httpd-dev mailing list archives

From Geoffrey Young <>
Subject mod_log_config cookie buglet
Date Tue, 21 Aug 2007 15:11:46 GMT
hi all :)

a co-worker and I were just adding some functionality to an internal
httpd module when we noticed that mod_log_config misbehaves when logging
cookie values...

in short, we have a cookie FOO and were adding a cookie CLIENT_FOO.  in
the log format we used


but the log spit out FOO for both values.  yucko.

it turns out to be mod_log_config's log_cookie() function, where
ap_strstr_c() is used to find the cookie names.  it seems that whichever
cookie is first in the incoming header is the one that gets logged,
provided that the name of one cookie is contained in the name of another.

anyway, I guess this bug has been around forever (though I haven't
looked beyond 2.2) but I have a feeling it's gone unnoticed because
people might expect similar values for similarly named cookies.  in our
case, FOO was a decrypted version of CLIENT_FOO so the results were
radically different in format and the bug was immediately visible
(though not immediately obvious in source :)

anyway, sorry we don't have a patch for you :)

(who isn't subscribed anymore, so please CC me :)
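
The lookup problem described in the message, as an added example that is not part of the original post and is not httpd's own code: a simplified stand-alone model of a substring-based cookie lookup next to a token-aware one that compares whole cookie names. The function names and the sample header are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy a cookie value (everything up to the next ';') into out. */
static int copy_value(const char *v, char *out, size_t outlen)
{
    size_t n = strcspn(v, ";");
    if (outlen == 0) return 0;
    if (n >= outlen) n = outlen - 1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 1;
}

/* Model of a substring lookup: the name may match the tail of a longer name. */
static int cookie_by_substring(const char *hdr, const char *name,
                               char *out, size_t outlen)
{
    const char *p = strstr(hdr, name);
    if (p == NULL || p[strlen(name)] != '=')
        return 0;
    return copy_value(p + strlen(name) + 1, out, outlen);
}

/* Token-aware lookup: walk the ';'-separated pairs and compare whole names. */
static int cookie_by_token(const char *hdr, const char *name,
                           char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (*p != '\0') {
        p += strspn(p, " \t");           /* skip whitespace before the pair */
        size_t plen = strcspn(p, ";");   /* length of this name=value pair */
        if (plen > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0)
            return copy_value(p + nlen + 1, out, outlen);
        p += plen;
        if (*p == ';') p++;
    }
    return 0;
}

int main(void)
{
    const char *hdr = "CLIENT_FOO=enc123; FOO=plain456"; /* constructed sample */
    char a[64] = "", b[64] = "";
    cookie_by_substring(hdr, "FOO", a, sizeof a);
    cookie_by_token(hdr, "FOO", b, sizeof b);
    printf("substring: FOO=%s\nby token:  FOO=%s\n", a, b);
}
```

With the constructed header, the substring model reports the value of CLIENT_FOO when asked for FOO, so a log line built from it records the wrong cookie; the token-aware lookup returns each cookie's own value.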
