Re: BUG: Apache::Cookie v1.0

2002-09-23 Thread Lupe Christoph

On Monday, 2002-09-23 at 11:11:02 -0400, darren chamberlain wrote:
> * Michael McLagan <[EMAIL PROTECTED]> [2002-09-21 11:45]:
> > There is a bug in Apache::Cookie.  It doesn't handle a cookie with
> > zero bytes in it!

> This is because Apache::Cookie is implemented in C, and C uses NULL as
> the end of string terminator.

Not quite accurate. C has no concept of a string. There are a number of
library functions for string handling that use '\0' as the string
terminator.

If somebody rewrites Apache::Cookie to replace those functions, it will
be able to handle such cookies.

> This is probably something that needs to be done in Perl, since I doubt
> there's a way to check for "embedded" NULLs in a string in C...

/* We assume there will always be a '\0' to be found. */
char *
find_nul(char *str)
{
  while (*str) {
    str++;
  }

  return str;
}

What interests me much more is *why* a cookie should be able to contain
*any* control character. If you want binary data in a cookie, you should
encode it somehow.

If the '\0' was a '\n', things would be much more interesting ...

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..."  |



Re: BUG: Apache::Cookie v1.0

2002-09-23 Thread darren chamberlain

* Michael McLagan <[EMAIL PROTECTED]> [2002-09-21 11:45]:
> There is a bug in Apache::Cookie.  It doesn't handle a cookie with
> zero bytes in it!

This is because Apache::Cookie is implemented in C, and C uses NULL as
the end of string terminator.

This is probably something that needs to be done in Perl, since I doubt
there's a way to check for "embedded" NULLs in a string in C...

(darren)

-- 
If you wish to drown, do not torture yourself with shallow water.



Re: BUG: Apache::Cookie v1.0

2002-09-21 Thread Michael McLagan

Once upon a time, I wrote: 

> There is a bug in Apache::Cookie.  It doesn't handle a cookie
> with zero bytes in it!

A clarification, it's not a zero length cookie that is mishandled, it's a 
cookie with an embedded NUL (zero) character.

   Michael





BUG: Apache::Cookie v1.0

2002-09-21 Thread Michael McLagan

Hello,

   There is a bug in Apache::Cookie.  It doesn't handle a cookie with zero 
bytes in it!

$value = "ABCD" . chr(0) . "EFGH";
$cookie = Apache::Cookie->new($request,
                              -name   => 'oatmeal',
                              -value  => $value,
                              -domain => $ENV{'SERVER_NAME'},
                              -path   => "/");
print $cookie->as_string;


The output looks like:

oatmeal=ABCD; domain=my.web.server.com; path=/; expires=0

Where did the rest of my cookie go?!

Should I not have gotten:

oatmeal=ABCD%00EFGH; domain=my.web.server.com; path=/; expires=0

   Michael
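
The truncation reported above, next to the length-aware encoding the replies point toward, as an added C example that is not part of the thread and not Apache::Cookie's source. It assumes the truncation comes from taking the value's length with strlen(); the function names and the set of unescaped characters (RFC 3986 "unreserved") are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the value from the report, "ABCD" NUL "EFGH" (9 bytes). */
static const char SAMPLE[] = "ABCD\0EFGH";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Bytes copied through unescaped (assumption: RFC 3986 unreserved set). */
static int is_safe(unsigned char c)
{
    return isalnum(c) || (c != 0 && strchr("-._~", c) != NULL);
}

/* Percent-encode exactly len bytes of in[] into out[] (capacity cap).
 * Returns the encoded length, or -1 if out[] is too small. */
long escape_value(const char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (o + (is_safe(c) ? 1 : 3) >= cap)   /* keep room for the '\0' */
            return -1;
        if (is_safe(c))
            out[o++] = (char)c;
        else
            o += (size_t)sprintf(out + o, "%%%02X", (unsigned)c);
    }
    out[o] = '\0';
    return (long)o;
}

/* Assumed failure mode: the length is derived with strlen(), so the
 * encoder never sees anything after the first NUL byte. */
long escape_value_strlen(const char *in, char *out, size_t cap)
{
    return escape_value(in, strlen(in), out, cap);
}

int main(void)
{
    char buf[64];
    escape_value_strlen(SAMPLE, buf, sizeof buf);
    printf("strlen-based: oatmeal=%s\n", buf);
    escape_value(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
    printf("length-aware: oatmeal=%s\n", buf);
    return 0;
}
```

The same encoder turns a '\n' in the value into %0A, so no control character reaches the header unescaped.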