Skip to content

Support non-string header values that stringify #137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 7, 2020
Merged

Support non-string header values that stringify #137

merged 2 commits into from
May 7, 2020

Conversation

horgh
Copy link
Contributor

@horgh horgh commented May 6, 2020

To avoid leaking secrets in stack traces, my team has started passing
secrets as blessed coderefs, similar to Secret.pm in this commit. One of
the spots we have a secret is in a header value.

I found that passing such an object to HTTP::Headers sort of works
already, but when LWP tries to use it in the request it calls clone()
which fails due to Storable throwing "Can't store CODE items".

Instead, this changes us to use Clone::clone which seems to provide
similar functionality while supporting this use case.

I'm not sure if there's important functional implications though between Storable and Clone.

Thank you!

@horgh
Support non-string header values that stringify
77c82a6 
To avoid leaking secrets in stack traces, my team has started passing
secrets as blessed coderefs, similar to Secret.pm in this commit. One of
the spots we have a secret is in a header value.

I found that passing such an object to HTTP::Headers sort of works
already, but when LWP tries to use it in the request it calls clone()
which fails due to Storable throwing "Can't store CODE items".

Instead, this changes us to use Clone::clone which seems to provide
similar functionality while supporting this use case.
@oalders
Copy link
Member

oalders commented May 6, 2020

Pinging @ether, @genio and @skaji for thoughts on this.

@oalders
Copy link
Member

oalders commented May 6, 2020

@atoomic do you foresee any issues with swapping out Storable for Clone in this way?

@atoomic
Copy link

atoomic commented May 6, 2020

Using Clone seems fine to me here

@genio
Copy link
Member

genio commented May 6, 2020

Seems fine to me here as well.

@skaji
Copy link
Member

skaji commented May 6, 2020

I think we should be careful when we introduce new XS dependencies.
How about making Clone module "runtime recommends"?

@horgh
Copy link
Contributor Author

horgh commented May 7, 2020

That sounds good! I did that.

Another thought is we could potentially drop the code path using Storable/Clone all together, given it's optional.

@skaji
Copy link
Member

skaji commented May 7, 2020

@horgh Thanks. LGTM

@oalders
Copy link
Member

oalders commented May 7, 2020

The AppVeyor failures are happening in master as well, so I don't think those are significant here.

@oalders oalders merged commit 196c9c4 into libwww-perl:master May 7, 2020
@oalders
Copy link
Member

oalders commented May 7, 2020

Thanks @horgh, @atoomic, @genio and @skaji!

@oalders
Copy link
Member

oalders commented May 7, 2020

https://metacpan.org/release/OALDERS/HTTP-Message-6.23-TRIAL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oalders oalders oalders approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@horgh @oalders @atoomic @genio @skaji