use URI::https;
use URI::QueryParam;
use HTTP::Headers;
-
+use Stream::Buffered;
+use Hash::MultiValue;
+use Scalar::Util;
+use HTTP::Body;
+use Catalyst::Exception;
+use Catalyst::Request::PartData;
use Moose;
use namespace::clean -except => 'meta';
with 'MooseX::Emulate::Class::Accessor::Fast';
-has env => (is => 'ro', writer => '_set_env');
+has env => (is => 'ro', writer => '_set_env', predicate => '_has_env');
+# XXX Deprecated crap here - warn?
+has action => (is => 'rw');
+# XXX: Deprecated in docs ages ago (2006), deprecated with warning in 5.8000 due
+# to confusion between Engines and Plugin::Authentication. Remove in 5.8100?
+has user => (is => 'rw');
+sub snippets { shift->captures(@_) }
-has _read_position => ( is => 'rw', default => 0 );
-has _read_length => ( is => 'ro',
+has _read_position => (
+ # FIXME: work around Moose bug RT#75367
+ # init_arg => undef,
+ is => 'ro',
+ writer => '_set_read_position',
+ default => 0,
+);
+has _read_length => (
+ # FIXME: work around Moose bug RT#75367
+ # init_arg => undef,
+ is => 'ro',
default => sub {
my $self = shift;
$self->header('Content-Length') || 0;
lazy => 1,
);
-has action => (is => 'rw');
has address => (is => 'rw');
has arguments => (is => 'rw', default => sub { [] });
has cookies => (is => 'ro', builder => 'prepare_cookies', lazy => 1);
-=head2 $self->prepare_cookies($c)
-
-Parse cookies from header. Sets a L<CGI::Simple::Cookie> object.
-
-=cut
-
sub prepare_cookies {
my ( $self ) = @_;
has match => (is => 'rw');
has method => (is => 'rw');
has protocol => (is => 'rw');
-has query_parameters => (is => 'rw', default => sub { {} });
+has query_parameters => (is => 'rw', lazy=>1, default => sub { shift->_use_hash_multivalue ? Hash::MultiValue->new : +{} });
has secure => (is => 'rw', default => 0);
has captures => (is => 'rw', default => sub { [] });
has uri => (is => 'rw', predicate => 'has_uri');
lazy => 1,
);
-=head2 $self->prepare_headers($c)
-
-=cut
-
sub prepare_headers {
my ($self) = @_;
return $headers;
}
-has _context => (
- is => 'rw',
- weak_ref => 1,
- clearer => '_clear_context',
+has _log => (
+ is => 'ro',
+ weak_ref => 1,
+ required => 1,
);
+has io_fh => (
+ is=>'ro',
+ predicate=>'_has_io_fh',
+ lazy=>1,
+ builder=>'_build_io_fh');
+
+sub _build_io_fh {
+ my $self = shift;
+ return $self->env->{'psgix.io'}
+ || (
+ $self->env->{'net.async.http.server.req'} &&
+ $self->env->{'net.async.http.server.req'}->stream) ## Until I can make ioasync cabal see the value of supportin psgix.io (jnap)
+ || die "Your Server does not support psgix.io";
+};
+
+has data_handlers => ( is=>'ro', isa=>'HashRef', default=>sub { +{} } );
+
+has body_data => (
+ is=>'ro',
+ lazy=>1,
+ builder=>'_build_body_data');
+
+sub _build_body_data {
+ my ($self) = @_;
+
+ # Not sure if these returns should not be exceptions...
+ my $content_type = $self->content_type || return;
+ return unless ($self->method eq 'POST' || $self->method eq 'PUT');
+
+ my ($match) = grep { $content_type =~/$_/i }
+ keys(%{$self->data_handlers});
+
+ if($match) {
+ my $fh = $self->body;
+ local $_ = $fh;
+ return $self->data_handlers->{$match}->($fh, $self);
+ } else {
+ Catalyst::Exception->throw("$content_type is does not have an available data handler");
+ }
+}
+
+has _use_hash_multivalue => (
+ is=>'ro',
+ required=>1,
+ default=> sub {0});
+
# Amount of data to read from input on each pass
our $CHUNKSIZE = 64 * 1024;
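Review bot: In `_build_body_data` the handler lookup `grep { $content_type =~/$_/i } keys(%{$self->data_handlers})` walks hash keys in hash order, so when two configured patterns both match a request's Content-Type (the match is an unanchored, case-insensitive regex, so a key such as `application/json` also matches `application/json; charset=utf-8`) the handler that wins varies between processes; `sort keys %{ $self->data_handlers }` or a first-match ordered list makes the choice deterministic. The thrown message `"$content_type is does not have an available data handler"` has a stray `is` and echoes the client-supplied Content-Type verbatim into the exception text, which may end up on an error page; `Catalyst::Exception->throw("No data handler available for content type '$content_type'")` reads better. The `POST`/`PUT` guard also silently returns undef for `PATCH` bodies, which is worth either stating in the `body_data` POD or extending to `PATCH`.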
# said there should be.
return;
}
- $self->_read_position( $self->_read_position + $rc );
+ $self->_set_read_position( $self->_read_position + $rc );
return $buffer;
}
else {
is => 'rw',
required => 1,
lazy => 1,
- default => sub { {} },
+ predicate => 'has_body_parameters',
+ builder => 'prepare_body_parameters',
);
has uploads => (
has parameters => (
is => 'rw',
lazy => 1,
- builder => 'prepare_parameters',
+ builder => '_build_parameters',
+ clearer => '_clear_parameters',
);
# TODO:
sub prepare_parameters {
my ( $self ) = @_;
+ $self->_clear_parameters;
+ return $self->parameters;
+}
- $self->prepare_body;
+sub _build_parameters {
+ my ( $self ) = @_;
my $parameters = {};
my $body_parameters = $self->body_parameters;
my $query_parameters = $self->query_parameters;
+
+ if($self->_use_hash_multivalue) {
+ return Hash::MultiValue->new($query_parameters->flatten, $body_parameters->flatten);
+ }
+
# We copy, no references
foreach my $name (keys %$query_parameters) {
my $param = $query_parameters->{$name};
$parameters;
}
-before body_parameters => sub {
- my ($self) = @_;
- $self->prepare_body;
- $self->prepare_body_parameters;
-};
-
-=head2 $self->prepare_body()
-
-sets up the L<Catalyst::Request> object body using L<HTTP::Body>
-
-=cut
-
has _uploadtmp => (
is => 'ro',
predicate => '_has_uploadtmp',
sub prepare_body {
my ( $self ) = @_;
- if ( my $length = $self->_read_length ) {
- unless ( $self->_body ) {
- my $type = $self->header('Content-Type');
- $self->_body(HTTP::Body->new( $type, $length ));
- $self->_body->cleanup(1); # Make extra sure!
- $self->_body->tmpdir( $self->_uploadtmp )
- if $self->_has_uploadtmp;
- }
+ # If previously applied middleware created the HTTP::Body object, then we
+ # just use that one.
- # Check for definedness as you could read '0'
- while ( defined ( my $buffer = $self->read() ) ) {
- $self->prepare_body_chunk($buffer);
- }
+ if(my $plack_body = $self->_has_env ? $self->env->{'plack.request.http.body'} : undef) {
+ $self->_body($plack_body);
+ $self->_body->cleanup(1);
+ return;
+ }
- # paranoia against wrong Content-Length header
- my $remaining = $length - $self->_read_position;
- if ( $remaining > 0 ) {
- Catalyst::Exception->throw(
- "Wrong Content-Length value: $length" );
- }
+ # If there is nothing to read, set body to naught and return. This
+ # will cause all body code to be skipped
+
+ return $self->_body(0) unless my $length = $self->_read_length;
+
+ # Unless the body has already been set, create it. Not sure about this
+ # code, how else might it be set, but this was existing logic.
+
+ unless ($self->_body) {
+ my $type = $self->header('Content-Type');
+ $self->_body(HTTP::Body->new( $type, $length ));
+ $self->_body->cleanup(1);
+
+ # JNAP: I'm not sure this is doing what we expect, but it also doesn't
+ # seem to be hurting (seems ->_has_uploadtmp is true more than I would
+ # expect.
+
+ $self->_body->tmpdir( $self->_uploadtmp )
+ if $self->_has_uploadtmp;
}
- else {
- # Defined but will cause all body code to be skipped
- $self->_body(0);
+
+ # Ok if we get this far, we have to read psgi.input into the new body
+ # object. Lets play nice with any plack app or other downstream, so
+ # we create a buffer unless one exists.
+
+ my $stream_buffer;
+ if ($self->env->{'psgix.input.buffered'}) {
+ # Be paranoid about previous psgi middleware or apps that read the
+ # input but didn't return the buffer to the start.
+ $self->env->{'psgi.input'}->seek(0, 0);
+ } else {
+ $stream_buffer = Stream::Buffered->new($length);
}
-}
-=head2 $self->prepare_body_chunk()
+ # Check for definedness as you could read '0'
+ while ( defined ( my $chunk = $self->read() ) ) {
+ $self->prepare_body_chunk($chunk);
+ next unless $stream_buffer;
-Add a chunk to the request body.
+ $stream_buffer->print($chunk)
+ || die sprintf "Failed to write %d bytes to psgi.input file: $!", length( $chunk );
+ }
-=cut
+ # Ok, we read the body. Lets play nice for any PSGI app down the pipe
+
+ if ($stream_buffer) {
+ $self->env->{'psgix.input.buffered'} = 1;
+ $self->env->{'psgi.input'} = $stream_buffer->rewind;
+ } else {
+ $self->env->{'psgi.input'}->seek(0, 0); # Reset the buffer for downstream middleware or apps
+ }
+
+ # paranoia against wrong Content-Length header
+ my $remaining = $length - $self->_read_position;
+ if ( $remaining > 0 ) {
+ Catalyst::Exception->throw("Wrong Content-Length value: $length" );
+ }
+}
sub prepare_body_chunk {
my ( $self, $chunk ) = @_;
$self->_body->add($chunk);
}
-=head2 $self->prepare_body_parameters()
+sub prepare_body_parameters {
+ my ( $self, $c ) = @_;
+ return $self->body_parameters if $self->has_body_parameters;
+ $self->prepare_body if ! $self->_has_body;
+
+ unless($self->_body) {
+ my $return = $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
+ $self->body_parameters($return);
+ return $return;
+ }
-Sets up parameters from body.
+ my $params;
+ my %part_data = %{$self->_body->part_data};
+ if(scalar %part_data && !$c->config->{skip_complex_post_part_handling}) {
+ foreach my $key (keys %part_data) {
+ my $proto_value = $part_data{$key};
+ my ($val, @extra) = (ref($proto_value)||'') eq 'ARRAY' ? @$proto_value : ($proto_value);
-=cut
+ $key = $c->_handle_param_unicode_decoding($key)
+ if ($c and $c->encoding and !$c->config->{skip_body_param_unicode_decoding});
-sub prepare_body_parameters {
- my ( $self ) = @_;
+ if(@extra) {
+ $params->{$key} = [map { Catalyst::Request::PartData->build_from_part_data($c, $_) } ($val,@extra)];
+ } else {
+ $params->{$key} = Catalyst::Request::PartData->build_from_part_data($c, $val);
+ }
+ }
+ } else {
+ $params = $self->_body->param;
+
+ # If we have an encoding configured (like UTF-8) in general we expect a client
+ # to POST with the encoding we fufilled the request in. Otherwise don't do any
+ # encoding (good change wide chars could be in HTML entity style llike the old
+ # days -JNAP
+
+ # so, now that HTTP::Body prepared the body params, we gotta 'walk' the structure
+ # and do any needed decoding.
+
+ # This only does something if the encoding is set via the encoding param. Remember
+ # this is assuming the client is not bad and responds with what you provided. In
+ # general you can just use utf8 and get away with it.
+ #
+ # I need to see if $c is here since this also doubles as a builder for the object :(
+
+ if($c and $c->encoding and !$c->config->{skip_body_param_unicode_decoding}) {
+ $params = $c->_handle_unicode_decoding($params);
+ }
+ }
- return unless $self->_body;
+ my $return = $self->_use_hash_multivalue ?
+ Hash::MultiValue->from_mixed($params) :
+ $params;
- $self->{body_parameters} = $self->_body->param; # FIXME!! Recursion here.
+ $self->body_parameters($return) unless $self->has_body_parameters;
+ return $return;
}
sub prepare_connection {
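Review bot: `prepare_body_parameters` dereferences `$c` unguarded on the `if(scalar %part_data && !$c->config->{skip_complex_post_part_handling})` line, but `$c` is optional here: the comment further down says the method doubles as the lazy builder for `body_parameters`, and the two later uses are guarded with `$c and $c->encoding`. A multipart POST with non-file parts that reaches this method through the `body_parameters` accessor therefore dies with "Can't call method config on an undefined value"; guarding it the same way, `if(scalar %part_data && $c && !$c->config->{skip_complex_post_part_handling}) {`, falls back to the plain `$self->_body->param` path when no context is available and also keeps `build_from_part_data($c, ...)` from being called with an undefined context. In `prepare_body`, `die sprintf "Failed to write %d bytes to psgi.input file: $!", length( $chunk )` interpolates `$!` into the format string, so an error text containing `%` would be mis-parsed; pass it as an argument: `die sprintf "Failed to write %d bytes to psgi.input file: %s", length($chunk), $!;`.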
my ($orig, $self, $params) = @_;
if ($params) {
if ( !ref $params ) {
- $self->_context->log->warn(
+ $self->_log->warn(
"Attempt to retrieve '$params' with req->params(), " .
"you probably meant to call req->param('$params')"
);
# and provide a custom reader..
sub body {
my $self = shift;
- $self->prepare_body();
+ $self->prepare_body unless $self->_has_body;
croak 'body is a reader' if scalar @_;
return blessed $self->_body ? $self->_body->body : $self->_body;
}
has _path => ( is => 'rw', predicate => '_has_path', clearer => '_clear_path' );
-# XXX: Deprecated in docs ages ago (2006), deprecated with warning in 5.8000 due
-# to confusion between Engines and Plugin::Authentication. Remove in 5.8100?
-has user => (is => 'rw');
-
sub args { shift->arguments(@_) }
sub body_params { shift->body_parameters(@_) }
sub input { shift->body(@_) }
sub params { shift->parameters(@_) }
sub query_params { shift->query_parameters(@_) }
sub path_info { shift->path(@_) }
-sub snippets { shift->captures(@_) }
=for stopwords param params
=head1 SYNOPSIS
$req = $c->request;
- $req->action;
- $req->address;
+ $req->address eq "127.0.0.1";
$req->arguments;
$req->args;
$req->base;
$req->body;
+ $req->body_data;
$req->body_parameters;
$req->content_encoding;
$req->content_length;
$req->read;
$req->referer;
$req->secure;
- $req->captures; # previously knows as snippets
+ $req->captures;
$req->upload;
$req->uploads;
$req->uri;
$req->user;
$req->user_agent;
+ $req->env;
See also L<Catalyst>, L<Catalyst::Request::Upload>.
=head1 METHODS
-=head2 $req->action
-
-[DEPRECATED] Returns the name of the requested action.
-
-
-Use C<< $c->action >> instead (which returns a
-L<Catalyst::Action|Catalyst::Action> object).
-
=head2 $req->address
Returns the IP address of the client.
unless Content-Type is C<application/x-www-form-urlencoded>, C<text/xml>, or
C<multipart/form-data>, in which case a L<File::Temp> object is returned.
+=head2 $req->body_data
+
+Returns a Perl representation of POST/PUT body data that is not classic HTML
+form data, such as JSON, XML, etc. By default, Catalyst will parse incoming
+data of the type 'application/json' and return access to that data via this
+method. You may define addition data_handlers via a global configuration
+setting. See L<Catalyst\DATA HANDLERS> for more information.
+
+If the POST is malformed in some way (such as undefined or not content that
+matches the content-type) we raise a L<Catalyst::Exception> with the error
+text as the message.
+
+If the POSTed content type does not match an available data handler, this
+will also raise an exception.
+
=head2 $req->body_parameters
Returns a reference to a hash containing body (POST) parameters. Values can
These are the parameters from the POST part of the request, if any.
+B<NOTE> If your POST is multipart, but contains non file upload parts (such
+as an line part with an alternative encoding or content type) we do our best to
+try and figure out how the value should be presented. If there's a specified character
+set we will use that to decode rather than the default encoding set by the application.
+However if there are complex headers and we cannot determine
+the correct way to extra a meaningful value from the upload, in this case any
+part like this will be represented as an instance of L<Catalyst::Request::PartData>.
+
+Patches and review of this part of the code welcomed.
+
=head2 $req->body_params
Shortcut for body_parameters.
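Review bot: The new `body_data` POD links to `L<Catalyst\DATA HANDLERS>` with a backslash, which POD does not treat as a section separator; it should be `L<Catalyst/DATA HANDLERS>`. In the same paragraph "addition data_handlers" should read "additional data_handlers", and in the `body_parameters` note "an line part" and "extra a meaningful value" should be "a non-file part" and "extract a meaningful value". The note could also state the fallback plainly for readers who need to handle it, e.g. `Such parts are returned as L<Catalyst::Request::PartData> objects instead of plain strings.`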
cause a hash initialization error. For a more straightforward interface see
C<< $c->req->parameters >>.
+B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
+are known to cause demonstrated exploits. It is highly recommended that you
+avoid using this method, and migrate existing code away from it. Here's a
+whitepaper of the exploit:
+
+L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
+
+B<NOTE> Further discussion on IRC indicate that the L<Catalyst> core team from 'back then'
+were well aware of this hack and this is the main reason we added the new approach to
+getting parameters in the first place.
+
+Basically this is an exploit that takes advantage of how L<\param> will do one thing
+in scalar context and another thing in list context. This is combined with how Perl
+chooses to deal with duplicate keys in a hash definition by overwriting the value of
+existing keys with a new value if the same key shows up again. Generally you will be
+vulnerable to this exploit if you are using this method in a direct assignment in a
+hash, such as with a L<DBIx::Class> create statement. For example, if you have
+parameters like:
+
+ user?user=123&foo=a&foo=user&foo=456
+
+You could end up with extra parameters injected into your method calls:
+
+ $c->model('User')->create({
+ user => $c->req->param('user'),
+ foo => $c->req->param('foo'),
+ });
+
+Which would look like:
+
+ $c->model('User')->create({
+ user => 123,
+ foo => qw(a user 456),
+ });
+
+(or to be absolutely clear if you are not seeing it):
+
+ $c->model('User')->create({
+ user => 456,
+ foo => 'a',
+ });
+
+Possible remediations include scrubbing your parameters with a form validator like
+L<HTML::FormHandler> or being careful to force scalar context using the scalar
+keyword:
+
+ $c->model('User')->create({
+ user => scalar($c->req->param('user')),
+ foo => scalar($c->req->param('foo')),
+ });
+
+Upcoming versions of L<Catalyst> will disable this interface by default and require
+you to positively enable it should you require it for backwards compatibility reasons.
+
=cut
sub param {
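Review bot: The `param` exploit write-up links `L<\param>`, which is not a valid POD link; `L</param>` (a section of this document) is what is meant. The remediation list names form validators and `scalar()`, but the advice this same POD gives a few lines earlier — read values from the `$c->req->parameters` (or `body_parameters`) hash, which is never context-sensitive — is the simplest fix and deserves a line here, e.g. `or read values directly from the hash: C<< $c->req->parameters->{user} >>`. "are known to cause demonstrated exploits" would read better as "have a well-known, demonstrated class of exploit".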
return keys %{ $self->parameters };
}
- if ( @_ == 1 ) {
+ # If anything in @_ is undef, carp about that, and remove it from
+ # the list;
+
+ my @params = grep { defined($_) ? 1 : do {carp "You called ->params with an undefined value"; 0} } @_;
- my $param = shift;
+ if ( @params == 1 ) {
+
+ defined(my $param = shift @params) ||
+ carp "You called ->params with an undefined value 2";
unless ( exists $self->parameters->{$param} ) {
return wantarray ? () : undef;
: $self->parameters->{$param};
}
}
- elsif ( @_ > 1 ) {
- my $field = shift;
- $self->parameters->{$field} = [@_];
+ elsif ( @params > 1 ) {
+ my $field = shift @params;
+ $self->parameters->{$field} = [@params];
}
}
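Review bot: In `param`, the line `defined(my $param = shift @params) || carp "You called ->params with an undefined value 2";` can never carp, because `@params` was built one statement earlier by filtering out every undefined value; the trailing `2` and the `->params` spelling (the method is `->param`) look like leftover debugging text. `my $param = shift @params;` is all that branch needs. Note the behaviour change as well: `$req->param(undef)` previously fell into the single-argument lookup and now falls through both branches and returns an empty list, which is reasonable but worth a sentence in the POD. The sub's opening and its zero-argument `return keys` path begin above this hunk.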
=head2 $req->read_chunk(\$buff, $max)
-Reads a chunk..
+Reads a chunk.
You have to set MyApp->config(parse_on_demand => 1) to use this directly.
=head2 $req->secure
Returns true or false, indicating whether the connection is secure
-(https). Note that the URI scheme (e.g., http vs. https) must be determined
-through heuristics, and therefore the reliability of $req->secure will depend
-on your server configuration. If you are serving secure pages on the standard
-SSL port (443) and/or setting the HTTPS environment variable, $req->secure
-should be valid.
+(https). The reliability of $req->secure may depend on your server
+configuration; Catalyst relies on PSGI to determine whether or not a
+request is secure (Catalyst looks at psgi.url_scheme), and different
+PSGI servers may make this determination in different ways (as by
+directly passing along information from the server, interpreting any of
+several HTTP headers, or using heuristics of their own).
=head2 $req->captures
my @captures = @{ $c->request->captures };
-=head2 $req->snippets
-
-C<captures> used to be called snippets. This is still available for backwards
-compatibility, but is considered deprecated.
-
=head2 $req->upload
A convenient method to access $req->uploads.
next unless defined $value;
for ( ref $value eq 'ARRAY' ? @$value : $value ) {
$_ = "$_";
- utf8::encode( $_ ) if utf8::is_utf8($_);
+ # utf8::encode($_);
}
};
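Review bot: Replacing `utf8::encode( $_ ) if utf8::is_utf8($_);` with the commented-out `# utf8::encode($_);` leaves dead code and no explanation of why values are no longer encoded to UTF-8 bytes; if the encoding now happens elsewhere (presumably when the URI is assembled) a one-line comment saying so, `# values are kept as character strings; encoding is applied when the URI is built`, should replace it, otherwise the line should simply go. If a stringified value can still contain wide characters, whatever consumes these values now has to handle that. The enclosing sub starts and ends outside this hunk.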
Shortcut to $req->headers->user_agent. Returns the user agent (browser)
version string.
+=head2 $req->io_fh
+
+Returns a psgix.io bidirectional socket, if your server supports one. Used for
+when you want to jailbreak out of PSGI and handle bidirectional client server
+communication manually, such as when you are using cometd or websockets.
+
+=head1 SETUP METHODS
+
+You should never need to call these yourself in application code,
+however they are useful if extending Catalyst by applying a request role.
+
+=head2 $self->prepare_headers()
+
+Sets up the C<< $res->headers >> accessor.
+
+=head2 $self->prepare_body()
+
+Sets up the body using L<HTTP::Body>
+
+=head2 $self->prepare_body_chunk()
+
+Add a chunk to the request body.
+
+=head2 $self->prepare_body_parameters()
+
+Sets up parameters from body.
+
+=head2 $self->prepare_cookies()
+
+Parse cookies from header. Sets up a L<CGI::Simple::Cookie> object.
+
+=head2 $self->prepare_connection()
+
+Sets up various fields in the request like the local and remote addresses,
+request method, hostname requested etc.
+
+=head2 $self->prepare_parameters()
+
+Ensures that the body has been parsed, then builds the parameters, which are
+combined from those in the request and those in the body.
+
+If parameters have already been set will clear the parameters and build them again.
+
+=head2 $self->env
+
+Access to the raw PSGI env.
+
=head2 meta
Provided by Moose