|
List Info Thread: mod_log_config cookie buglet
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
mod_log_config cookie buglet |
|
List Info Thread: mod_log_config cookie buglet
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
a co-worker and I were just adding some functionality to an
internal
httpd module when we noticed that mod_log_config misbehaves
when logging
cookie values...
in short, we have a cookie FOO and were adding a cookie
CLIENT_FOO. in
the log format we used
%Ct%C
but the log spit out FOO for both values. yucko.
it turns out to be mod_log_config's log_cookie() function,
where
ap_strstr_c() is used to find the cookie names. it seems
that whichever
cookie is first in the incoming header is the one that gets
logged,
provided that the name of one cookie is contained in the
name of another.
anyway, I guess this bug has been around forever (though I
haven't
looked beyond 2.2) but I have a feeling it's gone unnoticed
because
people might expect similar values for similarly named
cookies. in our
case, FOO was a decrypted version of CLIENT_FOO so the
results were
radically different in format and the bug was immediately
visible
(though not immediately obvious in source