httpd-apreq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Schaefer <...@sunstarsys.com>
Subject cookies: %26 & &amp;
Date Fri, 29 Dec 2000 04:25:57 GMT
I've come across a bug in the escape_url macro
in apache_cookie.c.  For cookies that have an "&"
sign in them somewhere like 

-name = "people"
-value = "Jack&Jill"

It will wind up being serialized as something like:

Set-Cookie:  people=Jack&Jill; ...
                        ^
                  *not* escaped by escape_url

When this cookie is returned to the server, it will be parsed
like a multivalued cookie because "&" is used as the separator in
ApacheCookie_parse (this is common practice).

It needs to be uri-escaped to %26 in this case, but I don't 
think ap_os_escape_path will work as is, since it escapes the % sign:

ap_os_escape_path( p , "Jack%26Jill" , 1) == "Jack%2526Jill"

which is also bad.  There needs to be an additional escape for "&"
on the result of ap_os_escape_path.

I should have a patch ready in a few days.
-- 
Joe Schaefer

Mime
View raw message