Skip Menu |
 

This queue is for tickets about the Authen-Simple-HTTP CPAN distribution.

Report information
The Basics
Id: 82575
Status: new
Priority: 0/
Queue: Authen-Simple-HTTP

People
Owner: Nobody in particular
Requestors: unrtst [...] cpan.org
Cc: unrtst [...] gmail.com
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.2
Fixed in: (no value)

Attachments
Authen-Simple-HTTP-0.2.lwp-and-request-method-feature.patch
Authen-Simple-HTTP-0.2.lwp-fix.patch
Authen-Simple-HTTP-0.2.request-method-feature.patch



CC: unrtst [...] gmail.com
Subject: BUG: Incompatability with LWP 6.x under persistent environments
Download (untitled) / with headers
text/plain 1.6k
LWP::UserAgent::credentials and LWP::UserAgent::get_basic_credentials changed at some point around after 5.805 and before 6.02. Also, LWP::Authen::Basic changed. Authen::Simple::HTTP implements credential handling by overriding the get_basic_credentials methods in LWP::UserAgent (or the given LWP class). This breaks with the new LWP because Authen::Simple::HTTP keeps the LWP::UserAgent instance as class data (Class::Data::Inheritable), so a new instance of LWP isn't created for every new Authen::Simple::HTTP... and LWP is caching the user/pass per instance (per host+port+realm) via the credentials sub in an instance variable. Whew... anyway... the attached patch, "Authen-Simple-HTTP-0.2.lwp-fix.patch", works around that by also overriding the "credentials" sub in a safe way. Two other patches are included. "Authen-Simple-HTTP-0.2.request-method-feature.patch" adds a new feature I've been maintaining separately for 2.5 years. It adds support for a "request_method" option, so that the LWP request can be forced to use "get", "head", or "post" when doing the auth check (or anything the user agent supports). This was needed to work around a wonky server that would return 404 errors when issued HEAD requests, but worked fine with GET requests (it was a Microsoft Exchange Outlook Web Access site running on Microsoft IIS). "Authen-Simple-HTTP-0.2.lwp-and-request-method-feature.patch" combines both patchsets. Please consider these for inclusion in the next version. Please note, the request_method patch provided here, IMO, is a safer implementation than that provided in bug #26468, but it does not address providing additional options to LWP via apache config (IMO, that should be handled via a subclass anyway).
Subject: Authen-Simple-HTTP-0.2.lwp-fix.patch
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.2/Changes --- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2/Changes 2013-01-08 18:55:31.226167667 -0500 @@ -1,5 +1,12 @@ Revision history for Perl extension Authen::Simple::HTTP + - work around for libwww-perl 6.x+ when used in a persistent environment. + LWP::UserAgent sub credentials and get_basic_credentials changed and now + cache data per-instance differently than before. + LWP::Authen::Basic calls credentials directly, which will get the previously + used credentials under this new version of LWP. This breaks persistent usage + of Authen::Simple::HTTP (ex. using it undef mod_perl). + 0.2 2006-01-12 00:00 - use HEAD method instead of GET. diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.2/lib/Authen/Simple/HTTP.pm --- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2/lib/Authen/Simple/HTTP.pm 2013-01-08 18:55:05.422234386 -0500 @@ -33,7 +33,9 @@ sub check { # way to implement this without forking a lot of code from LWP::UserAgent. # Please let me know if you have any ideas of improvements. - my $override = sprintf '%s::get_basic_credentials', ref $self->agent; + my $lwpclass = ref $self->agent; + my $override = sprintf '%s::get_basic_credentials', $lwpclass; + my $override2 = sprintf '%s::credentials', $lwpclass; my $response = undef; my $url = $self->url; @@ -46,6 +48,11 @@ sub check { local *$override = sub { return ( undef, undef ); }; + # make sure we don't use cached credentials (interaction bug between us and LWP 6.x) + local *$override2 = sub { + # we want to force no user/pass at this point... so just return + return; + }; $response = $self->agent->head($url); } @@ -75,6 +82,18 @@ sub check { local *$override = sub { return ( $username, $password ); }; + # save orig credentials subref + my $credentials_sub = $self->agent->can( 'credentials' ); + # make sure we don't use cached credentials (interaction bug between us and LWP 6.x) + local *$override2 = sub { + my $self = shift; + my $netloc = shift; + my $realm = shift; + # call orig method to set any instance variables, forcing user/pass + $credentials_sub->( $self, $netloc, $realm, $username, $password ); + # call orig method as a getter to get what we just put there + return $credentials_sub->( $self, $netloc, $realm ); + }; $response = $self->agent->head($url); }
Subject: Authen-Simple-HTTP-0.2.lwp-and-request-method-feature.patch
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.4/Changes --- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.4/Changes 2013-01-08 16:54:33.482400835 -0500 @@ -1,5 +1,16 @@ Revision history for Perl extension Authen::Simple::HTTP +0.4 2013-01-08 00:00 + - work around for libwww-perl 6.x+ when used in a persistent environment. + LWP::UserAgent sub credentials and get_basic_credentials changed and now + cache data per-instance differently than before. + LWP::Authen::Basic calls credentials directly, which will get the previously + used credentials under this new version of LWP. This breaks persistent usage + of Authen::Simple::HTTP (ex. using it undef mod_perl). + +0.3 2010-02-02 00:00 + - added request_method option to specify use of HEAD, GET, or POST. + 0.2 2006-01-12 00:00 - use HEAD method instead of GET. diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.4/lib/Authen/Simple/HTTP.pm --- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.4/lib/Authen/Simple/HTTP.pm 2013-01-08 18:37:24.293004387 -0500 @@ -7,13 +7,18 @@ use base 'Authen::Simple::Adapter'; use LWP::UserAgent; use Params::Validate qw[]; -our $VERSION = 0.2; +our $VERSION = 0.3; __PACKAGE__->options({ url => { type => Params::Validate::SCALAR, optional => 0 }, + request_method => { + type => Params::Validate::SCALAR, + default => 'head', + optional => 1 + }, agent => { type => Params::Validate::OBJECT, isa => 'LWP::UserAgent', @@ -33,9 +38,23 @@ sub check { # way to implement this without forking a lot of code from LWP::UserAgent. # Please let me know if you have any ideas of improvements. - my $override = sprintf '%s::get_basic_credentials', ref $self->agent; - my $response = undef; - my $url = $self->url; + my $lwpclass = ref $self->agent; + my $override = sprintf '%s::get_basic_credentials', $lwpclass; + my $override2 = sprintf '%s::credentials', $lwpclass; + my $response = undef; + my $url = $self->url; + my $reqmeth = $self->request_method; + + # Determine request method + + my $method = $self->agent->can( $reqmeth ); + if (! $method ) { + $self->log->error( qq/Unsupported request method: '$reqmeth'./ ) + if $self->log; + + return 0; + } + # First make sure we receive a challenge @@ -46,8 +65,13 @@ sub check { local *$override = sub { return ( undef, undef ); }; + # make sure we don't use cached credentials (interaction bug between us and LWP 6.x) + local *$override2 = sub { + # we want to force no user/pass at this point... so just return + return; + }; - $response = $self->agent->head($url); + $response = $method->($self->agent, $url); } if ( my $warning = $response->header('Client-Warning') ) { @@ -75,8 +99,20 @@ sub check { local *$override = sub { return ( $username, $password ); }; + # save orig credentials subref + my $credentials_sub = $self->agent->can( 'credentials' ); + # make sure we don't use cached credentials (interaction bug between us and LWP 6.x) + local *$override2 = sub { + my $self = shift; + my $netloc = shift; + my $realm = shift; + # call orig method to set any instance variables, forcing user/pass + $credentials_sub->( $self, $netloc, $realm, $username, $password ); + # call orig method as a getter to get what we just put there + return $credentials_sub->( $self, $netloc, $realm ); + }; - $response = $self->agent->head($url); + $response = $method->($self->agent, $url); } if ( $response->code == 401 ) { @@ -165,6 +201,12 @@ Any object that is a subclass of L<LWP:: agent => LWP::UserAgent->new; +=item * request_method + +Request method used to pull the url. "head", "get", or "post". + + request_method => 'head' + =item * log Any object that supports C<debug>, C<info>, C<error> and C<warn>. diff -rup Authen-Simple-HTTP-0.2.orig/META.yml Authen-Simple-HTTP-0.4/META.yml --- Authen-Simple-HTTP-0.2.orig/META.yml 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.4/META.yml 2013-01-08 16:54:58.062324878 -0500 @@ -1,6 +1,6 @@ --- name: Authen-Simple-HTTP -version: 0.2 +version: 0.4 author: - 'Christian Hansen C<ch@ngmedia.com>' abstract: Simple HTTP authentication @@ -11,5 +11,5 @@ requires: provides: Authen::Simple::HTTP: file: lib/Authen/Simple/HTTP.pm - version: 0.2 + version: 0.4 generated_by: Module::Build version 0.2611 diff -rup Authen-Simple-HTTP-0.2.orig/README Authen-Simple-HTTP-0.4/README --- Authen-Simple-HTTP-0.2.orig/README 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.4/README 2013-01-08 16:49:00.991293884 -0500 @@ -42,6 +42,11 @@ METHODS agent => LWP::UserAgent->new; + * request_method Request method used to pull the url. "head", + "get", or "post". + + request_method => 'get' + * log Any object that supports "debug", "info", "error" and "warn".
Subject: Authen-Simple-HTTP-0.2.request-method-feature.patch
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.2.new/Changes --- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2.new/Changes 2010-02-02 18:02:23.079189618 -0500 @@ -1,5 +1,8 @@ Revision history for Perl extension Authen::Simple::HTTP +0.3 2010-02-02 00:00 + - added request_method option to specify use of HEAD, GET, or POST. + 0.2 2006-01-12 00:00 - use HEAD method instead of GET. diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.2.new/lib/Authen/Simple/HTTP.pm --- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2.new/lib/Authen/Simple/HTTP.pm 2010-02-03 18:44:58.048860342 -0500 @@ -7,13 +7,18 @@ use base 'Authen::Simple::Adapter'; use LWP::UserAgent; use Params::Validate qw[]; -our $VERSION = 0.2; +our $VERSION = 0.3; __PACKAGE__->options({ url => { type => Params::Validate::SCALAR, optional => 0 }, + request_method => { + type => Params::Validate::SCALAR, + default => 'head', + optional => 1 + }, agent => { type => Params::Validate::OBJECT, isa => 'LWP::UserAgent', @@ -36,6 +41,18 @@ sub check { my $override = sprintf '%s::get_basic_credentials', ref $self->agent; my $response = undef; my $url = $self->url; + my $reqmeth = $self->request_method; + + # Determine request method + + my $method = $self->agent->can( $reqmeth ); + if (! $method ) { + $self->log->error( qq/Unsupported request method: '$reqmeth'./ ) + if $self->log; + + return 0; + } + # First make sure we receive a challenge @@ -47,7 +64,7 @@ sub check { return ( undef, undef ); }; - $response = $self->agent->head($url); + $response = $method->($self->agent, $url); } if ( my $warning = $response->header('Client-Warning') ) { @@ -76,7 +93,7 @@ sub check { return ( $username, $password ); }; - $response = $self->agent->head($url); + $response = $method->($self->agent, $url); } if ( $response->code == 401 ) { @@ -165,6 +182,12 @@ Any object that is a subclass of L<LWP:: agent => LWP::UserAgent->new; +=item * request_method + +Request method used to pull the url. "head", "get", or "post". + + request_method => 'head' + =item * log Any object that supports C<debug>, C<info>, C<error> and C<warn>. diff -rup Authen-Simple-HTTP-0.2.orig/META.yml Authen-Simple-HTTP-0.2.new/META.yml --- Authen-Simple-HTTP-0.2.orig/META.yml 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2.new/META.yml 2010-02-02 17:25:44.279188845 -0500 @@ -1,6 +1,6 @@ --- name: Authen-Simple-HTTP -version: 0.2 +version: 0.3 author: - 'Christian Hansen C<ch@ngmedia.com>' abstract: Simple HTTP authentication @@ -11,5 +11,5 @@ requires: provides: Authen::Simple::HTTP: file: lib/Authen/Simple/HTTP.pm - version: 0.2 + version: 0.3 generated_by: Module::Build version 0.2611 diff -rup Authen-Simple-HTTP-0.2.orig/README Authen-Simple-HTTP-0.2.new/README --- Authen-Simple-HTTP-0.2.orig/README 2006-01-12 14:22:30.000000000 -0500 +++ Authen-Simple-HTTP-0.2.new/README 2010-02-02 18:02:04.899199578 -0500 @@ -42,6 +42,11 @@ METHODS agent => LWP::UserAgent->new; + * request_method Request method used to pull the url. "head", + "get", or "post". + + request_method => 'get' + * log Any object that supports "debug", "info", "error" and "warn".


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.