handled by XML::XSLT, a perl module, and you can see an example of it in action at the ./site/eg/xslt.xml XML script. Because both the XML and XSL datasources are executed first To specify a XSL stylesheet, use the setting: PerlSetVar XSLT template.xsl where template.xsl could be any file. By default this will XSLT transform all ASP scripts so configured, but you can separate xml scripts from the rest with the setting: PerlSetVar XSLTMatch xml$ where all files with the ending xml would undergo a XSLT transformation. XSLT tranformations are slow however, so to cache XSLT transformations from XML scripts with consistent output, turn on caching: PerlSetVar XSLTCacheSize 100 which would allow for the output of 100 transformations to be cached. If the XML data is consistently different as it might be if it were database driven, then the caching will have little effect, but for mostly static pages like real XML docs, this will be a huge win. Note that XSLT depends on the installation of XML::XSLT, which in turn depends on XML::DOM, and XML::Parser. The caching feature depends on Tie::Cache being installed. =head2 Reference OSS Implementations For their huge ground breaking XML efforts, these other XML OSS projects need mention: Cocoon - XML-based web publishing, in Java http://xml.apache.org/cocoon/ AxKit - XML web publishing with Apache & mod_perl http://www.axkit.org/ XML::XSLT - Core engine that Apache::ASP uses for XSLT http://xmlxslt.sourceforge.net/ =head1 CGI CGI has been the standard way of deploying web applications long before ASP came along. CGI.pm is a very useful module that aids developers in the building of these applications, and Apache::ASP has been made to be compatible with function calls in CGI.pm. Please see cgi.htm in the ./site/eg directory for a sample ASP script written almost entirely in CGI. As of version 0.09, use of CGI.pm for both input and output is seamless when working under Apache::ASP. Thus if you would like to port existing cgi scripts over to Apache::ASP, all you need to do is wrap <% %> around the script to get going. This functionality has been implemented so that developers may have the best of both worlds when building their web applications. Following are some special notes with respect to compatibility with CGI. Use of CGI.pm in any of these ways was made possible through a great amount of work, and is not guaranteed to be portable with other perl ASP implementations, as other ASP implementations will likely be more limited. =over =item Query Object Initialization You may create a CGI.pm $query object like so: use CGI; my $query = new CGI; As of Apache::ASP version 0.09, form input may be read in by CGI.pm upon initialization. Before, Apache::ASP would consume the form input when reading into $Request->Form(), but now form input is cached, and may be used by CGI.pm input routines. =item CGI headers Not only can you use the CGI.pm $query->header() method to put out headers, but with the CgiHeaders config option set to true, you can also print "Header: value\n", and add similar lines to the top of your script, like: Some-Header: Value Some-Other: OtherValue Script body starts here. Once there are no longer any cgi style headers, or the there is a newline, the body of the script begins. So if you just had an asp script like: print join(":", %{$Request->QueryString}); You would likely end up with no output, as that line is interpreted as a header because of the semicolon. When doing basic debugging, as long as you start the page with you will avoid this problem. =item print()ing CGI CGI is notorious for its print() statements, and the functions in CGI.pm usually return strings to print(). You can do this under Apache::ASP, since print just aliases to $Response->Write(). Note that $| has no affect. print $query->header(); print $query->start_form(); =item File Upload CGI.pm is used for implementing reading the input from file upload. You may create the file upload form however you wish, and then the data may be recovered from the file upload by using $Request->Form(). Data from a file upload gets written to a file handle, that may in turn be read from. The original file name that was uploaded is the name of the file handle. my $filehandle = $Request->Form('file_upload_field_name'); print $filehandle; # will get you the file name my $data; while(read($filehandle, $data, 1024)) { # data from the uploaded file read into $data }; Please see the docs on CGI.pm (try perldoc CGI) for more information on this topic, and ./site/eg/file_upload.asp for an example of its use. There is a $Request->FileUpload() API extension that you can use to get more data about a file upload, so that the following properties are available for querying: my $file_upload = $Request->{FileUpload}{upload_field}; $file_upload->{BrowserFile} $file_upload->{FileHandle} $file_upload->{ContentType} # only if FileUploadTemp is set $file_upload->{TempFile} # whatever mime headers are sent with the file upload # just "keys %$file_upload" to find out $file_upload->{?Mime-Header?} Please see the $Request section in OBJECTS for more information. =back =head1 PERLSCRIPT Much work has been done to bring compatibility with ASP applications written in PerlScript under IIS. Most of that work revolved around bringing a Win32::OLE Collection interface to many of the objects in Apache::ASP, which are natively written as perl hashes. The following objects in Apache::ASP respond as Collections: $Application $Session $Request->FileUpload * $Request->FileUpload('upload_file') * $Request->Form $Request->QueryString $Request->Cookies $Response->Cookies $Response->Cookies('some_cookie') * FileUpload API Extensions And as such may be used with the following syntax, as compared with the Apache::ASP native calls. Please note the native Apache::ASP interface is compatible with the deprecated PerlScript interface. C = PerlScript Compatibility N = Native Apache::ASP ## Collection->Contents($name) [C] $Application->Contents('XYZ') [N] $Application->{XYZ} ## Collection->SetProperty($property, $name, $value) [C] $Application->Contents->SetProperty('Item', 'XYZ', "Fred"); [N] $Application->{XYZ} = "Fred" ## Collection->GetProperty($property, $name) [C] $Application->Contents->GetProperty('Item', 'XYZ') [N] $Application->{XYZ} ## Collection->Item($name) [C] print $Request->QueryString->Item('message'), "
\n\n"; [N] print $Request->{QueryString}{'message'}, "
\n\n"; ## Working with Cookies [C] $Response->SetProperty('Cookies', 'Testing', 'Extra'); [C] $Response->SetProperty('Cookies', 'Testing', {'Path' => '/'}); [C] print $Request->Cookies(Testing) . "
\n"; [N] $Response->{Cookies}{Testing} = {Value => Extra, Path => '/'}; [N] print $Request->{Cookies}{Testing} . "
\n"; Several incompatibilities exist between PerlScript and Apache::ASP: > Collection->{Count} property has not been implemented. > VBScript dates may not be used for Expires property of cookies. > Win32::OLE::in may not be used. Use keys() to iterate over. > The ->{Item} property does not work, use the ->Item() method. =head1 FAQ The following are some frequently asked questions about Apache::ASP. =head2 Installation =item Apache errors on the PerlHandler directive ? You do not have mod_perl correctly installed for Apache. The PerlHandler directive in Apache *.conf files is an extension enabled by mod_perl and will not work if mod_perl is not correctly installed. Common user errors are not doing a 'make install' for mod_perl, which installs the perl side of mod_perl, and not starting the right httpd after building it. The latter often occurs when you have an old apache server without mod_perl, and you have built a new one without copying over to its proper location. To get mod_perl, go to http://perl.apache.org =item Error: no request object (Apache=SCALAR(0x???????):) Your Apache + mod_perl build is not working properly, and is likely a RedHat Linux RPM DSO build. Make sure you statically build your Apache + mod_perl httpd, recompiled fresh from the sources. =item I am getting a tie or MLDBM / state error message, what do I do? Make sure the web server or you have write access to the eg directory, or to the directory specified as Global in the config you are using. Default for Global is the directory the script is in (e.g. '.'), but should be set to some directory not under the www server document root, for security reasons, on a production site. Usually a chmod -R -0777 eg will take care of the write access issue for initial testing purposes. Failing write access being the problem, try upgrading your version of Data::Dumper and MLDBM, which are the modules used to write the state files. =head2 Sessions =item How can I use $Session to store complex data structures. Very carefully. Please read the $Session documentation in the OBJECTS section. You can store very complex objects in $Session, but you have to understand the limits, and the syntax that must be used to make this happen. In particular, stay away from statements that that have more than one level of indirection on the left side of an assignment like: $Session->{complex}{object} = $data; =item How can I keep search engine spiders from killing the session manager? If you want to dissallow session creation for certain non web browser user agents, like search engine spiders, you can use an init handler like: PerlInitHandler "sub { $_[0]->dir_config('NoState', 1) }" This will configure your environment before Apache::ASP executes and sees the configuration settings. You can use the mod_perl API in this way to configure Apache::ASP at runtime. =item Insecure dependency in eval while running with - T switch ? If you are running your mod_perl with "PerlTaintCheck On", which is recommended if you are highly concerned about security issues, you may get errors like "Insecure dependency ... with - T switch". Apache::ASP automatically untaints data internally so that you may run scripts with PerlTaintCheck On, but if you are using state objects like $Session or $Application, you must also notify MLDBM, which Apache::ASP uses internally, to also untaint data read from disk, with this setting: $MLDBM::RemoveTaint = 1; You could put the above line in your global.asa, which is just like a perl module, outside any event handlers you define there. =item How can I use $Session to store a $dbh database handle ? You cannot use $Session to store a $dbh handle. This can be awkward for those coming from the IIS/NT world, where you could store just about anything in $Session, but this boils down to a difference between threads vs. processes. Database handles often have per process file handles open, which cannot be shared between requests, so though you have stored the $dbh data in $Session, all the other initializations are not relevant in another httpd process. All is not lost! Apache::DBI can be used to cache database connections on a per process basis, and will work for most cases. =head2 Development =item How is database connectivity handled? Database connectivity is handled through perl's DBI & DBD interfaces. Please see http://www.symbolstone.org/technology/perl/DBI/ for more information. In the UNIX world, it seems most databases have cross platform support in perl. DBD::ODBC is often your ticket on Win32. On UNIX, commercial vendors like OpenLink Software (http://www.openlinksw.com/) provide the nuts and bolts for ODBC. Database connections can be cached per process with Apache::DBI. =item What is the best way to debug an ASP application ? There are lots of perl-ish tricks to make your life developing and debugging an ASP application easier. For starters, you will find some helpful hints by reading the $Response->Debug() API extension, and the Debug configuration directive. =item How are file uploads handled? Please see the CGI section. File uploads are implemented through CGI.pm which is loaded at runtime only for this purpose. This is the only time that CGI.pm will be loaded by Apache::ASP, which implements all other cgi-ish functionality natively. The rationale for not implementing file uploads natively is that the extra 100K in memory for CGI.pm shouldn't be a big deal if you are working with bulky file uploads. =item How do I access the ASP Objects in general? All the ASP objects can be referenced through the main package with the following notation: $main::Response->Write("html output"); This notation can be used from anywhere in perl, including routines registered with $Server->RegisterCleanup(). You use the normal notation in your scripts, includes, and global.asa: $Response->Write("html output"); =item Can I print() in ASP? Yes. You can print() from anywhere in an ASP script as it aliases to the $Response->Write() method. Using print() is portable with PerlScript when using Win32::ASP in that environment. =item Do I have access to ActiveX objects? Only under Win32 will developers have access to ActiveX objects through the perl Win32::OLE interface. This will remain true until there are free COM ports to the UNIX world. At this time, there is no ActiveX for the UNIX world. =item Can I script in VBScript or JScript ? Yes, but not with this perl module. For ASP with other scripting languages besides perl, you will need to go with a commercial vendor in the UNIX world. ChiliSoft at http://www.chilisoft.com/ has one such solution. Of course on NT, you get this for free with IIS. =head2 Support and Production =item How do I get things I want done?! If you find a problem with the module, or would like a feature added, please mail support, as listed in the SUPPORT section, and your needs will be promptly and seriously considered, then implemented. =item What is the state of Apache::ASP? Can I publish a web site on it? Apache::ASP has been production ready since v.02. Work being done on the module is on a per need basis, with the goal being to eventually have the ASP API completed, with full portability to ActiveState PerlScript and MKS PScript. If you can suggest any changes to facilitate these goals, your comments are welcome. =head1 TUNING A little tuning can go a long way, and can make the difference between a web site that gets by, and a site that screams with speed. With Apache::ASP, you can easily take a poorly tuned site running at 5 hits/second to 25+ hits/second just with the right configuration. Documented below are some simple things you can do to make the most of your site. For more tips & tricks on tuning Apache and mod_perl, please see the tuning documents at: Stas Bekman's mod_perl guide http://perl.apache.org/guide/ Vivek Khera's mod_perl performance tuning http://perl.apache.org/tuning/ =head2 $Application & $Session State Use NoState 1 setting if you don't need the $Application or $Session objects. State objects such as these tie to files on disk and will incur a performance penalty. If you need the state objects $Application and $Session, and if running an OS that caches files in memory, set your "StateDir" directory to a cached file system. On WinNT, all files may be cached, and you have no control of this. On Solaris, /tmp is cached and would be a good place to set the "StateDir" config setting to. When cached file systems are used there is little performance penalty for using state files. =head2 High MaxRequests Set your max requests per child thread or process (in httpd.conf) high, so that ASP scripts have a better chance being cached, which happens after they are first compiled. You will also avoid the process fork penalty on UNIX systems. Somewhere between 100 - 1000 is probably pretty good. =head2 Precompile Scripts Precompile your scripts by using the Apache::ASP->Loader() routine documented below. This will at least save the first user hitting a script from suffering compile time lag. On UNIX, precompiling scripts upon server startup allows this code to be shared with forked child www servers, so you reduce overall memory usage, and use less CPU compiling scripts for each separate www server process. These savings could be significant. On my PII300, it takes a couple seconds to compile 28 scripts upon server startup, with an average of 50K RAM per compiled script, and this savings is passed on to the child httpd servers. Apache::ASP->Loader() can be called to precompile scripts and even entire ASP applications at server startup. Note also that in modperl, you can precompile modules with the PerlModule config directive, which is highly recommended. Apache::ASP->Loader($path, $pattern, %config) This routine takes a file or directory as its first argument. If a file, that file will be compiled. If a directory, that directory will be recursed, and all files in it whose file name matches $pattern will be compiled. $pattern defaults to .*, which says that all scripts in a directory will be compiled by default. The %config args, are the config options that you want set that affect compilation. These options include Debug, Global, GlobalPackage, DynamicIncludes, StatINC, and StatINCMatch. If your scripts are later run with different config options, your scripts may have to be recompiled. Here is an example of use in a *.conf file: Apache::ASP->Loader( 'c:/proj/site', "(asp|htm)\$", Global => '/proj/perllib', Debug => 1, # see output when starting apache # OPTIONAL configs if you use them in your apache configuration # these settings affect how the scripts are compiled and loaded GlobalPackage => SomePackageName, DynamicIncludes => 1, StatINC => 1, ); This config section tells the server to compile all scripts in c:/proj/site that end in asp or htm, and print debugging output so you can see it work. It also sets the Global directory to be /proj/perllib, which needs to be the same as your real config since scripts are cached uniquely by their Global directory. You will probably want to use this on a production server, unless you cannot afford the extra startup time. To see precompiling in action, set Debug to 1 for the Loader() and for your application in general and watch your error_log for messages indicating scripts being cached. =head2 No .htaccess or StatINC Don't use .htaccess files or the StatINC setting in a production system as there are many more files touched per request using these features. I've seen performance slow down by half because of using these. For eliminating the .htaccess file, move settings into *.conf Apache files. Instead of StatINC, try using the StatINCMatch config, which will check a small subset of perl libraries for changes. This config is fine for a production environment, and if used well might only incur a 10-20% performance penalty. =head2 Turn off Debugging Turn debugging off by setting Debug to 0. Having the debug config option on slows things down immensely. =head2 RAM Sparing If you have a lot of scripts, and limited memory, set NoCache to 1, so that compiled scripts are not cached in memory. You lose about 10-15% in speed for small scripts, but save at least 10K per cached script. These numbers are very rough. If you use includes, you can instead try setting DynamicIncludes to 1, which will share compiled code for includes between scripts. =head1 SEE ALSO perl(1), mod_perl(3), Apache(3), MLDBM(3), HTTP::Date(3), CGI(3), Win32::OLE(3) =head1 KEYWORDS Apache, ASP, perl, apache, mod_perl, asp, Active Server Pages, perl, asp, web application, ASP, session management, Active Server, scripting, dynamic html, asp, perlscript, Unix, Linux, Solaris, Win32, WinNT, cgi compatible, asp, response, ASP, request, session, application, server, Active Server Pages =head1 NOTES Many thanks to those who helped me make this module a reality. ASP + Apache, web development could not be better! Kudos go out to: :) Doug MacEachern, for moral support and of course mod_perl :) Ryan Whelan, for boldly testing on Unix in the early infancy of ASP :) Lupe Christoph, for his immaculate and stubborn testing skills :) Bryan Murphy, for being a PerlScript wiz :) Francesco Pasqualini, for bringing ASP to CGI :) Michael Rothwell, for his love of Session hacking :) Lincoln Stein, for his blessed CGI.pm module :) Alan Sparks, for knowing when size is more important than speed :) Jeff Groves, who put a STOP to user stop button woes :) Matt Sergeant, for his great tutorial on PerlScript and love of ASP :) Ken Williams, for great teamwork bringing full SSI to the table :) Darren Gibbons, the biggest cookie-monster I have ever known. :) Doug Silver, for finding most of the bugs. :) Marc Spencer, who brainstormed dynamic includes. :) Greg Stark, for endless enthusiasm, pushing the module to its limits. :) Richard Rossi, for his need for speed & boldly testing dynamic includes. :) Bill McKinnon, who understands the finer points of running a web site. :) Russell Weiss, for being every so "strict" about his code. :) Paul Linder, who is Mr. Clean... not just the code, its faster too ! Boy was that just the beginning. Work with him later facilitated better session management and XMLSubsMatch custom tag technology. :) Tony Merc Mobily, inspiring tweaks to compile scripts 10 times faster :) Russell Weiss again, for finding the internal session garbage collection behaving badly with DB_File sensitive i/o flushing requirements. :) Dmitry Beransky, for sharable web application includes, ASP on the big. :) Adi, who thought to have full admin control over sessions :) Matt Arnold, for the excellent graphics ! :) Remi Fasol + Serge Sozonoff who inspired cookieless sessions. :) Matt Sergeant, again, for ever the excellent XML critique. :) Stas Bekman, for his beloved guide, and keeping us all worldly. :) Gerald Richter, for his Embperl, collaboration and competition! :) Geert Josten, for his wonderful work on XML::XSLT :) Craig Samuel, at LRN, for his faith in open source for his LCEC. :) Vee McMillen, for his tried and true patience. =head1 SUPPORT =head2 MAILING LIST ARCHIVE The mod_perl mailing list archives are located at: http://forum.swarthmore.edu/epigone/modperl http://www.geocrawler.com/lists/3/web/182/0/ http://www.egroups.com/group/modperl/ and allow searching for previously asked Apache::ASP and mod_perl questions. Often times what may seem to be an Apache::ASP issue is really a mod_perl issue. =head2 EMAIL Please send any questions or comments to the Apache mod_perl mailing list at modperl@apache.org with at least Apache::ASP in the subject line. Note that answers to these questions will be archived at the above mailing archives, and you may be able to find your answer there. =head2 COMMERCIAL We are considering a commercial support offering for Apache::ASP, with varying levels of service, ranging from 24x7 incident support packages, high priority module development, web application tuning and basic guaranteed email support. If you are interested in any of the above commercial support offerings, please email asp@chamas.com and we will pursue an official support channel if there is enough interest. =head1 SITES USING What follows is a list of public sites that are using Apache::ASP. If you use the software for your site, and would like to show your support of the software by being listed, please send your URL to me at joshua@chamas.com and I'll be sure to add it to the list. Anime Wallpapers dot com http://www.animewallpapers.com/ Chamas Enterprises Inc. http://www.chamas.com Direct.it http://www.direct.it/ HCST http://www.hcst.net International Telecommunication Union http://www.itu.int Integra http://www.integra.ru/ Internetowa Gielda Samochodowa http://www.gielda.szczecin.pl Money FM http://www.moneyfm.gr Motorsport.com http://www.motorsport.com Multiple Listing Service of Greater Cincinnati http://www.cincymls.com NodeWorks - web link monitoring http://nodeworks.com OnTheWeb Services http://www.ontheweb.nu Provillage http://www.provillage.com Prices for Antiques http://www.p4a.com redhat.com | support http://www.redhat.com/apps/support/ Samara.RU http://portal.samara.ru/ Sex Shop Online http://www.sex.shop.pl Spotlight http://www.spotlight.com.au USCD Electrical & Computer Engineering http://ece-local.ucsd.edu =head1 RESOURCES Here are some important resources listed related to the use of Apache::ASP for publishing web applications: mod_perl Apache web module http://perl.apache.org mod_perl Guide http://perl.apache.org/guide/ mod_perl book http://www.modperl.com Perl Programming Language http://www.perl.com Apache Web Server http://www.apache.org PerlMonth Online Magazine http://www.perlmonth.com Apache & mod_perl Reference Cards http://www.refcards.com/ Perl DBI Database Access http://www.symbolstone.org/technology/perl/DBI/ =head1 TODO There is no specific time frame in which these things will be implemented. Please let me know if any of these is of particular interest to you, and I will give it higher priority. =head2 WILL BE DONE + Database storage of $Session & $Application, so web clusters may scale better than the current NFS StateDir implementation allows, maybe via Apache::Session. + Dumping state of Apache::ASP during an error, and being able to go through it with the perl debugger. + Investigating possibility of hooking $Session timeout into client/server 401 authentication failure. Seems like IE caches passwords which makes things tough + $Request->ClientCertificate() + asp.pl, CGI method of doing asp =head2 MAY BE DONE + VBScript, ECMAScript interpreters + allow use of Apache::Session for session management + Close integration with HTML::Embperl + BerkeleyDB2 integration for state management, maybe getting shared memory to work. + MailErrorsPower, sends duplicate errors every 1,10,100... occurences + MailErrorsPowerPeriod, resets the duplicate errors counter. =head1 CHANGES + = improvement; - = bug fix =item $VERSION = 1.95; $DATE="07/10/00"; !!!!! EXAMPLES SECURITY BUG FOUND & FIXED !!!!! --FIXED: distribution example ./site/eg/source.asp now parses out special characters of the open() call when reading local files. This bug would allow a malicious user possible writing of files in the same directory as the source.asp script. This writing exploit would only have effect if the web server user has write permission on those files. Similar bug announced by openhack.org for minivend software in story at: http://www.zdnet.com/eweek/stories/general/0,11011,2600258,00.html !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -$0 now set to transfered file, when using $Server->Transfer -Fix for XMLSubMatch parsing on cases with 2 or more args passed to tag sub that was standalone like =item $VERSION = 1.93; $DATE="07/03/00"; -sub second timing with Time::HiRes was adding comments by HTML by default, which would possibly break specific programs looking for precise HTML output. Now this behavior must be explicitly turned on with the TimeHiRes config setting. These comments will only appear in HTML only if Debug is enabled as well. Timed log entries will only occur if system debugging is enabled, with Debug -1 or -2 =item $VERSION = 1.91; $DATE="07/02/00"; +Documented XMLSubsMatch & XSLT* configuration settings in CONFIG section. +XSLT XSL template is now first executed as an ASP script just like the XML scripts. This is just one step away now from implementing XSP logic. +$Server->Execute and $Server->Transfer API extensions implemented. Execute is the same as $Request->Include() and $Server->Transfer is like an apache internal redirect but keeps the current ASP objects for the next script. Added examples, transfer.htm, and modified dynamic_includes.htm. +Better compile time error debugging with Debug 2 or -2. Will hilite/link the buggy line for global.asa errors, include errors, and XML/XSLT errors just like with ASP scripts before. +Nice source hiliting when viewing source for the example scripts. +Runtime string writing optimization for static HTML going through $Response. +New version numbering just like everyone else. Starting at 1.91 since I seem to be off by a factor of 10, last release would have been 1.9. =item $VERSION = 0.19; $DATE="NOT RELEASED"; +XMLSubsMatch and XSLT* settings documented in the XML/XSLT section of the site/README. -XMLSubsMatch will strip parens in a pattern match so it does not interfere with internal matching use. +XSLT integration allowing XML to be rendered by XSLT on the fly. XSLT specifies XSL file to transform XML. XSLTMatch is a regexp that matches XML file names, like \.xml$, which will be transformed by XSLT setting, default .* XSLTCacheSize when specified uses Tie::Cache to cached XML DOMs internally and cache XSLT transformations output per XML/XSL combination. XML DOM objects can take a lot of RAM, so use this setting judiciously like setting to 100. Definitely experiment with this value. +More client info in the error mail feature, including client IP, form data, query string, and HTTP_* client headers +With Time::HiRes loaded, and Debug set to non 0, will add a to text/html output, similar to Cocoon, per user request Will also add this to the system debug error log output when Debug is < 0 -bug fix on object initialization optimization earlier in this release, that was introduced for faster event handler execution. +Apache::ASP::Parse() takes a file name, scalar, or scalar ref for arguments of data to parse for greater integration ability with other applications. +PodComments optimization, small speed increase at compilation time. +String optimization on internal rendering that avoids unnecessary copying of static html, by using refs. Should make a small difference on sites with large amounts of static html. +CompressGzip setting which, when Compress::Zlib is installed, will compress text/html automatically going out to the web browser if the client supports gzip encoding. ++Script_OnFlush event handler, and auxiliary work optimizing asp events in general. $Response->{BinaryRef} created which is a reference to outgoing output, which can be used to modify the data at runtime before it goes out to the client. +Some code optimizations that boost speed from 22 to 24 hits per second when using Sessions without $Application, on a simple hello world benchmark on a WinNT PII300. ++Better SessionManagement, more aware of server farms that don't have reliable NFS locking. The key here is to have only one process on one server in charge of session garbage collection at any one time, and try to create this situation with a snazzy CleanupMaster routine. This is done by having a process register itself in the internal database with a server key created at apache start time. If this key gets stale, another process can become the master, and this period will not exceed the period SessionTimeout / StateManager. ** Work on session manager sponsored by LRN, http://www.lrn.com. ** ** This work was used to deploy a server farm in production with ** ** NFS mounted StateDir. Thanks to Craig Samuel for his belief in ** ** open source. :) ** Future work for server farm capabilities might include breaking up the internal database into one of 256 internal databases hashed by the first 2 chars of the session id. Also on the plate is Apache::Session like abilities with locking and/or data storage occuring in a SQL database. The first dbs to be done will include MySQL & Oracle. +Better session security which will create a new session id for an incoming session id that does not match one already seen. This will help for those with Search engines that have bookmarked pages with the session ids in the query strings. This breaks away from standard ASP session id implementation which will automatically use the session id presented by the browser, now a new session id will be returned if the presented one is invalid or expired. -$Application->GetSession will only return a session if one already existed. It would create one before by default. +Script_OnFlush global.asa event handler, and $Response->{BinaryRef} member which is a scalar reference to the content about to be flushed. See ./site/eg/global.asa for example usage, used in this case to insert font tags on the fly into the output. +Highlighting and linking of line error when Debug is set to 2 or -2. --removed fork() call from flock() backup routine? How did that get in there? Oh right, testing on Win32. :( Very painful lesson this one, sorry to whom it may concern. +$Application->SessionCount support turned off by default must enable with SessionCount config option. This feature puts an unnecessary load on busy sites, so not default behavior now. ++XMLSubsMatch setting that allows the developer to create custom tags XML style that execute perl subroutines. See ./site/eg/xml_subs.asp +MailFrom config option that defaults the From: field for mails sent via the Mail* configs and $Server->Mail() +$Server->Mail(\%mail, %smtp_args) API extension +MailErrorsTo & MailAlertTo now can take comma separated email addresses for multiple recipients. -tracking of subroutines defined in scripts and includes so StatINC won't undefine them when reloading the GlobalPackage, and so an warning will be logged when another script redefines the same subroutine name, which has been the bane of at least a few developers. -Loader() will now recompile dynamic includes that have changed, even if main including script has not. This is useful if you are using Loader() in a PerlRestartHandler, for reloading scripts when gracefully restarting apache. -Apache::ASP used to always set the status to 200 by default explicitly with $r->status(). This would be a problem if a script was being used to as a 404 ErrorDocument, because it would always return a 200 error code, which is just wrong. $Response->{Status} is now undefined by default and will only be used if set by the developer. Note that by default a script will still return a 200 status, but $Response->{Status} may be used to override this behavior. +$Server->Config($setting) API extension that allows developer to access config settings like Global, StateDir, etc., and is a wrapper around Apache->dir_config($setting) +Loader() will log the number of scripts recompiled and the number of scripts checked, instead of just the number of scripts recompiled, which is misleading as it reports 0 for child httpds after a parent fork that used Loader() upon startup. -Apache::ASP->Loader() would have a bad error if it didn't load any scripts when given a directory, prints "loaded 0 scripts" now =item $VERSION = 0.18; $DATE="02/03/00"; +Documented SessionQuery* & $Server->URL() and cleaned up formatting some, as well as redoing some of the sections ordering for better readability. Document the cookieless session functionality more in a new SESSIONS section. Also documented new FileUpload configs and $Request->FileUpload collection. Documented StatScripts. +StatScripts setting which if set to 0 will not reload includes, global.asa, or scripts when changed. +FileUpload file handles cleanup at garbage collection time so developer does not have to worry about lazy coding and undeffing filehandles used in code. Also set uploaded filehandles to binmode automatically on Win32 platforms, saving the developer yet more typing. +FileUploadTemp setting, default 0, if set will leave a temp file on disk during the request, which may be helpful for processing by other programs, but is also a security risk in that others could potentially read this file while the script is running. The path to the temp file will be available at $Request->{FileUpload}{$form_field}{TempFile}. The regular use of file uploads remains the same with the <$filehandle> to the upload at $Request->{Form}{$form_field}. +FileUploadMax setting, default 0, currently an alias for $CGI::POST_MAX, which determines the max size for a file upload in bytes. +SessionQueryParse only auto parses session-ids into links when a session-id COOKIE is NOT found. This feature is only enabled then when a user has disabled cookies, so the runtime penalty of this feature won't drag down the whole site, since most users will have cookies turned on. -StatINC & StatINCMatch will not undef Fnctl.pm flock functions constants like O_RDWR, because the code references are not well trackable. This would result in sporadic 500 server errors when a changed module was reloaded that imported O_* flock functions from Fnctl. +SessionQueryParse & SessionQueryParseMatch settings that enable auto parsing session ids into URLs for cookieless sessions. Will pick up URLs in , ,

, ,