[ https://issues.apache.org/jira/browse/TS-4653?focusedWorklogId=25475&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-25475 ]

ASF GitHub Bot logged work on TS-4653:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Jul/16 08:45
            Start Date: 14/Jul/16 08:45
    Worklog Time Spent: 10m
      Work Description: GitHub user shukitchan opened a pull request:

    https://github.com/apache/trafficserver/pull/798

    TS-4653: esi plugin - disable HTTP_COOKIE variable by default and imp…

    …lement a whitelist mechanism to allow the specified cookies for it

    Original code and idea contributed by Chris Rohlf (chris.ro...@gmail.com)

    @bryancall / @jpeach, pls help to review. Thanks a lot.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shukitchan/trafficserver esicookiepatch

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/798.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #798

----
commit 2caf4e54aedb0428ad3dd9233c5f12958e28546b
Author: Kit Chan <kic...@apache.org>
Date:   2016-07-14T08:42:24Z

    TS-4653: esi plugin - disable HTTP_COOKIE variable by default and implement a whitelist mechanism to allow the specified cookies for it

----

Issue Time Tracking
-------------------

    Worklog Id:     (was: 25475)
    Time Spent: 10m
    Remaining Estimate: 0h

> ESI plugin - $HTTP_COOKIE can leak important cookie info unintentionally
> ------------------------------------------------------------------------
>
>                 Key: TS-4653
>                 URL: https://issues.apache.org/jira/browse/TS-4653
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Kit Chan
>            Assignee: Kit Chan
>             Fix For: 7.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In the ESI spec, we can print out cookie information with $HTTP_COOKIE. This can be problematic and unintentionally print out sensitive info on a web page.
> We should have a mechanism to disable this by default and allow us to fine-tune it so we can choose to expose this functionality for only the cookie that we allow.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
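As an added illustration (not code from the ATS ESI plugin or from the linked pull request), a C++ sketch of the allowlist behaviour the issue asks for: the request's Cookie header is parsed, and only allowlisted cookie names are exposed through the $HTTP_COOKIE value, with an empty allowlist (the proposed default) exposing nothing. The function names, the name-ordered serialisation and the per-name `$HTTP_COOKIE{name}` lookup form are assumptions made for this example.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>

// Trim ASCII whitespace from both ends of a cookie-pair fragment.
static std::string trim(const std::string &s) {
    const char *ws = " \t";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::string::size_type e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parse a Cookie request header ("a=1; b=2") into name -> value.
// Fragments without '=' are skipped; a repeated name keeps the first value.
std::map<std::string, std::string> parseCookieHeader(const std::string &header) {
    std::map<std::string, std::string> cookies;
    std::stringstream ss(header);
    std::string pair;
    while (std::getline(ss, pair, ';')) {
        std::string::size_type eq = pair.find('=');
        if (eq == std::string::npos) continue;
        std::string name = trim(pair.substr(0, eq));
        std::string value = trim(pair.substr(eq + 1));
        if (!name.empty()) cookies.emplace(name, value);
    }
    return cookies;
}

// Value the ESI template sees for $HTTP_COOKIE (hypothetical helper, not the
// plugin's API): only allowlisted cookies survive, re-serialised in name order.
// An empty allowlist (the default) yields "", so session or auth cookies never
// reach page output unless an operator explicitly allows them.
std::string httpCookieVariable(const std::string &header, const std::set<std::string> &allowed) {
    std::string out;
    for (const auto &kv : parseCookieHeader(header)) {
        if (allowed.count(kv.first) == 0) continue;
        if (!out.empty()) out += "; ";
        out += kv.first + "=" + kv.second;
    }
    return out;
}

// Single-cookie lookup ($HTTP_COOKIE{name}); "" unless the name is allowlisted.
std::string httpCookieByName(const std::string &header, const std::set<std::string> &allowed, const std::string &name) {
    if (allowed.count(name) == 0) return "";
    auto cookies = parseCookieHeader(header);
    auto it = cookies.find(name);
    return it == cookies.end() ? "" : it->second;
}
```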