httpd-apreq-dev mailing list archives

From Joe Schaefer <joe_schae...@yahoo.com>
Subject Re: skip bad cookie value in Apache2::Cookie::Jar?
Date Wed, 22 Dec 2010 00:23:56 GMT
The issue has nothing to do with browsers.  It has to do
with 3rd party apps that generate bogus cookies. If you
want apreq to ignore those cookies, just use eval {} and
trap the exception.

If you want to fix those 3rd party cookie apps, it's good
that apreq lets you know there's a problem.




----- Original Message ----
> From: Mark Hedges <hedges@formdata.biz>
> To: apreq-dev@httpd.apache.org
> Sent: Tue, December 21, 2010 6:24:14 PM
> Subject: skip bad cookie value in Apache2::Cookie::Jar?
> 
> 
> On Fri, 12 Nov 2010, Clinton Gormley wrote:
> 
> > On Fri, 2010-11-12 at 11:59 -0800, Mark Hedges wrote:
> > >
> > > Sorry if I don't understand what's going on, but is this a
> > > bug that causes the cookie header to have only the value '1'
> > > instead of proper headers?
> > >
> > > https://rt.cpan.org/Public/Bug/Display.html?id=61744
> > >
> > > Since there's some activity/interest in a new release,
> > > maybe someone can offer their opinion whether the
> > > suggested fix in the bug report above is a good idea, or
> > > whether this is something that needs to be fixed in
> > > Apache2::Cookie.  I haven't been able to duplicate it--
> > > maybe because I use Debian?
> >
> > I had a read of your bug and the conversation it links to.
> > This isn't a bug in libapreq or Apache2::Cookie - some
> > process somewhere (and it could be from an advert on the
> > user's site) is setting an invalid cookie, which then gets
> > passed back to apache.
> >
> > Apache2::Cookie tries to parse it, and chokes on it,
> > throwing an error. However, you can change how you use
> > Apache2::Cookie to ignore the error and just retrieve
> > valid cookies as discussed in the conversation linked to
> > in that bug report:
> > http://comments.gmane.org/gmane.comp.apache.apreq/4477
> >
> > clint
> 
> Could Apache2::Cookie::Jar maybe have an option to skip
> NOTOKEN errors when reading the jar?  Then it would do
> something like below.  Or does the eval have to happen in
> the 'each %attrs' loop of Jar->new().
> 
> It just seems like this is a universal problem.  If the
> client presents a bad cookie, shouldn't we just ignore it?
> It may be unrealistic to demand that the world be free of
> buggy browsers.
> 
> --mark--
> 
> --- /usr/lib/perl5/Apache2/Cookie.pm.orig    2010-12-21 15:05:24.000000000 
>-0800
> +++  /usr/lib/perl5/Apache2/Cookie.pm    2010-12-21 15:21:22.000000000  -0800
> @@ -4,6 +4,7 @@
>  use APR::Request::Cookie;
>  use  APR::Request::Apache2;
>  use APR::Request qw/encode decode/;
> +use  APR::Request::Error ();
>  use Apache2::RequestRec;
>  use  Apache2::RequestUtil;
>  use overload '""' => sub { shift->as_string() },  fallback => 1;
> @@ -101,8 +102,21 @@
>  *Apache2::Cookie::Jar::status =  *APR::Request::jar_status;
> 
>  sub new {
> -    my $class =  shift;
> -    my $jar =  $class->APR::Request::Apache2::handle(shift);
> +    my ($class,  $r) = @_;
> +    my $jar;
> +    eval { $jar =  $class->APR::Request::Apache2::handle($r) };
> +    if (my $err =  $@) {
> +        my $ref = ref $err;
> +         if  (   $ref eq 'APR::Request::Error'
> +             &&  $err ==  APR::Request::Error::NOTOKEN
> +            )  {
> +            # skip bad cookies by getting  jar from error
> +            $jar =  $err->jar;
> +        }
> +         else {
> +            die $err;  # rethrows  any other APR::Error
> +        }
> +     }
>      my %attrs = @_;
>      while (my ($k, $v) = each  %attrs) {
>          $k =~ s/^-//;
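
Review bot: In new(), "my ($class, $r) = @_;" copies the arguments without removing them from @_, so the unchanged "my %attrs = @_;" that follows now receives the class name and $r as its first key/value pair, where the removed lines had shifted both off. Keeping "my $class = shift; my $r = shift;" ahead of the eval preserves the old behaviour of the attribute loop. The "ref $err eq 'APR::Request::Error'" test also matches only that exact class name, so an error object of any subclass is rethrown; an isa() check guarded by ref would cover both. As posted the skip is unconditional, while the message asks about an option, and nothing is logged or returned to tell the caller that a cookie was dropped.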
> 
> 
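
The caller-side approach from the reply above (trap the exception with eval {} and keep what did parse), as an added example that is not code from the thread or from libapreq. My::CookieError, parse_cookie_header and lenient_jar are hypothetical stand-ins in plain Perl so the pattern runs without mod_perl, the header is constructed, and it assumes, as the patch does, that the error object carries the partially filled jar.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the error object: records which check failed,
# the offending text, and the cookies parsed before the failure.
package My::CookieError {
    sub new  { my ($class, %args) = @_; return bless { %args }, $class }
    sub code { $_[0]{code} }
    sub bad  { $_[0]{bad} }
    sub jar  { $_[0]{jar} }
}

package main;

# Strict parser written for this example (not libapreq's algorithm):
# dies on the first pair that is not name=value.
sub parse_cookie_header {
    my ($header) = @_;
    my %jar;
    for my $pair (split /;\s*/, $header) {
        my ($name, $value) = $pair =~ /^([^=\s]+)=(.*)$/
            or die My::CookieError->new(code => 'NOTOKEN', bad => $pair, jar => { %jar });
        $jar{$name} = $value;
    }
    return \%jar;
}

# Caller policy: tolerate only NOTOKEN, keep the partial jar, and record the
# offender for whoever has to track down the app that set it.
sub lenient_jar {
    my ($header, $log) = @_;
    my $jar = eval { parse_cookie_header($header) };
    return $jar if $jar;
    my $err = $@;
    die $err unless ref($err) && $err->isa('My::CookieError') && $err->code eq 'NOTOKEN';
    # The cookie text is client-controlled: truncate and strip non-printables
    # before it reaches a log line.
    (my $safe = substr($err->bad, 0, 64)) =~ s/[^\x20-\x7e]/?/g;
    push @$log, "skipped malformed cookie '$safe'";
    return $err->jar;
}

my @log;
my $jar = lenient_jar('session=abc123; 1; theme=dark', \@log);   # constructed header
print join(', ', map { "$_=$jar->{$_}" } sort keys %$jar), "\n";
print "$_\n" for @log;
```

In this stand-in the cookie that follows the malformed pair is not returned, because parsing stops at the first error; any other exception is rethrown unchanged.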


      
