From s.@apache.org
Subject svn commit: r1199987 - in /httpd/httpd/trunk: CHANGES modules/metadata/mod_usertrack.c
Date Wed, 09 Nov 2011 21:43:49 GMT
Author: sf
Date: Wed Nov  9 21:43:49 2011
New Revision: 1199987

URL: http://svn.apache.org/viewvc?rev=1199987&view=rev
Log:
Use random value instead of remote IP address in cookie value. This has the
advantage that we don't leak internal IP addresses in reverse proxy setups.
Also, use hex to make the cookie shorter.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/metadata/mod_usertrack.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1199987&r1=1199986&r2=1199987&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Nov  9 21:43:49 2011
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.16
 
+  *) mod_usertrack: Use random value instead of remote IP address.
+     [Stefan Fritsch]
 
 Changes with Apache 2.3.15
 

Modified: httpd/httpd/trunk/modules/metadata/mod_usertrack.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_usertrack.c?rev=1199987&r1=1199986&r2=1199987&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/metadata/mod_usertrack.c (original)
+++ httpd/httpd/trunk/modules/metadata/mod_usertrack.c Wed Nov  9 21:43:49 2011
@@ -97,19 +97,16 @@ static void make_cookie(request_rec *r)
 {
     cookie_log_state *cls = ap_get_module_config(r->server->module_config,
                                                  &usertrack_module);
-    /* 1024 == hardcoded constant */
-    char cookiebuf[1024];
+    char cookiebuf[2 * (sizeof(apr_uint64_t) + sizeof(int)) + 2];
+    unsigned int random;
+    apr_time_t now = r->request_time ? r->request_time : apr_time_now();
     char *new_cookie;
-    const char *rname = ap_get_remote_host(r->connection, r->per_dir_config,
-                                           REMOTE_NAME, NULL);
     cookie_dir_rec *dcfg;
 
+    ap_random_insecure_bytes(&random, sizeof(random));
+    apr_snprintf(cookiebuf, sizeof(cookiebuf), "%x.%" APR_UINT64_T_HEX_FMT,
+                 random, (apr_uint64_t)now);
     dcfg = ap_get_module_config(r->per_dir_config, &usertrack_module);
-
-    /* XXX: hmm, this should really tie in with mod_unique_id */
-    apr_snprintf(cookiebuf, sizeof(cookiebuf), "%s.%" APR_TIME_T_FMT, rname,
-                 apr_time_now());
-
     if (cls->expires) {
 
         /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
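Review bot: The size of `cookiebuf` on the new `char cookiebuf[2 * (sizeof(apr_uint64_t) + sizeof(int)) + 2];` line is exactly what the apr_snprintf format several statements later needs, but nothing states the derivation, so a later change to the format (or widening `random`) would silently truncate the cookie. Add a comment at the declaration, `/* "%x" (2*sizeof(int) hex digits) + '.' + APR_UINT64_T_HEX_FMT (2*sizeof(apr_uint64_t) digits) + NUL */`, and consider comparing apr_snprintf's return value against sizeof(cookiebuf) so truncation is not silent. Separately, the local `unsigned int random;` shadows random(3) from <stdlib.h> and triggers -Wshadow; `unsigned int rnd;` avoids that. Because ap_random_insecure_bytes is, by its own name, not a cryptographic source, a one-line comment that the value is only a tracking identifier and must not be treated as an unguessable token would keep future readers from building authentication on it. make_cookie continues past the end of the hunk.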


