httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_rewrite cookies
Date Sat, 19 Jul 2008 18:27:22 GMT


On 07/19/2008 06:08 PM, Nick Kew wrote:
> Reviewing the backport proposal in STATUS, it amounts to
> 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330
> 
> It still seems to be at risk of generating a malformed cookie,
> if secure is unset (NULL) but httponly is set.
> 
> Shouldn't it guard against this by reporting a syntax error if
> secure (or indeed httponly) is set to an unrecognised value?
> Or have I just been staring at a screen for too long?
> 

Unless I am confused as well it is the latter :-).
If secure is unset or has the wrong value
the result of the ? operator will be NULL. It doesn't matter
what value comes after that as apr_pstrcat does only cat the
strings until it reaches the first NULL parameter.

Regards

Rüdiger


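The NULL-termination behaviour described in the reply above, as an added example that is not part of the original message and is not mod_rewrite's code: `cat_until_null` is a simplified stand-in for `apr_pstrcat`, and `flag`, `build_cookie` and the sample values are hypothetical. It shows that a NULL from an unset flag ends the concatenation, so the cookie stays well-formed but any attribute listed after that argument is omitted, whereas an empty-string fallback keeps the later attribute.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for apr_pstrcat(), minus the pool: joins args up to first NULL. */
static char *cat_until_null(const char *first, ...)
{
    va_list ap;
    size_t len = 0;
    const char *s;
    char *out;

    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *))
        len += strlen(s);
    va_end(ap);
    if ((out = calloc(len + 1, 1)) == NULL)
        return NULL;
    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *))
        strcat(out, s);
    va_end(ap);
    return out;
}

/* Hypothetical flag test: exactly "true" yields attr, anything else off. */
static const char *flag(const char *v, const char *attr, const char *off)
{
    return (v != NULL && strcmp(v, "true") == 0) ? attr : off;
}

/* Hypothetical builder. off = NULL mirrors the "? ... : NULL" pattern from
 * the thread; off = "" keeps the argument list going past an unset flag. */
static char *build_cookie(const char *name, const char *val, const char *secure,
                          const char *httponly, const char *off)
{
    return cat_until_null(name, "=", val, "; path=/",
                          flag(secure, "; secure", off),
                          flag(httponly, "; HttpOnly", off), (char *)NULL);
}

int main(void)
{
    char *a = build_cookie("sid", "abc", NULL, "true", NULL); /* constructed */
    char *b = build_cookie("sid", "abc", NULL, "true", "");
    printf("NULL fallback: %s\n\"\" fallback:   %s\n", a, b);
    free(a); free(b);
    return 0;
}
```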