www-apache-bugdb mailing list archives

From Ari Halberstadt <...@shore.net>
Subject mod_jserv/2800: cookie max age overflows at about 25 days
Date Thu, 06 Aug 1998 19:06:46 GMT

>Number:         2800
>Category:       mod_jserv
>Synopsis:       cookie max age overflows at about 25 days
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug  6 12:10:00 PDT 1998
>Last-Modified:
>Originator:     ari@shore.net
>Organization:
apache
>Release:        1.3
>Environment:
not relevant, it's a java source bug
>Description:
Here is the existing code in org.apache.jserv.JServUtils.encodeCookie:

        ...
        int age = cookie.getMaxAge();
        if ( cookie.getMaxAge() > 0 ) {
            buf.append( "; expires=" );
            buf.append( cookieDate.format(new Date(System.currentTimeMillis() + age * 1000)));
        } else if ( cookie.getMaxAge() == 0 ) {
        ...

The multiplication of the int by 1000 causes integer overflow.

History: this problem was detected by Sean Hammon (sean-h@mailhost) in a post to java-apache-users
in early June; I added the analysis of the problem and suggested fix.
>How-To-Repeat:
Use a cookie expiration time of about 25 days:

25 days in milliseconds:  25*3600*24*1000 = 2160000000
Integer.MAX_INT:          0x7fffffff = 2^31-1 = 2147483647
>Fix:
This should be changed to use long (64-bit) arithmetic, for instance

        ...
        long age = cookie.getMaxAge();
        if ( age > 0 ) {
            buf.append( "; expires=" );
            buf.append( cookieDate.format(new Date(System.currentTimeMillis() + age * 1000)));
        } else if ( age == 0 ) {
        ...
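The following is an added, stand-alone Java illustration of the overflow and of the proposed widening fix; it is not part of the original report and is not JServ code. It takes the max-age as a plain int (the type Cookie.getMaxAge() returns) so it compiles without the servlet classes, uses a stand-in Netscape-style date formatter because the report does not show JServ's cookieDate, fixes "now" to a constructed instant so the output is reproducible, and adds a Math.multiplyExact/addExact variant that the report itself does not propose.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

/*
 * Added demonstration of the overflow in PR 2800; not JServ code.
 * The max-age is passed as an int (the Servlet Cookie.getMaxAge()
 * return type) so no servlet API is needed to compile this.
 */
public class CookieMaxAgeOverflow {

    private static final long MILLIS_PER_DAY = 24L * 3600 * 1000;

    /* Netscape-style "expires=" date. Assumption: the report does not show
     * JServ's cookieDate formatter, so this one is a stand-in. */
    private static SimpleDateFormat cookieDate() {
        SimpleDateFormat f =
            new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
        f.setTimeZone(TimeZone.getTimeZone("GMT"));
        return f;
    }

    /* Mirrors the reported code: age is an int, so age * 1000 is evaluated
     * in 32-bit arithmetic and wraps before it is added to the long. */
    static long expiresMillisBuggy(long nowMillis, int maxAgeSeconds) {
        int age = maxAgeSeconds;
        return nowMillis + age * 1000;
    }

    /* Mirrors the proposed fix: widen to long first, then multiply. */
    static long expiresMillisFixed(long nowMillis, int maxAgeSeconds) {
        long age = maxAgeSeconds;
        return nowMillis + age * 1000;
    }

    /* Same as the fix plus explicit overflow checks (Java 8+ Math.*Exact);
     * this guard goes beyond what the report proposes. */
    static long expiresMillisChecked(long nowMillis, int maxAgeSeconds) {
        long ageMillis = Math.multiplyExact((long) maxAgeSeconds, 1000L);
        return Math.addExact(nowMillis, ageMillis);
    }

    /* The positive-max-age branch of encodeCookie with the fix applied.
     * The report truncates the other branches, so they are not modelled. */
    static String expiresAttribute(long nowMillis, int maxAgeSeconds) {
        if (maxAgeSeconds > 0) {
            Date when = new Date(expiresMillisFixed(nowMillis, maxAgeSeconds));
            return "; expires=" + cookieDate().format(when);
        }
        return "";
    }

    public static void main(String[] args) {
        // Constructed fixed "now" (1998-08-06 00:00:00 GMT) for reproducible output.
        long now = 902361600000L;
        int[] maxAges = { 1 * 24 * 3600, 24 * 24 * 3600, 25 * 24 * 3600, 400 * 24 * 3600 };
        for (int age : maxAges) {
            long buggy = expiresMillisBuggy(now, age);
            long fixed = expiresMillisFixed(now, age);
            double buggyDays = (buggy - now) / (double) MILLIS_PER_DAY;
            double fixedDays = (fixed - now) / (double) MILLIS_PER_DAY;
            System.out.printf("max-age=%9d s  buggy: %+8.2f days  fixed: %+8.2f days%s%n",
                age, buggyDays, fixedDays, buggy != fixed ? "  <-- overflow" : "");
        }
        // Beyond roughly 24.85 days (2^31-1 ms) the buggy value lands in the
        // past, so a browser discards the cookie at once; larger max-ages wrap
        // to arbitrary, unrelated lifetimes.
        System.out.println("Set-Cookie: id=abc" + expiresAttribute(now, 25 * 24 * 3600));
        System.out.println("checked: " + expiresMillisChecked(now, 25 * 24 * 3600));
    }
}
```

The point to watch for when reviewing similar code is the expression `age * 1000`: Java evaluates it in the type of its operands, so widening the result by assigning it to a long does nothing; the operand itself must be a long (or the literal `1000L`) before the multiplication happens. A cookie whose computed expiry falls in the past is silently dropped by the browser, which is why the symptom shows up as "the cookie never sticks" rather than as an error.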
>Audit-Trail:
>Unformatted: