1 package Catalyst::Request;
3 use IO::Socket qw[AF_INET inet_aton];
16 use namespace::clean -except => 'meta';
18 with 'MooseX::Emulate::Class::Accessor::Fast';
20 has env => (is => 'ro', writer => '_set_env', predicate => '_has_env');
21 # XXX Deprecated crap here - warn?
22 has action => (is => 'rw');
23 # XXX: Deprecated in docs ages ago (2006), deprecated with warning in 5.8000 due
24 # to confusion between Engines and Plugin::Authentication. Remove in 5.8100?
25 has user => (is => 'rw');
# Alias for captures(): forwards the invocant and any arguments unchanged.
sub snippets {
    my $self = shift;
    return $self->captures(@_);
}
28 has _read_position => (
29 # FIXME: work around Moose bug RT#75367
32 writer => '_set_read_position',
36 # FIXME: work around Moose bug RT#75367
41 $self->header('Content-Length') || 0;
46 has address => (is => 'rw');
47 has arguments => (is => 'rw', default => sub { [] });
48 has cookies => (is => 'ro', builder => 'prepare_cookies', lazy => 1);
53 if ( my $header = $self->header('Cookie') ) {
54 return { CGI::Simple::Cookie->parse($header) };
59 has query_keywords => (is => 'rw');
60 has match => (is => 'rw');
61 has method => (is => 'rw');
62 has protocol => (is => 'rw');
63 has query_parameters => (is => 'rw', lazy=>1, default => sub { shift->_use_hash_multivalue ? Hash::MultiValue->new : +{} });
64 has secure => (is => 'rw', default => 0);
65 has captures => (is => 'rw', default => sub { [] });
66 has uri => (is => 'rw', predicate => 'has_uri');
67 has remote_user => (is => 'rw');
70 isa => 'HTTP::Headers',
71 handles => [qw(content_encoding content_length content_type header referer user_agent)],
72 builder => 'prepare_headers',
# Collect request headers from $env into a fresh HTTP::Headers object.
80 my $headers = HTTP::Headers->new();
82 for my $header (keys %{ $env }) {
# Only keys beginning with HTTP, CONTENT or COOKIE (case-insensitive) are considered.
83 next unless $header =~ /^(HTTP|CONTENT|COOKIE)/i;
# Drop a leading "HTTP_" or "HTTPS_" from the key; the remainder becomes $field.
84 (my $field = $header) =~ s/^HTTPS?_//;
# NOTE(review): the value is copied exactly as found in $env. Presumably $env is
# the PSGI environment, in which case these values are request-supplied and
# nothing in the visible lines validates them -- confirm.
86 $headers->header($field => $env->{$header});
99 predicate=>'_has_io_fh',
101 builder=>'_build_io_fh');
# Return the raw I/O handle for this connection: env's 'psgix.io' entry when
# present, otherwise (as far as the visible lines show) the ->stream of the
# object stored under 'net.async.http.server.req'; die when neither yields a
# true value.
105 return $self->env->{'psgix.io'}
107 $self->env->{'net.async.http.server.req'} &&
108 $self->env->{'net.async.http.server.req'}->stream) ## Until I can make the ioasync cabal see the value of supporting psgix.io (jnap)
109 || die "Your Server does not support psgix.io";
112 has data_handlers => ( is=>'ro', isa=>'HashRef', default=>sub { +{} } );
117 builder=>'_build_body_data');
# Builder for body_data: select a data handler by the request's Content-Type
# and call it with the request body.
119 sub _build_body_data {
# content_type is delegated to the request headers, so its value is chosen by
# the client.
121 my $content_type = $self->content_type;
# Every key of data_handlers is interpolated as a case-insensitive, unanchored
# regex and tried against the Content-Type; the first key returned by grep is
# the one used.
# NOTE(review): because the pattern is neither anchored nor escaped, a key
# matches any Content-Type that merely contains it, and regex metacharacters
# in a key are live. keys() has no defined order, so if several keys match,
# which handler runs is not fixed. Comparing the parsed media type for
# equality would remove both ambiguities -- confirm against the handlers that
# are actually configured.
122 my ($match) = grep { $content_type =~/$_/i }
123 keys(%{$self->data_handlers});
126 my $fh = $self->body;
# The chosen handler receives whatever body() returned plus the request
# object; its return value is what this builder returns.
128 return $self->data_handlers->{$match}->($fh, $self);
134 has _use_hash_multivalue => (
139 # Amount of data to read from input on each pass
140 our $CHUNKSIZE = 64 * 1024;
# Read the next piece of the request body, bounded by the declared body length.
143 my ($self, $maxlength) = @_;
# Bytes not yet consumed, measured against _read_length.
# NOTE(review): _read_length looks like it is derived from the Content-Length
# header, i.e. a client-declared value -- confirm against its builder.
144 my $remaining = $self->_read_length - $self->_read_position;
# A false $maxlength (undef or 0) falls back to the package-level $CHUNKSIZE.
145 $maxlength ||= $CHUNKSIZE;
147 # Are we done reading?
148 if ( $remaining <= 0 ) {
# Ask for at most $maxlength bytes and never more than the declared remainder.
152 my $readlen = ( $remaining > $maxlength ) ? $maxlength : $remaining;
153 my $rc = $self->read_chunk( my $buffer, $readlen );
155 if (0 == $rc) { # Nothing more to read even though Content-Length
156 # said there should be.
# Advance the read position by the byte count read_chunk reported.
159 $self->_set_read_position( $self->_read_position + $rc );
# Presumably the failure branch: the exception message carries $!.
163 Catalyst::Exception->throw(
164 message => "Unknown error reading input: $!" );
170 return $self->env->{'psgi.input'}->read(@_);
173 has body_parameters => (
177 builder => 'prepare_body_parameters',
183 default => sub { {} },
189 builder => '_build_parameters',
190 clearer => '_clear_parameters',
194 # - Can we lose the before modifiers which just call prepare_body ?
195 # they are wasteful, slow us down and feel cluttery.
197 # Can we make _body an attribute, have the rest of
198 # these lazy build from there and kill all the direct hash access
199 # in Catalyst.pm and Engine.pm?
201 sub prepare_parameters {
203 $self->_clear_parameters;
204 return $self->parameters;
# Builder for parameters: combine query_parameters and body_parameters into
# one structure.
# NOTE(review): the merged result no longer records which source a value came
# from. Code that must accept a value only from the body (or only from the
# query string) should read body_parameters / query_parameters directly.
207 sub _build_parameters {
210 my $body_parameters = $self->body_parameters;
211 my $query_parameters = $self->query_parameters;
# Hash::MultiValue mode: query pairs first, then body pairs.
213 if($self->_use_hash_multivalue) {
214 return Hash::MultiValue->new($query_parameters->flatten, $body_parameters->flatten);
217 # We copy, no references
218 foreach my $name (keys %$query_parameters) {
219 my $param = $query_parameters->{$name};
# Array values are shallow-copied so the merged hash does not share them with
# query_parameters.
220 $parameters->{$name} = ref $param eq 'ARRAY' ? [ @$param ] : $param;
223 # Merge query and body parameters
224 foreach my $name (keys %$body_parameters) {
225 my $param = $body_parameters->{$name};
226 my @values = ref $param eq 'ARRAY' ? @$param : ($param);
# For a name present in both sources, the query values are placed before the
# body values.
# NOTE(review): this is a truthiness test, so an existing query value of '0'
# or '' is treated as absent and is replaced by the body value rather than
# merged with it -- confirm whether that is intended.
227 if ( my $existing = $parameters->{$name} ) {
228 unshift(@values, (ref $existing eq 'ARRAY' ? @$existing : $existing));
# A single value is stored as a scalar, several values as an array reference.
230 $parameters->{$name} = @values > 1 ? \@values : $values[0];
237 predicate => '_has_uploadtmp',
243 # If previously applied middleware created the HTTP::Body object, then we
246 if(my $plack_body = $self->_has_env ? $self->env->{'plack.request.http.body'} : undef) {
247 $self->_body($plack_body);
248 $self->_body->cleanup(1);
252 # If there is nothing to read, set body to naught and return. This
253 # will cause all body code to be skipped
255 return $self->_body(0) unless my $length = $self->_read_length;
257 # Unless the body has already been set, create it. Not sure about this
258 # code, how else might it be set, but this was existing logic.
260 unless ($self->_body) {
261 my $type = $self->header('Content-Type');
262 $self->_body(HTTP::Body->new( $type, $length ));
263 $self->_body->cleanup(1);
265 # JNAP: I'm not sure this is doing what we expect, but it also doesn't
266 # seem to be hurting (seems ->_has_uploadtmp is true more than I would
269 $self->_body->tmpdir( $self->_uploadtmp )
270 if $self->_has_uploadtmp;
273 # Ok if we get this far, we have to read psgi.input into the new body
274 # object. Lets play nice with any plack app or other downstream, so
275 # we create a buffer unless one exists.
278 if ($self->env->{'psgix.input.buffered'}) {
279 # Be paranoid about previous psgi middleware or apps that read the
280 # input but didn't return the buffer to the start.
281 $self->env->{'psgi.input'}->seek(0, 0);
283 $stream_buffer = Stream::Buffered->new($length);
286 # Check for definedness as you could read '0'
287 while ( defined ( my $chunk = $self->read() ) ) {
288 $self->prepare_body_chunk($chunk);
289 $stream_buffer->print($chunk) if $stream_buffer;
292 # Ok, we read the body. Lets play nice for any PSGI app down the pipe
294 if ($stream_buffer) {
295 $self->env->{'psgix.input.buffered'} = 1;
296 $self->env->{'psgi.input'} = $stream_buffer->rewind;
298 $self->env->{'psgi.input'}->seek(0, 0); # Reset the buffer for downstream middleware or apps
301 # paranoia against wrong Content-Length header
302 my $remaining = $length - $self->_read_position;
303 if ( $remaining > 0 ) {
304 Catalyst::Exception->throw("Wrong Content-Length value: $length" );
308 sub prepare_body_chunk {
309 my ( $self, $chunk ) = @_;
311 $self->_body->add($chunk);
# Return the body (POST) parameters parsed by the body object, optionally
# decoded through the application's configured encoding.
314 sub prepare_body_parameters {
315 my ( $self, $c ) = @_;
# Make sure the body has been read and parsed first.
317 $self->prepare_body if ! $self->_has_body;
# No body object: return an empty container of the configured kind.
319 unless($self->_body) {
320 return $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
323 my $params = $self->_body->param;
325 # If we have an encoding configured (like UTF-8) in general we expect a client
326 # to POST with the encoding we fulfilled the request in. Otherwise don't do any
327 # encoding (good chance wide chars could be in HTML entity style like the old
330 # so, now that HTTP::Body prepared the body params, we gotta 'walk' the structure
331 # and do any needed decoding.
333 # This only does something if the encoding is set via the encoding param. Remember
334 # this is assuming the client is not bad and responds with what you provided. In
335 # general you can just use utf8 and get away with it.
337 # I need to see if $c is here since this also doubles as a builder for the object :(
# Decoding is skipped when no context object was passed or it has no encoding set.
339 if($c and $c->encoding) {
340 $params = $c->_handle_unicode_decoding($params);
343 return $self->_use_hash_multivalue ?
344 Hash::MultiValue->from_mixed($params) :
# Populate the connection-level request attributes from the env hash.
# NOTE(review): every value below is copied from env as-is; none of the
# visible lines consult forwarding headers. Whether REMOTE_ADDR and
# psgi.url_scheme describe the real client or a fronting proxy therefore
# depends on what the server or earlier middleware placed in env -- confirm
# for the deployment before using address or secure in access decisions.
348 sub prepare_connection {
351 my $env = $self->env;
353 $self->address( $env->{REMOTE_ADDR} );
# hostname is only set when the server supplied REMOTE_HOST.
354 $self->hostname( $env->{REMOTE_HOST} )
355 if exists $env->{REMOTE_HOST};
356 $self->protocol( $env->{SERVER_PROTOCOL} );
# REMOTE_USER is taken on trust from env.
357 $self->remote_user( $env->{REMOTE_USER} );
358 $self->method( $env->{REQUEST_METHOD} );
# secure is 1 only when the scheme string is exactly 'https'.
359 $self->secure( $env->{'psgi.url_scheme'} eq 'https' ? 1 : 0 );
362 # XXX - FIXME - method is here now, move this crap...
363 around parameters => sub {
364 my ($orig, $self, $params) = @_;
366 if ( !ref $params ) {
368 "Attempt to retrieve '$params' with req->params(), " .
369 "you probably meant to call req->param('$params')"
373 return $self->$orig($params);
384 return $self->path if $self->has_uri;
389 is => 'rw', clearer => '_clear_body', predicate => '_has_body',
391 # Eugh, ugly. Should just be able to rename accessor methods to 'body'
392 # and provide a custom reader..
395 $self->prepare_body unless $self->_has_body;
396 croak 'body is a reader' if scalar @_;
397 return blessed $self->_body ? $self->_body->body : $self->_body;
# Reverse-resolve the client address; when the lookup yields a false value the
# address itself is used instead.
# NOTE(review): inet_aton/AF_INET cover IPv4 only. The name returned is whatever
# the reverse-DNS record for that address says, which the operator of that
# reverse zone controls, so it should not be used as an authorization input
# without forward confirmation.
406 gethostbyaddr( inet_aton( $self->address ), AF_INET ) || $self->address
410 has _path => ( is => 'rw', predicate => '_has_path', clearer => '_clear_path' );
# Shortcut for arguments(); any arguments are passed through.
sub args {
    my $self = shift;
    return $self->arguments(@_);
}
# Shortcut for body_parameters(); any arguments are passed through.
sub body_params {
    my $self = shift;
    return $self->body_parameters(@_);
}
# Alias for body(); any arguments are passed through.
sub input {
    my $self = shift;
    return $self->body(@_);
}
# Shortcut for parameters(); any arguments are passed through.
sub params {
    my $self = shift;
    return $self->parameters(@_);
}
# Shortcut for query_parameters(); any arguments are passed through.
sub query_params {
    my $self = shift;
    return $self->query_parameters(@_);
}
# Alias for path(); any arguments are passed through.
sub path_info {
    my $self = shift;
    return $self->path(@_);
}
419 =for stopwords param params
423 Catalyst::Request - provides information about the current client request
428 $req->address eq "127.0.0.1";
434 $req->body_parameters;
435 $req->content_encoding;
436 $req->content_length;
444 $req->query_keywords;
452 $req->query_parameters;
464 See also L<Catalyst>, L<Catalyst::Request::Upload>.
468 This is the Catalyst Request class, which provides an interface to data for the
469 current client request. The request object is prepared by L<Catalyst::Engine>,
470 thus hiding the details of the particular engine implementation.
476 Returns the IP address of the client.
478 =head2 $req->arguments
480 Returns a reference to an array containing the arguments.
482 print $c->request->arguments->[0];
484 For example, if your action was
486 package MyApp::Controller::Foo;
492 and the URI for the request was C<http://.../foo/moose/bah>, the string C<bah>
493 would be the first and only argument.
495 Arguments get automatically URI-unescaped for you.
499 Shortcut for L</arguments>.
503 Contains the URI base. This will always have a trailing slash. Note that the
504 URI scheme (e.g., http vs. https) must be determined through heuristics;
505 depending on your server configuration, it may be incorrect. See $req->secure
508 If your application was queried with the URI
509 C<http://localhost:3000/some/path> then C<base> is C<http://localhost:3000/>.
513 Returns the message body of the request, as returned by L<HTTP::Body>: a string,
514 unless Content-Type is C<application/x-www-form-urlencoded>, C<text/xml>, or
515 C<multipart/form-data>, in which case a L<File::Temp> object is returned.
517 =head2 $req->body_data
519 Returns a Perl representation of POST/PUT body data that is not classic HTML
520 form data, such as JSON, XML, etc. By default, Catalyst will parse incoming
521 data of the type 'application/json' and return access to that data via this
522 method. You may define additional data_handlers via a global configuration
523 setting. See L<Catalyst/DATA HANDLERS> for more information.
525 =head2 $req->body_parameters
527 Returns a reference to a hash containing body (POST) parameters. Values can
528 be either a scalar or an arrayref containing scalars.
530 print $c->request->body_parameters->{field};
531 print $c->request->body_parameters->{field}->[0];
533 These are the parameters from the POST part of the request, if any.
535 =head2 $req->body_params
537 Shortcut for body_parameters.
539 =head2 $req->content_encoding
541 Shortcut for $req->headers->content_encoding.
543 =head2 $req->content_length
545 Shortcut for $req->headers->content_length.
547 =head2 $req->content_type
549 Shortcut for $req->headers->content_type.
553 A convenient method to access $req->cookies.
555 $cookie = $c->request->cookie('name');
556 @cookies = $c->request->cookie;
564 return keys %{ $self->cookies };
571 unless ( exists $self->cookies->{$name} ) {
575 return $self->cookies->{$name};
581 Returns a reference to a hash containing the cookies.
583 print $c->request->cookies->{mycookie}->value;
585 The cookies in the hash are indexed by name, and the values are L<CGI::Simple::Cookie>
590 Shortcut for $req->headers->header.
594 Returns an L<HTTP::Headers> object containing the headers for the current request.
596 print $c->request->headers->header('X-Catalyst');
598 =head2 $req->hostname
600 Returns the hostname of the client. Use C<< $req->uri->host >> to get the hostname of the server.
604 Alias for $req->body.
606 =head2 $req->query_keywords
608 Contains the keywords portion of a query string, when no '=' signs are
611 http://localhost/path?some+keywords
613 $c->request->query_keywords will contain 'some keywords'
617 This contains the matching part of a Regex action. Otherwise
618 it returns the same as 'action', except for default actions,
619 which return an empty string.
623 Contains the request method (C<GET>, C<POST>, C<HEAD>, etc).
627 Returns GET and POST parameters with a CGI.pm-compatible param method. This
628 is an alternative method for accessing parameters in $c->req->parameters.
630 $value = $c->request->param( 'foo' );
631 @values = $c->request->param( 'foo' );
632 @params = $c->request->param;
634 Like L<CGI>, and B<unlike> earlier versions of Catalyst, passing multiple
635 arguments to this method, like this:
637 $c->request->param( 'foo', 'bar', 'gorch', 'quxx' );
639 will set the parameter C<foo> to the multiple values C<bar>, C<gorch> and
640 C<quxx>. Previously this would have added C<bar> as another value to C<foo>
641 (creating it if it didn't exist before), and C<quxx> as another value for
644 B<NOTE> this is considered a legacy interface and care should be taken when
645 using it. C<< scalar $c->req->param( 'foo' ) >> will return only the first
646 C<foo> param even if multiple are present; C<< $c->req->param( 'foo' ) >> will
647 return a list of as many as are present, which can have unexpected consequences
648 when writing code of the form:
652 baz => $c->req->param( 'baz' ),
655 If multiple C<baz> parameters are provided this code might corrupt data or
656 cause a hash initialization error. For a more straightforward interface see
657 C<< $c->req->parameters >>.
659 B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
660 are now known to cause demonstrated exploits. It is highly recommended that you
661 avoid using this method, and migrate existing code away from it. Here's the
662 whitepaper of the exploit:
664 L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
666 Basically this is an exploit that takes advantage of how C<param> will do one thing
667 in scalar context and another thing in list context. This is combined with how Perl
668 chooses to deal with duplicate keys in a hash definition by overwriting the value of
669 existing keys with a new value if the same key shows up again. Generally you will be
670 vulnerable to this exploit if you are using this method in a direct assignment in a
671 hash, such as with a L<DBIx::Class> create statement. For example, if you have
674 user?user=123&foo=a&foo=user&foo=456
676 You could end up with extra parameters injected into your method calls:
678 $c->model('User')->create({
679 user => $c->req->param('user'),
680 foo => $c->req->param('foo'),
683 Which would look like:
685 $c->model('User')->create({
687 foo => qw(a user 456),
690 (or to be absolutely clear if you are not seeing it):
692 $c->model('User')->create({
697 Possible remediations include scrubbing your parameters with a form validator like
698 L<HTML::FormHandler> or being careful to force scalar context using the scalar
701 $c->model('User')->create({
702 user => scalar($c->req->param('user')),
703 foo => scalar($c->req->param('foo')),
706 Upcoming versions of L<Catalyst> will disable this interface by default and require
707 you to positively enable it should you require it for backwards compatibility reasons.
715 return keys %{ $self->parameters };
718 # If anything in @_ is undef, carp about that, and remove it from
721 my @params = grep { defined($_) ? 1 : do {carp "You called ->params with an undefined value"; 0} } @_;
723 if ( @params == 1 ) {
725 defined(my $param = shift @params) ||
726 carp "You called ->params with an undefined value 2";
728 unless ( exists $self->parameters->{$param} ) {
729 return wantarray ? () : undef;
732 if ( ref $self->parameters->{$param} eq 'ARRAY' ) {
734 ? @{ $self->parameters->{$param} }
735 : $self->parameters->{$param}->[0];
739 ? ( $self->parameters->{$param} )
740 : $self->parameters->{$param};
743 elsif ( @params > 1 ) {
744 my $field = shift @params;
745 $self->parameters->{$field} = [@params];
749 =head2 $req->parameters
751 Returns a reference to a hash containing GET and POST parameters. Values can
752 be either a scalar or an arrayref containing scalars.
754 print $c->request->parameters->{field};
755 print $c->request->parameters->{field}->[0];
757 This is the combination of C<query_parameters> and C<body_parameters>.
761 Shortcut for $req->parameters.
765 Returns the path, i.e. the part of the URI after $req->base, for the current request.
767 http://localhost/path/foo
769 $c->request->path will contain 'path/foo'
771 =head2 $req->path_info
773 Alias for path, added for compatibility with L<CGI>.
778 my ( $self, @params ) = @_;
781 $self->uri->path(@params);
784 elsif ( $self->_has_path ) {
788 my $path = $self->uri->path;
789 my $location = $self->base->path;
790 $path =~ s/^(\Q$location\E)?//;
798 =head2 $req->protocol
800 Returns the protocol (HTTP/1.0 or HTTP/1.1) used for the current request.
802 =head2 $req->query_parameters
804 =head2 $req->query_params
806 Returns a reference to a hash containing query string (GET) parameters. Values can
807 be either a scalar or an arrayref containing scalars.
809 print $c->request->query_parameters->{field};
810 print $c->request->query_parameters->{field}->[0];
812 =head2 $req->read( [$maxlength] )
814 Reads a chunk of data from the request body. This method is intended to be
815 used in a while loop, reading $maxlength bytes on every call. $maxlength
816 defaults to the size of the request if not specified.
818 =head2 $req->read_chunk(\$buff, $max)
822 You have to set MyApp->config(parse_on_demand => 1) to use this directly.
826 Shortcut for $req->headers->referer. Returns the referring page.
830 Returns true or false, indicating whether the connection is secure
831 (https). The reliability of $req->secure may depend on your server
832 configuration; Catalyst relies on PSGI to determine whether or not a
833 request is secure (Catalyst looks at psgi.url_scheme), and different
834 PSGI servers may make this determination in different ways (as by
835 directly passing along information from the server, interpreting any of
836 several HTTP headers, or using heuristics of their own).
838 =head2 $req->captures
840 Returns a reference to an array containing captured args from chained
841 actions or regex captures.
843 my @captures = @{ $c->request->captures };
847 A convenient method to access $req->uploads.
849 $upload = $c->request->upload('field');
850 @uploads = $c->request->upload('field');
851 @fields = $c->request->upload;
853 for my $upload ( $c->request->upload('field') ) {
854 print $upload->filename;
863 return keys %{ $self->uploads };
870 unless ( exists $self->uploads->{$upload} ) {
871 return wantarray ? () : undef;
874 if ( ref $self->uploads->{$upload} eq 'ARRAY' ) {
876 ? @{ $self->uploads->{$upload} }
877 : $self->uploads->{$upload}->[0];
881 ? ( $self->uploads->{$upload} )
882 : $self->uploads->{$upload};
888 while ( my ( $field, $upload ) = splice( @_, 0, 2 ) ) {
890 if ( exists $self->uploads->{$field} ) {
891 for ( $self->uploads->{$field} ) {
892 $_ = [$_] unless ref($_) eq "ARRAY";
893 push( @$_, $upload );
897 $self->uploads->{$field} = $upload;
905 Returns a reference to a hash containing uploads. Values can be either a
906 L<Catalyst::Request::Upload> object, or an arrayref of
907 L<Catalyst::Request::Upload> objects.
909 my $upload = $c->request->uploads->{field};
910 my $upload = $c->request->uploads->{field}->[0];
914 Returns a L<URI> object for the current request. Stringifies to the URI text.
916 =head2 $req->mangle_params( { key => 'value' }, $appendmode);
918 Returns a hashref of parameters stemming from the current request's params,
919 plus the ones supplied. Keys for which no current param exists will be
920 added, keys with undefined values will be removed and keys with existing
921 params will be replaced. Note that you can supply a true value as the final
922 argument to change behavior with regards to existing parameters, appending
923 values rather than replacing them.
927 # URI query params foo=1
928 my $hashref = $req->mangle_params({ foo => 2 });
929 # Result is query params of foo=2
933 # URI query params foo=1
934 my $hashref = $req->mangle_params({ foo => 2 }, 1);
935 # Result is query params of foo=1&foo=2
937 This is the code behind C<uri_with>.
942 my ($self, $args, $append) = @_;
944 carp('No arguments passed to mangle_params()') unless $args;
946 foreach my $value ( values %$args ) {
947 next unless defined $value;
948 for ( ref $value eq 'ARRAY' ? @$value : $value ) {
954 my %params = %{ $self->uri->query_form_hash };
955 foreach my $key (keys %{ $args }) {
956 my $val = $args->{$key};
959 if($append && exists($params{$key})) {
961 # This little bit of heaven handles appending a new value onto
962 # an existing one regardless if the existing value is an array
963 # or not, and regardless if the new value is an array or not
965 ref($params{$key}) eq 'ARRAY' ? @{ $params{$key} } : $params{$key},
966 ref($val) eq 'ARRAY' ? @{ $val } : $val
970 $params{$key} = $val;
974 # If the param wasn't defined then we delete it.
975 delete($params{$key});
983 =head2 $req->uri_with( { key => 'value' } );
985 Returns a rewritten URI object for the current request. Key/value pairs
986 passed in will override existing parameters. You can remove an existing
987 parameter by passing in an undef value. Unmodified pairs will be
990 You may also pass an optional second parameter that puts C<uri_with> into
993 $req->uri_with( { key => 'value' }, { mode => 'append' } );
995 See C<mangle_params> for an explanation of this behavior.
1000 my( $self, $args, $behavior) = @_;
1002 carp( 'No arguments passed to uri_with()' ) unless $args;
1005 if((ref($behavior) eq 'HASH') && defined($behavior->{mode}) && ($behavior->{mode} eq 'append')) {
1009 my $params = $self->mangle_params($args, $append);
1011 my $uri = $self->uri->clone;
1012 $uri->query_form($params);
1017 =head2 $req->remote_user
1019 Returns the value of the C<REMOTE_USER> environment variable.
1021 =head2 $req->user_agent
1023 Shortcut to $req->headers->user_agent. Returns the user agent (browser)
1028 Returns a psgix.io bidirectional socket, if your server supports one. Used for
1029 when you want to jailbreak out of PSGI and handle bidirectional client server
1030 communication manually, such as when you are using cometd or websockets.
1032 =head1 SETUP METHODS
1034 You should never need to call these yourself in application code,
1035 however they are useful if extending Catalyst by applying a request role.
1037 =head2 $self->prepare_headers()
1039 Sets up the C<< $req->headers >> accessor.
1041 =head2 $self->prepare_body()
1043 Sets up the body using L<HTTP::Body>
1045 =head2 $self->prepare_body_chunk()
1047 Add a chunk to the request body.
1049 =head2 $self->prepare_body_parameters()
1051 Sets up parameters from body.
1053 =head2 $self->prepare_cookies()
1055 Parse cookies from header. Sets up a L<CGI::Simple::Cookie> object.
1057 =head2 $self->prepare_connection()
1059 Sets up various fields in the request like the local and remote addresses,
1060 request method, hostname requested etc.
1062 =head2 $self->prepare_parameters()
1064 Ensures that the body has been parsed, then builds the parameters, which are
1065 combined from those in the request and those in the body.
1067 If parameters have already been set will clear the parameters and build them again.
1071 Access to the raw PSGI env.
1079 Catalyst Contributors, see Catalyst.pm
1083 This library is free software. You can redistribute it and/or modify
1084 it under the same terms as Perl itself.
1088 __PACKAGE__->meta->make_immutable;