Hello
Here is the latest Caml Weekly News, for the week of 13 to 20 January, 2004.
A security problem has been found in mod_caml 1.0.5 and earlier which could lead to a SQL insertion attack on PostgreSQL databases. mod_caml normally escapes strings before inserting them into PostgreSQL queries. However, a bug was found in this escaping function. This would allow attackers to craft arbitrary SQL commands to run against the database. This is fixed in version 1.0.6, along with some other minor bugfixes, or you can apply the source patch at the end of this message.

Because savannah.nongnu.org continues to be partially unavailable, version 1.0.6 is available here: http://www.annexia.org/tmp/mod_caml-1.0.6.tar.gz (about 74K)

Rich.

----------------------------------------------------------------------

From: http://www.merjis.com/developers/mod_caml/

What is mod_caml?

mod_caml is a set of Objective CAML (OCaml) bindings for the Apache API. It allows you to run CGI scripts written in OCaml directly inside the Apache webserver. However, it is much, much more than just that:

* Bind to any part of the Apache request cycle.
* Read and modify internal Apache structures.
* Share modules of code between handlers and scripts.
* CGI library and templating system (allows separation of code and presentation).
* Works with Apache 1.3 and Apache 2.0.
* DBI library for simple database access.
* DBI library can use Perl DBDs (database drivers) [requires Perl4Caml >= 0.3.6]

----------------------------------------------------------------------

diff -u -r1.11 dbi_postgres.ml
--- dbi_postgres.ml	23 Nov 2003 14:24:57 -0000	1.11
+++ dbi_postgres.ml	15 Jan 2004 13:34:04 -0000
@@ -42,11 +42,16 @@ (* Damn. [Postgres] module doesn't export the PQescapeString function, so * I've had to write it myself. *) -let escape_string s = - String.concat "" [ "'"; - (Pcre.replace ~pat:"'" ~templ:"''" s); - "'" ] +let escape_string = + let re1 = Pcre.regexp "'" in (* Double up any single quotes. *) + let sub1 = Pcre.subst "''" in + let re2 = Pcre.regexp "\\\\" in (* Double up any backslashes. *) + let sub2 = Pcre.subst "\\\\" in + fun s -> + let s = Pcre.replace ~rex:re1 ~itempl:sub1 s in + let s = Pcre.replace ~rex:re2 ~itempl:sub2 s in + "'" ^ s ^ "'" (* Surround with quotes. *) (* PCRE regular expressions for parsing timestamps and intervals. *) let re_timestamp =
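Review bot: the hand-rolled replacement for PQescapeString now doubles backslashes as well as single quotes, but nothing in the hunk records why the backslash case matters (PostgreSQL reads `\'` as an escaped quote, so a value ending in a backslash lets the following doubled quote close the literal early); the comment above `escape_string` should say so, and a regression test with an input containing `\'` that asserts the result is `'\\'''` would keep the two substitutions honest. Since neither substitution can produce the character the other one looks for, the order of `re1`/`re2` is not significant, which is also worth stating in the comment.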
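To see why doubling only the quotes is insufficient, here is an added illustration that is not mod_caml's code: the old and fixed escaping side by side, written in Python so that a simplified backslash-escaping PostgreSQL literal lexer (the behaviour the 2004 server defaulted to) fits in a few lines. The probe inputs are constructed for the example.

```python
from typing import Callable, Dict, Tuple

def escape_old(s: str) -> str:
    """mod_caml <= 1.0.5 behaviour: only single quotes are doubled."""
    return "'" + s.replace("'", "''") + "'"

def escape_fixed(s: str) -> str:
    """mod_caml 1.0.6 behaviour: single quotes and backslashes are both doubled."""
    s = s.replace("'", "''")
    s = s.replace("\\", "\\\\")
    return "'" + s + "'"

def parse_literal(sql: str) -> Tuple[str, str]:
    """Consume one quoted literal the way a backslash-escaping lexer does:
    '' yields a quote, \\x yields x, the first lone ' closes the literal.
    Simplified model: escapes such as \\n are not translated. Returns
    (decoded value, SQL text left over after the closing quote)."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a quote")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):          # backslash escape: keep next char
            out.append(sql[i + 1])
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":  # doubled quote
            out.append("'")
            i += 2
        elif c == "'":                              # closing quote
            return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def round_trips(escape: Callable[[str], str], s: str) -> bool:
    """True iff the escaped literal decodes back to s with nothing spilling past it."""
    try:
        return parse_literal(escape(s)) == (s, "")
    except ValueError:
        return False

# Constructed probe inputs: a harmless apostrophe, and a value containing the
# backslash-quote sequence that the 1.0.6 fix addresses.
PROBES = ["O'Reilly", "\\' x"]

def compare(escape: Callable[[str], str]) -> Dict[str, bool]:
    """Which probes survive a round trip through the given escaper."""
    return {p: round_trips(escape, p) for p in PROBES}

if __name__ == "__main__":
    for name, fn in (("old", escape_old), ("fixed", escape_fixed)):
        print(name, compare(fn))
```

With the old escaper the `\' x` probe decodes to a bare `'` and leaves ` x'` outside the literal, which is the injection point; the fixed escaper decodes it intact. Note that current PostgreSQL defaults to standard_conforming_strings = on, where backslashes in plain quoted strings are literal, so today the correct approach is bound parameters or PQescapeStringConn rather than this doubling.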
> What I'd like to see is to be able to pattern match on regexs, like:
> match str with
> | /ab+/ -> ...
> | /foo(bar)*/ -> ...
>
> etc.

My camlp4-macro named Regexp/OCaml may solve most of the requests: try it from http://www.yl.is.s.u-tokyo.ac.jp/~oiwa/caml/ .

Using Regexp/OCaml, you can write code like

  Regexp.match str with
    "^(\d+)-(\d+)$" as f : int, t : int ->
      for i = f to t do printf "%d\n" i done
  | "^(\d+)$" as s : int ->
      printf "%d\n" s

to perform a branch based on multiple regular patterns and to extract matched substrings automatically (bound to f, t, s respectively, after being converted to int type using int_of_string). See http://www.yl.is.s.u-tokyo.ac.jp/~oiwa/pub/caml/regexp-pp-0.9.3/README.match-regexp for further details.

> The compiler could then combine all the matchings into a single DFA,
> improving performance over code like:
>
> if (regex_match str "ab+") then
>   ...
> else if (regex_match str "foo(bar)*") then
>   ...
> else
>   ...

The code generated by current Regexp/OCaml is something similar to the above (however, pattern compilations are performed only once per execution per each pattern), but if the backend regexp engine (currently Regexp/OCaml uses PCRE/OCaml) supports optimization for multiple regular expression matching, Regexp/OCaml can easily utilize it. Analysis for patterns may be performed at the compilation (camlp4-translation) phase, if required.

> The regex matching would also let the compiler know if there were possible
> unmatched strings (these would show up as transitions to the error state
> in the DFA).

This feature is not currently implemented in Regexp/OCaml, but as the macro package owns a self-implemented parser for regular patterns, it is possible to implement if I have enough time to do so. (And it is included in my personal to-do list for Regexp/OCaml.)

Markus Mottl added:
> The code generated by current Regexp/OCaml is something similar to the
> above, (however, pattern compilations are performed only once per
> execution per each pattern.) but if the backend regexp engine
> (currently Regexp/OCaml uses PCRE/OCaml) supports optimization for
> multiple regular expression matching, Regexp/OCaml can easily
> utilize it. Analysis for patterns may be performed at compilation
> (camlp4-translation) phase, if required.

As mentioned in a previous post, this could be done using the callout features of PCRE-OCaml. Only problem: the string to be matched is internally copied to the C heap (once), because the OCaml GC could theoretically move the string to another memory location in the OCaml heap during callouts. Thus, it may not be as efficient as you expect, and possibly only pays off if the patterns match the same, long string prefixes. Unfortunately, there is no workaround for this: you'd either have to rewrite PCRE so that you can return pointers to new string locations after each callout (no, thanks ;) or somehow be able to temporarily protect strings from being moved by the GC (not feasible either, I suppose; it would, however, work with character strings in char Bigarrays if I am not mistaken).
http://ontil.ihep.su/~vsl/

MPassing-0.0.0: simple ConcurrentML-like message passing library with network transparency (currently based on Marshal functionality), including some common features like thread pools, consumer queues, logging, notifications.

J4-0.0.0: simple base to build Joy-like embedded languages for Objective Caml programs. Suitable for research purposes only.

Camllisp-0.0.0: lisp-like embeddable language for Objective Caml.
I'm pleased to announce the first release of caml-get, an experimental tool to distribute and get Objective-Caml code, in a way similar to the apt-get utility.

What is it? How does it work? Where to get it? Answers are on the caml-get home page: http://pauillac.inria.fr/~guesdon/Tools/camlget/

Comments are welcome, especially since I don't know about any similar tool.
Here is a quick trick to help you read this CWN if you are viewing it using vim (version 6 or greater).
:set foldmethod=expr
:set foldexpr=getline(v:lnum)=~'^=\\{78}$'?'<1':1
zM
If you know of a better way, please let me know.
If you happen to miss a CWN, you can send me a message and I'll mail it to you, or go take a look at the archive or the RSS feed of the archives.
If you also wish to receive it every week by mail, you may subscribe online.