Re: corrupt cookie kills mod-perl / apreq

[Joe Schaefer]

Joe Schaefer <[EMAIL PROTECTED]> writes:

>>'Cookie' =>
>> 'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin;
>> wordpresspass_c580712eb86cad2660b3601ac04202b2=7ebeeed42ef50720940f5b8db
>> 2f9db49; rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx-
>> postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-',
>
> I don't see anything fundamentally wrong with that header.

Doh- now I do.  The commas in the final cookie are what's causing
the parsing problem.

From:

http://wp.netscape.com/newsref/std/cookie_spec.html

 NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma
and white space.

-- 
Joe Schaefer

Re: corrupt cookie kills mod-perl / apreq

[Joe Schaefer]

Jonathan Vanasco <[EMAIL PROTECTED]> writes:

> BUT it brings up this issue - a corrupt cookie of this sort seems to  call a
> die() in modperl  once libapreq attempts to parse it.  i'd say  50% of
> the dies are met with a segfault.  i don't know why its not a  1:1 ratio.

It's supposed to die, but it's obviously not supposed to segfault.
Have you tried putting a "use APR::Request::Error" in the offending
script, to see if that impacts on the segfaults?

>> I couldn't seem to find any way to provide a defense against this.   Just
> calling cookiejar->cookie() will cause the error.
>   my $cookiejar   = Apache2::Cookie::Jar->new( $self->{'apr'} );
>   my @names   = $cookiejar->cookies();
>
> the segfault, natually, occurs whether or not the code is wrapped in  an eval
> block.  an eval block didn't seem to catch the other  error  either
> (sorry, but i can't discern what it is)


  use APR::Request::Error;

  my $req = APR::Request::Apache2->new($r);
  eval {
   my $jar = $req->jar; #table of cookies
   ...
  };

  if (ref $@ and [EMAIL PROTECTED]>isa("APR::Request::Error") ) {
 my $jar = [EMAIL PROTECTED]>jar; # table of successfully parsed cookies
 ...
  }

>'Cookie' =>
> 'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin;
> wordpresspass_c580712eb86cad2660b3601ac04202b2=7ebeeed42ef50720940f5b8db
> 2f9db49; rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx-
> postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-',

I don't see anything fundamentally wrong with that header.
Will do some testing tho.

-- 
Joe Schaefer

corrupt cookie kills mod-perl / apreq

[Jonathan Vanasco]

[note: x-posted to modperl]
[note: i sent this earlier from an unsubscribed address.  that  
shouldn't go through.  if it does, apologies in advance ]


I wrote a web services module to incorporate the TrackBack protocol  
into my mod_perl application


I started testing it using WordPress - the php blog software

It seems to have set a cookie (see details below) , that causes an  
automatic error in modperl


The error in the logs is :"Expected token not present"

It was touched briefly in :
[mp2] "Expected token not present" error in logs
Date: Sun, 8 Jan 2006 11:18:10 -0500

The extent to which it was discussed was:

Joe Schaefer
	It probably means that the request's Cookie: header was missing an  
"=" sign.

Philip M. Gollucci
joes: any possibility of improving that error message in 2.07-dev ?

And then the conversation died.

The issue seems to be definitively caused by an issue in the way that  
wordpress encodes the cookie and safari sends it

http://wordpress.org/support/topic/52813
http://www.darcynorman.net/2005/12/21/upgrading-blog-to-wp-20-rc3

From the headers_in , it seems that WordPress includes raw-php code  
(instead of executing it), and either wordpress or safari doesn't  
properly escape the = sign in the cookies.


In production I see little chance this will affect me or any other  
user -- the invalid cookie isn't going to be sent to the box.


BUT it brings up this issue - a corrupt cookie of this sort seems to  
call a die() in modperl  once libapreq attempts to parse it.  i'd say  
50% of the dies are met with a segfault.  i don't know why its not a  
1:1 ratio.


I couldn't seem to find any way to provide a defense against this.   
Just calling cookiejar->cookie() will cause the error.

my $cookiejar   = Apache2::Cookie::Jar->new( $self->{'apr'} );
my @names   = $cookiejar->cookies();

the segfault, natually, occurs whether or not the code is wrapped in  
an eval block.  an eval block didn't seem to catch the other  error  
either (sorry, but i can't discern what it is)


Can someone suggest an approach?  Maybe some sort of validation regex  
needs to be in/updated on the cookie parsing code?  I'm a little  
uneasy with the idea that sending a bad cookie gives a 50% chance to  
segfault a server.


I've enclosed a Data::Dumper representation of the the APR::Table  
headers_in atfer the cookie info.  I'll be happy to pull it into any  
other format if instructed how.


To recreate this, you can use:
wordpress-2.0.1 (current)
mac osx 10.4 + safari 2.0.3
libapreq 2.07
httpd 2.055

===
Created
193189633
Domain
g5.local
Expires
2007-02-14T23:47:13Z
Name
dbx-postmeta
Path
/
Value
grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-
===
$headers_in = bless( {
   'Accept' => '*/*',
   'Accept-Language' => 'en',
   'Accept-Encoding' => 'gzip, deflate',
   'Cookie' =>  
'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin;  
wordpresspass_c580712eb86cad2660b3601ac04202b2=7ebeeed42ef50720940f5b8db 
2f9db49; rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx- 
postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-',
   'User-Agent' => 'Mozilla/5.0 (Macintosh; U;  
PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8',

   'Connection' => 'keep-alive',
   'Host' => 'g5.local:8082'
 }, 'APR::Table' );