original

diff --git a/lib/Koha/Middleware/SetEnv.pm b/lib/Koha/Middleware/SetEnv.pm
new file mode 100644 (file)
index 0000000..6807392
--- /dev/null
+++ b/lib/Koha/Middleware/SetEnv.pm
@@ -0,0 +1,113 @@
+package Koha::Middleware::SetEnv;
+
+# Copyright 2016 ByWater Solutions and the Koha Dev Team
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+
+use parent qw(Plack::Middleware);
+
+use Plack::Request;
+
+=head1 NAME
+
+Koha::Middleware::SetEnv - Plack middleware to allow SetEnv through proxied headers
+
+=head1 SYNOPSIS
+
+  builder {
+      ...
+      enable "Koha::Middleware::SetEnv";
+      ...
+  }
+
+
+
+=head1 DESCRIPTION
+
+This module adds a Plack middleware to convert C<X-Koha-SetEnv> request headers to actual
+environment variables.
+
+This is needed because Plackified Koha is currently connected to Apache via an HTTP proxy, and
+C<SetEnv>s are not passed through. Koha uses SetEnvs to pass memcached settings and per-virtualhost
+styles, search limits and syspref overrides.
+
+=head1 CAVEATS
+
+Due to how HTTP headers are combined, if you want to set a value with an embedded comma, it must be
+escaped:
+
+  SetEnv OVERRIDE_SYSPREF_LibraryName "The Best, Truly the Best, Koha Library"
+  RequestHeader add X-Koha-SetEnv "OVERRIDE_SYSPREF_LibraryName The Best\, Truly the Best\, Koha Library"
+
+=head1 NOTES
+
+This system was designed to use a single header for reasons of security. We have no way of knowing
+whether a given request header was set by Apache or the original client, so we have to clear any
+relevant headers before Apache starts adding them. This is only really practical for a single header
+name.
+
+=cut
+
+my $allowed_setenvs = qr/^(
+    OVERRIDE_SYSPREF_(\w+) |
+    OVERRIDE_SYSPREF_NAMES |
+    OPAC_CSS_OVERRIDE |
+    OPAC_SEARCH_LIMIT |
+    OPAC_LIMIT_OVERRIDE |
+    TZ
+)\ /x;
+
+sub call {
+    my ( $self, $env ) = @_;
+    my $req = Plack::Request->new($env);
+
+    # First, we split the result only on unescaped commas.
+    my @setenv_headers = split /(?<!\\),\s*/, $req->header('X-Koha-SetEnv') || '';
+
+    # Then, these need to be mapped to key-value pairs, and commas removed.
+    my %setenvs = map {
+        # The syntax of this is a bit awkward because you can't use return inside a map (it
+        # returns from the enclosing function).
+        if (!/$allowed_setenvs/) {
+            warn "Forbidden/incorrect X-Koha-SetEnv: $_";
+
+            ();
+        } else {
+            my ( $key, $value ) = /(\w+) (.*)/;
+            $value =~ s/\\,/,/g;
+
+            ( $key, $value );
+        }
+    } @setenv_headers;
+
+    # Finally, everything is shoved into the $env.
+    $env = {
+        %$env,
+        %setenvs
+    };
+
+    return $self->app->($env);
+}
+
+=head1 AUTHOR
+
+Jesse Weaver, E<lt>jweaver@bywatersolutions.comE<gt>
+
+=cut
+
+1;