0

I'm writing a CGI script (Perl on Apache, no other framework) that's supposed to be a webhook endpoint. The technical details are it's supposed to receive events from a Shopify store, but that's semi-irrelevant. Shopify tells me that in order to verify that the webhook came from them, I need to calculate the HMAC using a secret key they provide, and make sure it matches the value in the X-SHOPIFY-HMAC-SHA256 header. I've used requestb.in to look at the webhook as it's sent, and I can verify that the http client they're using is sending the X-header.

However, when my CGI script runs, I only get the bog-standard headers. X-SHOPIFY-HMAC-SHA256 is neither found in Perl CGI module http() nor in the %ENV environment variables. (I read How do I access the HTTP Header of request in a CGI script? and How to fetch HTTP headers in perl when using CGI)

I'm using cgiwrap to get my script additional privileges, but that shouldn't stop me from seeing the headers right?

AnotherParker
  • 789
  • 5
  • 16

1 Answers1

2

Plain apache sets environment variables for HTTP headers. Try it without any wrapper first. You might also try printenv.cgi:

#!/usr/bin/perl
use Data::Dumper;

print "Content-type: text/plain\r\n\r\n".Dumper(\%ENV);

Call printenv or your script manually to check if the caller might cause the problem:

curl -H "Foo: Bar" http://localhost/cgi-bin/printenv.cgi

You might also want to dump to a file if your script is being called as API.

See also http://httpd.apache.org/docs/current/howto/cgi.html

Sebastian
  • 2,472
  • 1
  • 18
  • 31