diff -Nru libreverseproxy-formfiller-perl-0.3/Changes libreverseproxy-formfiller-perl-0.5/Changes --- libreverseproxy-formfiller-perl-0.3/Changes 2014-04-29 07:49:36.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/Changes 2014-10-02 17:06:20.000000000 +0000 @@ -8,3 +8,10 @@ 0.3 2014/04/29 Add parameters 'publicFilledData', 'postDataSub' and 'javascript' + +0.4 2014/09/24 + Fix bug with unquoted strings + +0.5 2014/10/02 + Unfix bug with unquoted strings (was not a bug), improve POD + diff -Nru libreverseproxy-formfiller-perl-0.3/debian/changelog libreverseproxy-formfiller-perl-0.5/debian/changelog --- libreverseproxy-formfiller-perl-0.3/debian/changelog 2014-05-01 20:53:58.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/debian/changelog 2014-10-18 18:51:53.000000000 +0000 @@ -1,3 +1,21 @@ +libreverseproxy-formfiller-perl (0.5-1) unstable; urgency=medium + + * Team upload. + + [ Salvatore Bonaccorso ] + * Update Vcs-Browser URL to cgit web frontend + + [ gregor herrmann ] + * New upstream release. + * Refresh spelling.patch. + * Update years of upstream copyright. + * debian/rules: drop override_dh_auto_test. + Tests pass now, or are skipped by upstream. + * Mark package as autopkgtest-able. + * Declare compliance with Debian Policy 3.9.6. + + -- gregor herrmann Sat, 18 Oct 2014 20:51:30 +0200 + libreverseproxy-formfiller-perl (0.3-1) unstable; urgency=medium * Import Upstream version 0.3 diff -Nru libreverseproxy-formfiller-perl-0.3/debian/control libreverseproxy-formfiller-perl-0.5/debian/control --- libreverseproxy-formfiller-perl-0.3/debian/control 2014-05-01 20:53:58.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/debian/control 2014-10-18 18:51:53.000000000 +0000 
@@ -8,10 +8,11 @@ Build-Depends-Indep: libapache2-mod-perl2, libtest-pod-perl, perl -Standards-Version: 3.9.5 -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libreverseproxy-formfiller-perl.git +Standards-Version: 3.9.6 +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-perl/packages/libreverseproxy-formfiller-perl.git Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libreverseproxy-formfiller-perl.git Homepage: https://metacpan.org/release/ReverseProxy-FormFiller +Testsuite: autopkgtest-pkg-perl Package: libreverseproxy-formfiller-perl Architecture: all diff -Nru libreverseproxy-formfiller-perl-0.3/debian/copyright libreverseproxy-formfiller-perl-0.5/debian/copyright --- libreverseproxy-formfiller-perl-0.3/debian/copyright 2014-05-01 20:53:58.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/debian/copyright 2014-10-18 18:51:53.000000000 +0000 @@ -4,7 +4,7 @@ Source: https://metacpan.org/release/ReverseProxy-FormFiller Files: * -Copyright: 2013, FX Deltombe +Copyright: 2013-2014, FX Deltombe License: Artistic or GPL-1+ Files: debian/* diff -Nru libreverseproxy-formfiller-perl-0.3/debian/patches/spelling.patch libreverseproxy-formfiller-perl-0.5/debian/patches/spelling.patch --- libreverseproxy-formfiller-perl-0.3/debian/patches/spelling.patch 2014-05-01 20:50:11.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/debian/patches/spelling.patch 2014-10-18 18:51:53.000000000 +0000 @@ -1,15 +1,18 @@ Description: fix POD grammar -Author: Florian Schlichting +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=95253 Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=95253 +Author: Florian Schlichting +Reviewed-by: gregor herrmann +Last-Update: 2014-10-18 --- a/lib/ReverseProxy/FormFiller.pm 
+++ b/lib/ReverseProxy/FormFiller.pm -@@ -259,7 +259,7 @@ +@@ -260,7 +260,7 @@ Some applications based on frameworks either use HTTP without HTML (e.g Flash), or they send POST data out of any HTML form. --This module allows to fill any HTML field from its jQuery selectors, thanks to the "publicFilledData" parameter. -+This module allows one to fill any HTML field from its jQuery selectors, thanks to the "publicFilledData" parameter. +-This module allows to fill any HTML field from its jQuery selectors, thanks to the I parameter. ++This module allows one to fill any HTML field from its jQuery selectors, thanks to the I parameter. - On the other hand, you can apply any substitution on POST datas, thanks to the "postDataSub" parameter - but it may require some tuning to get the right substitution PCRE. + On the other hand, you can apply any substitution on POST datas, thanks to the I parameter - but it may require some tuning to get the right substitution PCRE. diff -Nru libreverseproxy-formfiller-perl-0.3/debian/rules libreverseproxy-formfiller-perl-0.5/debian/rules --- libreverseproxy-formfiller-perl-0.3/debian/rules 2013-04-30 05:49:29.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/debian/rules 2014-10-18 18:51:53.000000000 +0000 @@ -2,8 +2,3 @@ %: dh $@ - -# t/manifest.t is disabled and t/pod-coverage.t fails and are useful only for -# the author so tests are restricted to t/00-load.t and t/pod.t -override_dh_auto_test: - dh_auto_test -- TEST_FILES="t/00-load.t t/pod.t" diff -Nru libreverseproxy-formfiller-perl-0.3/example/FormFillerConfig libreverseproxy-formfiller-perl-0.5/example/FormFillerConfig --- libreverseproxy-formfiller-perl-0.3/example/FormFillerConfig 2014-04-29 07:42:32.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/example/FormFillerConfig 2014-10-02 15:07:46.000000000 +0000 
@@ -6,15 +6,15 @@ # jQuery selector to the form to fill # optional: if not defined, first form in web page will be filled -form => "form:first", +form => '"form:first"', # may rely on perl functions and Apache environment vars, e.g #form => '(localtime)[2] >= 12 ? "#morningForm" : "#afternoonForm"', # If the inputs/textareas/select markups do not belong to any form, you can set -#form => "body" +#form => '"body"' # To enable form auto-submit, or to automatically click on a button # may be true (enabled), false (disabled), or a jQuery selector to the button to click on -submit => "true", +submit => '"true"', # may also rely on perl functions and Apache environment vars # optional, default value: false @@ -27,17 +27,17 @@ # Hash keys refer to input/textarea/select's name attribute # Fields value can rely on perl functions and Apache environment vars publicFormData => { - company => "SnakeOilsInc", + company => '"SnakeOilsInc"', user => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "user" : $ENV{REMOTE_USER} =~ /dwho/ ? "admin" : "nobody"', - password => "hidden" + password => '"hidden"' }, # Alternatively, if the inputs you want to fill in the html page # have no name attribute, you can define them with jQuery selectors #publicFilledData => { -# 'textarea.company' => "SnakeOilsInc", +# 'textarea.company' => '"SnakeOilsInc"', # 'input#user' => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "user" : $ENV{REMOTE_USER} =~ /dwho/ ? "admin" : "nobody"', -# 'input[type=password]' => "hidden" +# 'input[type=password]' => '"hidden"' #}, # Form fields to fill in request body - filled data will not be seen by user diff -Nru libreverseproxy-formfiller-perl-0.3/lib/ReverseProxy/FormFiller.pm libreverseproxy-formfiller-perl-0.5/lib/ReverseProxy/FormFiller.pm --- libreverseproxy-formfiller-perl-0.3/lib/ReverseProxy/FormFiller.pm 2014-04-29 07:55:49.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/lib/ReverseProxy/FormFiller.pm 2014-10-02 17:06:40.000000000 +0000 
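Review bot: The example file now writes every literal with two layers of quotes (`form => '"form:first"'`, `submit => '"true"'`, `company => '"SnakeOilsInc"'`), but none of its comments explains why, so someone editing it has no hint that the inner text is evaluated as a Perl expression. I would add a header comment such as `# form, submit and the *Data values are evaluated as Perl expressions: write literal strings as '"text"'`. The same applies to the second hunk of this file (`publicFormData` and the commented `publicFilledData`). The POD added elsewhere in this diff shows `submit => 'true'` without inner quotes, so it may be worth settling on one spelling across both places.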
@@ -8,7 +8,7 @@ use Apache2::Log; use URI::Escape; -our $VERSION = '0.3'; +our $VERSION = '0.5'; my $globalParams; @@ -159,20 +159,20 @@ =head1 VERSION -Version 0.3 +Version 0.5 =head1 SYNOPSIS -ReverseProxy::FormFiller makes an Apache server, positioned as a frontal server or as a reverse-proxy, fill and (possibly) submit html forms in place of users. +ReverseProxy::FormFiller makes an Apache server, positioned as a frontal server or as a reverse-proxy, fill and submit html forms in place of users. -This is particularly intended for authentication forms, if you want users to be authenticated with some account, but if you don't want them to know and type any password. But it also works with any html POST form. +This is particularly intended for authentication forms, if you want users to be authenticated with some account, but you don't want them to know and type any password. But it also works with any html POST form. ReverseProxy::FormFiller is based on Apache2 mod_perl filters. So, you have to enable mod_perl. =head2 Basic Example -Assume you want all users requesting auth.example.com to be authenticated as "jdoe", but you don't want to publish jdoe's password. -If auth.example.com's authentication form is located at http://auth.example.com/login.php and looks like +Assume you want all users requesting some web app to be authenticated as "jdoe", but you don't want to publish jdoe's password. +If the app's authentication form is located at http://auth.example.com/login.php and looks like
login:
@@ -204,16 +204,17 @@ and create a ReverseProxy::FormFiller config file at /etc/apache2/FormFiller/example, looking like - form => '#authForm', + form => '"#authForm"', submit => "true", publicFormData => { - login => "jdoe", - password => "fake", + login => '"jdoe"', + password => '"fake"', }, secretFormData => { - password => "secret", + password => '"secret"', }, +Quotes around strings are necessary for some parameters that are interpreted as perl expressions. Look at I for more details. =head2 Elaborate example @@ -226,11 +227,11 @@ /etc/apache2/FormFiller/example will look like jQueryUrl => 'http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js', - form => '#authForm', - submit => "button[type=submit]", + form => '"#authForm"', + submit => '"button[type=submit]"', publicFormData => { login => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin" : "user"', - password => "fake", + password => '"fake"', }, secretFormData => { password => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin-secret" : "user-secret"', 
@@ -246,30 +247,31 @@ form => '(localtime)[2] >= 12 ? "#morningForm" : "#afternoonForm"', submit => "false", publicFormData => { - login => "jdoe", # so, user believe he'll be authenticated as "jdoe" - password => "fake", + login => '"jdoe"', # so, user believe he'll be authenticated as "jdoe" + password => '"fake"', }, secretFormData => { - # but actually, he'll be authenticated as "admin" or as "user" - login => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin" : "user"', - password => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin-secret" : "user-secret"', + # but actually, he'll be authenticated as "admin" if he uses Firefox, as "user" else + login => '$ENV{HTTP_USER_AGENT} =~ /Firefox/ ? "admin" : "user"', + password => '$ENV{HTTP_USER_AGENT} =~ /Firefox/ ? "admin-secret" : "user-secret"', }, =head2 Framework example Some applications based on frameworks either use HTTP without HTML (e.g Flash), or they send POST data out of any HTML form. -This module allows to fill any HTML field from its jQuery selectors, thanks to the "publicFilledData" parameter. +This module allows to fill any HTML field from its jQuery selectors, thanks to the I parameter. -On the other hand, you can apply any substitution on POST datas, thanks to the "postDataSub" parameter - but it may require some tuning to get the right substitution PCRE. +On the other hand, you can apply any substitution on POST datas, thanks to the I parameter - but it may require some tuning to get the right substitution PCRE. Here is an example from a real-life GWT application : + jQueryUrl => '//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js', - form => 'body', - submit => 'button.genericButton', + form => '"body"', + submit => '"button.genericButton"', publicFilledData => { - 'input.gwt-TextBox' => 'jdoe', - 'input.gwt-PasswordTextBox' => 'fake', + 'input.gwt-TextBox' => '"jdoe"', + 'input.gwt-PasswordTextBox' => '"fake"', }, postDataSub => [ 's/jdoe\|fake/jdoe\|secret/' 
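Review bot: The rewritten `secretFormData` example picks the admin login and password from `$ENV{HTTP_USER_AGENT} =~ /Firefox/`, and the User-Agent header is chosen by the client, so a reader who copies this pattern gives the admin credentials to any request that sends that string. The version being replaced keyed on `$ENV{REMOTE_USER}`, which comes from the server's own authentication step. I would keep a server-set variable in the example, or at least add a comment next to it such as `# illustration only: do not select credentials from a request header`. The POD section this belongs to continues outside the hunk.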
@@ -285,7 +287,7 @@ PerlModule ReverseProxy::FormFiller This directive has to appear once in Apache config. -It can be set in server config or in a container. +It can be set in server config or in a C<< >> container. =head2 Set config parameters @@ -293,7 +295,7 @@ PerlSetVar FormFillerParamFile "/etc/apache2/FormFiller/example" -This directive can be set in server config or in a any container directive (as a container, a container or a container). It is applied only to requests matching the corresponding container directive. +This directive can be set in server config or in a any container directive (as a C<< >> container, a C<< >> container or a C<< >> container). It is applied only to requests matching the corresponding container directive. This directive can be set several times, so a single server can manage several forms (typically, on different virtualhosts, but you can also manage several forms in the same virtualhost). @@ -315,7 +317,7 @@ Header unset Content-Length -For performances, it is better to handle only html pages containing the aimed form. So, you should place these directives in a container directive matching the form URL (as a directive), so as not to filter any html content. +For performances, it is better to handle only html pages containing the aimed form. So, you should place these directives in a container directive matching the form URL (as a C<< >> directive), so as not to filter any html content. =head2 Filter request body 
@@ -323,134 +325,165 @@ PerlInputFilterHandler ReverseProxy::FormFiller::input -For performances, it is better to handle only requests to the form "action" URL. So, you should place this directive in a container directive matching this URL (as a directive), so as not to filter any request. +For performances, it is better to handle only requests to the form "action" URL. So, you should place this directive in a container directive matching this URL (as a C<< >> directive), so as not to filter any request. =head1 ReverseProxy::FormFiller config parameters +=head2 Config file + ReverseProxy::FormFiller config file looks similar to a .ini file, but it is not. Actually it is simply a hash content. So, don't forget commas ! In case of syntax error, you'll have a message " content doesn't seem to be a valid perl hash" in Apache error logs. -=head2 jQueryUrl +=head2 Parameters -URL to load jQuery, since ReverseProxy::FormFiller response filter relies on jQuery (any version >= 1.0) -Optional: if empty or not defined, jQuery is supposed to be already loaded in the web page +Most of config parameters are interpreted as perl expressions, not just as strings. So, they can rely on standard perl functions and request env vars (look at the examples below). These parameters are: -=head2 form +=over 4 -jQuery selector to the form to fill. -For example : +=item * form - form => "form#authForm", +=item * submit -or +=item * publicFormData values - form => "form:last", +=item * publicFilledData values -Optional: if empty or not defined, first form in web page will be filled - i.e., +=item * secretFormData values - form => "form:first", +=item * javascript -This field may rely on perl functions and Apache environment vars, e.g +=back - form => '(localtime)[2] >= 12 ? "#morningForm" : "#afternoonForm"', +That's why these parameters, if they are set to strings, need quotes around. For example, + + form => '#authForm', # bad ! + form => '"#authForm"', # good ! 
+ +Indeed, these parameters are Ied in a piece of code looking like + + eval "\$x = $form"; + +Well, in some cases quotes are unnecessary, because Perl in laxist enough to work with not-quoted strings: + + $x = "foo"; # this is right syntax + $x = foo; # this is lazy syntax, but it works + $x = "39foo"; # this is right syntax + $x = 39foo; # this does not work, an error is thrown "Bareword found where operator expected" + +=over 4 + +=item B + +URL to load jQuery, since ReverseProxy::FormFiller response filter relies on jQuery (any version >= 1.0) + +Optional: if empty or not defined, jQuery is supposed to be already loaded in the web page + +=item B + +jQuery selector to the form to fill. + +Optional: if empty or not defined, first form in web page will be filled. That is, default value is "form:first" -or +Here are few examples : + form => '"form#authForm"', + + form => '"form:last"', + + form => '(localtime)[2] >= 12 ? "#morningForm" : "#afternoonForm"', + form => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "#adminForm" : "#userForm"', -=head2 submit +=item B To enable form autosubmit, or to automatically click on a button. -It may be "true" (autosubmit enabled), "false" (autosubmit disabled), or a jQuery selector to the button to click on (this is sometimes useful, when clicking runs a javasript function). It also may rely on perl functions and Apache environment vars (as same as "form" parameter). +It may be "true" (autosubmit enabled), "false" (autosubmit disabled), or a jQuery selector to the button to click on (this is sometimes useful, when clicking runs a javasript function). Optional: if empty or not defined, autosubmit is disabled - that is, default value is "false". For example, - submit => "true", - -or - submit => 'button#login', + submit => 'true', + + submit => '"button#login"', -=head2 publicFormData +=item B Form fields to fill in html form : these data will be seen by user. 
Additionnaly, these fields will be controled in POST request when the form will be submitted, to prevent malicious users to change any value. -As same as "submit" and "form" parameters, field values can rely on perl functions and Apache environment vars. - For example, publicFormData => { - company => "SnakeOilsInc", + company => '"SnakeOilsInc"', user => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin" : "user"', - password => "hidden" + password => '"hidden"' }, -Note that these data are filled through jQuery method '.val()', so it works only with text inputs, password inputs, select tags and textarea, but not with checkboxes and radio buttons. In order to select on radio buttons or check on checkboxes, look at the "javascript" parameter. +Note that these data are filled through jQuery method '.val()', so it works only with text inputs, password inputs, select tags and textarea, but not with checkboxes and radio buttons. In order to select on radio buttons or check on checkboxes, look at the I parameter. -=head2 publicFilledData +=item B Input fields to fill, defined by jQuery selectors instead of their name attribute. This is useful if an input field has no name attribute. -As same as publicFormData, -* these data will be seen by users -* field values can rely on perl functions and Apache environment vars -* it works only with text inputs, password inputs, select tags and textarea. - -Unlike to publicFormData, these fields are note controled in POST request against malicious tampering of values. - publicFilledData => { - 'textarea.company' => "SnakeOilsInc", + 'textarea.company' => '"SnakeOilsInc"', 'input#user' => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "user" : $ENV{REMOTE_USER} =~ /dwho/ ? "admin" : "nobody"', - 'input[type=password]' => "hidden" + 'input[type=password]' => '"hidden"' } -Parameters publicFormData and publicFilledData can be used together. 
+As same as I, these data will be seen by users, and it works only with text inputs, password inputs, select tags and textarea. -=head2 secretFormData +Unlike to I, these fields are not controled in POST request against malicious tampering of values. -Form fields to fill in request body, in addition or in overload to publicFormData. The main with between publicFormData is that these data will not be filled in the html form, so users can't see them. +Parameters I and I can be used together. -Field values can rely on perl functions and Apache environment vars. +=item B + +Form fields to fill in request body, in addition or in overload to I. The main difference with I is that these data will not be filled in the html form, so users can't see them. secretFormData => { password => '$ENV{REMOTE_USER} =~ /(rtyler|msmith)/ ? "admin-secret" : "user-secret"', }, -=head2 postDataSub +=item B -Substitutions to apply to POST datas. Substitutions are defined with PCRE; they may use captures and may rely on Apache environment vars. +Substitutions to apply to POST datas. Substitutions are defined with PCRE and may use captures. They may rely on env vars, but not on perl functions. -Parameter postDataSub is an array ref and not a hash ref (unlike to publicFormData, publicFilledData and secretFormData). Hence substitutions are applied in the order they are defined. +Parameter I is an array ref and not a hash ref (unlike to I, I and I). Hence substitutions are applied in the order they are defined. 
Basic example: + postDataSub => [ 's/foo/bar/gi', ] If POST data are made of colon-separated values and you want to change 5th value into "foo": + postDataSub => [ 's/^((.+?:){4}).+?:/$1:foo:/' # if POST data are made of :-separated values and you want to change 5th value into "foo" ] In order to rewrite POST data so as to force jdoe's password to "jdoe-secret" and rtyler's to "rtyler-passwd", whereas these passwords are disclosed - assume POST data is '[login]:[password]' + postDataSub => [ 's/^.*$/$ENV{REMOTE_USER}:$ENV{REMOTE_USER}/', 's/jdoe:jdoe/jdoe:jdoe-secret/', 's/rtyler:rtyler/rtyler:rtyler-passwd/' ] -=head2 javascript +=item B Arbitrary javascript code to run after fields are filled, but before posting the form. -This javascript code can rely on perl functions and Apache environment vars. If you call jQuery through its shortcut '$', you have to escape it. Use single quotes and double quotes as in the example. +If you call jQuery through its shortcut '$', you have to escape it. Use single quotes and double quotes as in the example. javascript => 'alert("Hello $ENV{REMOTE_USER}"); \$(input.mycheckbox).prop("checked", true)' +=back + =head1 AUTHOR FX Deltombe, C<< >> @@ -499,7 +532,7 @@ =head1 LICENSE AND COPYRIGHT -Copyright 2013 FX Deltombe. +Copyright 2013-2014 FX Deltombe. This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published diff -Nru libreverseproxy-formfiller-perl-0.3/META.yml libreverseproxy-formfiller-perl-0.5/META.yml --- libreverseproxy-formfiller-perl-0.3/META.yml 2014-04-29 07:50:00.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/META.yml 2014-10-02 17:06:53.000000000 +0000 
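Review bot: The new Parameters section explains that `form`, `submit`, the data-hash values and `javascript` go through `eval "\$x = $form"`, but it does not state the consequence: whatever is written in the config file runs as Perl inside the Apache process. A sentence right after the eval snippet would cover it, for example `The config file is executed as code: keep it writable by the administrator only and never generate it from user-supplied data.` The bareword paragraph (`$x = foo; # this is lazy syntax, but it works`) also deserves tightening, because an unquoted word that matches a Perl function name is called rather than used as a string, and barewords are rejected wherever `strict subs` is in effect; recommending the inner quotes unconditionally would be simpler. The eval code itself is outside this hunk, so how strictures apply there should be confirmed against the module body.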
@@ -1,6 +1,6 @@ --- #YAML:1.0 name: ReverseProxy-FormFiller -version: 0.3 +version: 0.5 abstract: Let Apache fill and submit any html form in place of the user author: - FX Deltombe diff -Nru libreverseproxy-formfiller-perl-0.3/README libreverseproxy-formfiller-perl-0.5/README --- libreverseproxy-formfiller-perl-0.3/README 2013-04-10 12:50:23.000000000 +0000 +++ libreverseproxy-formfiller-perl-0.5/README 2014-09-24 17:01:26.000000000 +0000 @@ -42,7 +42,7 @@ LICENSE AND COPYRIGHT -Copyright (C) 2013 FX Deltombe +Copyright (C) 2013-2014 FX Deltombe This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published