httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/metadata mod_usertrack.c
Date Sat, 27 Sep 2003 18:24:39 GMT
striker     2003/09/27 11:24:39

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               modules/metadata Tag: APACHE_2_0_BRANCH mod_usertrack.c
  Log:
  Backport from 2.1.
  
    *) Fixed mod_usertrack to not get false positive matches on the
       user-tracking cookie's name.  PR 16661.
       [Manni Wood <manniwood@planet-save.com>]
  
  Reviewed by: Cliff Woolley, Jeff Trawick, Sander Striker
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.160 +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.159
  retrieving revision 1.988.2.160
  diff -u -r1.988.2.159 -r1.988.2.160
  --- CHANGES	27 Sep 2003 18:17:09 -0000	1.988.2.159
  +++ CHANGES	27 Sep 2003 18:24:37 -0000	1.988.2.160
  @@ -1,5 +1,9 @@
   Changes with Apache 2.0.48
   
  +  *) Fixed mod_usertrack to not get false positive matches on the
  +     user-tracking cookie's name.  PR 16661.
  +     [Manni Wood <manniwood@planet-save.com>]
  +
     *) mod_cache: Fix the cache code so that responses can be cached
        if they have an Expires header but no Etag or Last-Modified
        headers. PR 23130.
  
  
  
  1.751.2.486 +1 -6      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.485
  retrieving revision 1.751.2.486
  diff -u -r1.751.2.485 -r1.751.2.486
  --- STATUS	27 Sep 2003 18:17:09 -0000	1.751.2.485
  +++ STATUS	27 Sep 2003 18:24:38 -0000	1.751.2.486
  @@ -324,11 +324,6 @@
           modules/generators/mod_info.c r1.151
         +1: trawick
   
  -    * mod_usertrack: use a regex instead of strstr() to fix false-positive
  -      matches on the user tracking cookie's name.
  -        modules/metadata/mod_usertrack.c r1.42
  -      +1: jwoolley, trawick, striker
  -
   CURRENT RELEASE NOTES:
   
       * Backwards compatibility is expected of future Apache 2.0 releases,
  
  
  
  No                   revision
  No                   revision
  1.39.2.3  +49 -16    httpd-2.0/modules/metadata/mod_usertrack.c
  
  Index: mod_usertrack.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/metadata/mod_usertrack.c,v
  retrieving revision 1.39.2.2
  retrieving revision 1.39.2.3
  diff -u -r1.39.2.2 -r1.39.2.3
  --- mod_usertrack.c	7 Mar 2003 21:27:38 -0000	1.39.2.2
  +++ mod_usertrack.c	27 Sep 2003 18:24:38 -0000	1.39.2.3
  @@ -125,6 +125,8 @@
       cookie_type_e style;
       char *cookie_name;
       char *cookie_domain;
  +    char *regexp_string;  /* used to compile regexp; save for debugging */
  +    regex_t *regexp;  /* used to find usertrack cookie in cookie header */
   } cookie_dir_rec;
   
   /* Make Cookie: Now we have to generate something that is going to be
  @@ -193,36 +195,48 @@
       return;
   }
   
  +/* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)",
  + * which has three subexpressions, $0..$2 */
  +#define NUM_SUBS 3
  +
   static int spot_cookie(request_rec *r)
   {
       cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config,
   						&usertrack_module);
  -    const char *cookie;
  -    const char *value;
  +    const char *cookie_header;
  +    regmatch_t regm[NUM_SUBS];
   
       /* Do not run in subrequests */
       if (!dcfg->enabled || r->main) {
           return DECLINED;
       }
   
  -    if ((cookie = apr_table_get(r->headers_in,
  -                                (dcfg->style == CT_COOKIE2
  -                                 ? "Cookie2"
  -                                 : "Cookie"))))
  -        if ((value = ap_strstr_c(cookie, dcfg->cookie_name))) {
  -            char *cookiebuf, *cookieend;
  -
  -            value += strlen(dcfg->cookie_name) + 1;  /* Skip over the '=' */
  -            cookiebuf = apr_pstrdup(r->pool, value);
  -            cookieend = strchr(cookiebuf, ';');
  -            if (cookieend)
  -                *cookieend = '\0';      /* Ignore anything after a ; */
  -
  +    if ((cookie_header = apr_table_get(r->headers_in,
  +                                       (dcfg->style == CT_COOKIE2
  +                                        ? "Cookie2"
  +                                        : "Cookie")))) {
  +        if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) {
  +            char *cookieval = NULL;
  +            /* Our regexp,
  +             * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
  +             * only allows for $1 or $2 to be available. ($0 is always
  +             * filled with the entire matched expression, not just
  +             * the part in parentheses.) So just check for either one
  +             * and assign to cookieval if present. */
  +            if (regm[1].rm_so != -1) {
  +                cookieval = ap_pregsub(r->pool, "$1", cookie_header,
  +                                       NUM_SUBS, regm);
  +            }
  +            if (regm[2].rm_so != -1) {
  +                cookieval = ap_pregsub(r->pool, "$2", cookie_header,
  +                                       NUM_SUBS, regm);
  +            }
               /* Set the cookie in a note, for logging */
  -            apr_table_setn(r->notes, "cookie", cookiebuf);
  +            apr_table_setn(r->notes, "cookie", cookieval);
   
               return DECLINED;    /* There's already a cookie, no new one */
           }
  +    }
       make_cookie(r);
       return OK;                  /* We set our cookie */
   }
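Review bot: The new `ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)` call in spot_cookie uses a pointer that, in the hunks shown, is only ever assigned inside the cookie-name directive handler (last hunk). If the per-directory config constructor and merge routine, which are outside this diff, do not also compile a pattern for the default cookie name, a server that enables tracking without setting a cookie name would presumably reach this call with `dcfg->regexp == NULL` on every request carrying a Cookie header. Compiling the default pattern wherever the default `cookie_name` is assigned, or failing closed with an explicit NULL check before `ap_regexec`, would remove that dependency on configuration order. As a style point, the two `regm[n].rm_so != -1` tests are mutually exclusive for this pattern, so the second reads more clearly as `else if`.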
  @@ -331,7 +345,26 @@
   {
       cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig;
   
  +    /* The goal is to end up with this regexp,
  +     * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
  +     * with cookie_name
  +     * obviously substituted with the real cookie name set by the
  +     * user in httpd.conf. */
  +    dcfg->regexp_string = apr_pstrcat(cmd->pool, "^", name,
  +                                      "=([^;]+)|;[ \t]+", name,
  +                                      "=([^;]+)", NULL);
  +
       dcfg->cookie_name = apr_pstrdup(cmd->pool, name);
  +
  +    dcfg->regexp = ap_pregcomp(cmd->pool, dcfg->regexp_string, REG_EXTENDED);
  +    if (dcfg->regexp == NULL) {
  +        return "Regular expression could not be compiled.";
  +    }
  +    if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) {
  +        return apr_pstrcat(cmd->pool, "Invalid cookie name \"",
  +                           name, "\"", NULL);
  +    }
  +
       return NULL;
   }
   
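Review bot: `name` is concatenated into the pattern verbatim by `apr_pstrcat`, so any regex metacharacter in the configured cookie name changes what is matched. The `re_nsub + 1 != NUM_SUBS` check only rejects names that add capture groups; a name containing `.`, `*`, `+`, `[` or `|` still compiles with two groups and can match other cookies, which is the false-positive case this commit is meant to remove. Rejecting names that contain characters outside the cookie-token set before building `regexp_string` would cover this. The separator `;[ \t]+` also requires at least one blank after the semicolon, so a header whose pairs are joined by a bare `;` is not recognised and a new tracking cookie would be issued each time; `;[ \t]*` accepts both forms. The handler's signature lies outside the hunk.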
  
  
  
