[Ur] Request environment variables
Adam Chlipala
adamc at csail.mit.edu
Sun Jul 29 12:37:26 EDT 2012
Edward Z. Yang wrote:
> Servers pass a lot of interesting information to the CGI
> programs in the form of environment variables (for example,
> if you do client cert authentication, that info comes in the
> form of an environment variable.) It would be great if
> Ur/Web could access that information.
>
> Now, implementing this requires a little bit of cooperation
> from the SAPIs, since, for example, FastCGI passes in its
> environment variables from the wire, so just calling getenv
> doesn't work. But probably a 'getenv : string -> transaction string'
> would work reasonably well.
Just exposing the environment variables literally doesn't sound so
appetizing: any [transaction] code would be able to read any environment
variable. There could be sensitive information in there, and it's nice
to be able to run other people's library code without worrying that it
can read sensitive information.
Ur/Web already supports a whitelist of HTTP headers that may be read by
transactions. What do you think of a directive that maps an environment
variable name in as a specific HTTP header? Then the existing mechanism
can do double-duty via a single whitelist.
Another idea would be to create an abstract "capability" type, where a
page handler may always request such a value as a function argument.
State-access functions like header/environment variable reading could
require a value of this type as an argument, so that a page handler
could call other functions without giving them direct access to touch
the request/response context.
I'm inclined to implement both of these ideas.
More information about the Ur
mailing list