Re: mod_rewrite cookies
On 07/19/2008 06:08 PM, Nick Kew wrote:
> Reviewing the backport proposal in STATUS, it amounts to
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330
> It still seems to be at risk of generating a malformed cookie,
> if secure is unset (NULL) but httponly is set.

I ignore the way cookie parts are internally stored, but are they always stored in this order (expires:path:secure:HttpOnly)? Couldn't we have ...:HttpOnly:secure? If so, we could end up comparing strings with the wrong cookie part.

Also, in the internal format, could "secure" and "httponly" be stored as "1" or "true"? In rev 664330, both "secure" and "httponly" are compared against "1" and "true"; in rev 647395 and in the patch attached to bug 44799, only secure is compared against "1" and "true". This is quite confusing ...
Re: mod_rewrite cookies
On 07/19/2008 06:08 PM, Nick Kew wrote:
> Reviewing the backport proposal in STATUS, it amounts to
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330
> It still seems to be at risk of generating a malformed cookie,
> if secure is unset (NULL) but httponly is set.
>
> Shouldn't it guard against this by reporting a syntax error if secure
> (or indeed httponly) is set to an unrecognised value?
>
> Or have I just been staring at a screen for too long?

Unless I am confused as well it is the latter :-). If secure is unset or has the wrong value the result of the ? operator will be NULL. It doesn't matter what value comes after that as apr_pstrcat only cats the strings until it reaches the first NULL parameter.

Regards

Rüdiger
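The apr_pstrcat behaviour Rüdiger describes is easy to see in isolation. The following is an added example, not code from mod_rewrite, APR or anyone in this thread: pstrcat_mock is a stand-in for apr_pstrcat that reproduces the one property that matters here (arguments are concatenated until the first NULL, which is the varargs terminator) using malloc instead of an APR pool. The cookie_risky and cookie_safe helpers, the is_true check and the sample cookie values are all constructed for the illustration. It shows why a NULL produced by the ?: operator does not yield a malformed cookie but silently drops every part after it (HttpOnly in the case Nick raised), and that an empty string in place of NULL keeps the later parts.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Stand-in for apr_pstrcat(pool, ...): concatenates its arguments up to the
 * first NULL, which terminates the list. Uses malloc rather than a pool;
 * the caller owns the returned buffer. (Constructed mock, not APR code.) */
static char *pstrcat_mock(const char *first, ...)
{
    va_list ap;
    size_t len = 0;
    const char *s;

    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *))
        len += strlen(s);
    va_end(ap);

    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    out[0] = '\0';

    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *))
        strcat(out, s);
    va_end(ap);
    return out;
}

/* Accept "1" or "true" (case-insensitive) as the thread describes;
 * NULL (unset) and anything else count as false. */
static int is_true(const char *v)
{
    return v != NULL && (strcmp(v, "1") == 0 || strcasecmp(v, "true") == 0);
}

/* Pattern discussed in the thread: when secure is unset the ?: operator
 * yields NULL, pstrcat stops there, and HttpOnly is never appended. */
char *cookie_risky(const char *name, const char *val,
                   const char *secure, const char *httponly)
{
    return pstrcat_mock("Set-Cookie: ", name, "=", val,
                        is_true(secure)   ? "; secure"   : NULL,
                        is_true(httponly) ? "; HttpOnly" : NULL,
                        (const char *)NULL);
}

/* Same cookie built with "" instead of NULL for the absent attribute, so
 * the argument list stays intact and HttpOnly survives on its own. */
char *cookie_safe(const char *name, const char *val,
                  const char *secure, const char *httponly)
{
    return pstrcat_mock("Set-Cookie: ", name, "=", val,
                        is_true(secure)   ? "; secure"   : "",
                        is_true(httponly) ? "; HttpOnly" : "",
                        (const char *)NULL);
}

int main(void)
{
    /* Constructed inputs: secure unset, httponly set. */
    char *r = cookie_risky("sid", "abc", NULL, "true");
    char *s = cookie_safe("sid", "abc", NULL, "true");
    printf("risky: %s\n", r);  /* HttpOnly silently lost */
    printf("safe:  %s\n", s);  /* HttpOnly kept */
    free(r);
    free(s);
    return 0;
}
```

The observable failure is therefore not a syntactically bad Set-Cookie header but a cookie that lacks the HttpOnly attribute the rule asked for, which is worth remembering when reviewing any apr_pstrcat call whose arguments can be NULL.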
mod_rewrite cookies
Reviewing the backport proposal in STATUS, it amounts to
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330

It still seems to be at risk of generating a malformed cookie, if secure is unset (NULL) but httponly is set.

Shouldn't it guard against this by reporting a syntax error if secure (or indeed httponly) is set to an unrecognised value?

Or have I just been staring at a screen for too long?

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/