httpd-apreq-dev mailing list archives

From Bojan Smojver <bo...@rexursive.com>
Subject Bug in mod_apreq.c
Date Tue, 16 Nov 2004 22:21:25 GMT
This piece of code in mod_apreq.c:

--------------------------------
static apr_status_t apache2_header_out(void *env, const char *name,
                                       char *value)
{
    dR;
    /* addn stores the name/value pointers as-is; nothing is copied */
    apr_table_addn(r->headers_out, name, value);
    return APR_SUCCESS;
}
--------------------------------

assumes that name and value will be something from "permanent" memory and
therefore don't need to be copied, but rather that their pointers should simply
be stored in the table (therefore the addn, not add). However, this code in
apreq_cookie.c:

--------------------------------
APREQ_DECLARE(apr_status_t) apreq_cookie_bake(const apreq_cookie_t *c,
                                              void *env)
{
    char s[APREQ_COOKIE_MAX_LENGTH];   /* stack buffer, gone on return */
    int len = apreq_cookie_serialize(c, s, APREQ_COOKIE_MAX_LENGTH);
    if (len < APREQ_COOKIE_MAX_LENGTH)
        return apreq_env_set_cookie(env, s);   /* passes the stack pointer on */

    apreq_log(APREQ_ERROR APR_INCOMPLETE, env,
              "serialized cookie length exceeds limit %d",
              APREQ_COOKIE_MAX_LENGTH - 1);
    return APR_INCOMPLETE;
}
--------------------------------

uses values from the stack. The apreq_env_set_cookie() call eventually calls
apache2_header_out() function, which then assigns completely temporary strings
(the ones from the stack) to the request headers, which are normally associated
with the request pool.

Function apr_table_add() should be used instead, to make copies of both keys and
values. My tests show that this fixes the problem of Weird Cookies (TM).

--
Bojan
