
This queue is for tickets about the CGI-Application-Plugin-Session CPAN distribution.

Report information
The Basics
Id: 17366
Status: resolved
Priority: 0/
Queue: CGI-Application-Plugin-Session

People
Owner: Nobody in particular
Requestors: perlmonkey [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.09
Fixed in: (no value)



Subject: session + session_cookie enter an infinite loop if you specify an invalid driver
If you specify an invalid driver CGI::Application::Plugin::Session will enter into an infinite loop that cycles between session and session_cookie.

This cycle appears to be internal, and is caused here:

    $self->{__CAP__SESSION_OBJ} = CGI::Session->new(@params);

If CGI::Session fails to initialize (for example when an invalid driver is specified) then $self->{__CAP__SESSION_OBJ} will be undefined, which causes the cycle to start.

Adding a test for defined after the above line would solve this problem.

Example trace from DProf:

    CGI::Application::Plugin::Session::session_cookie
    CGI::Application::Plugin::Session::session
    CGI::Session::new
    CGI::Session::load
    CGI::Session::parse_dsn
    Text::Abbrev::abbrev
    CGI::Session::ErrorHandler::set_error
    CGI::Session::DESTROY
    CGI::Session::flush
    CGI::Session::id
    CGI::Session::dataref
    CGI::Session::dataref
    CGI::Session::ErrorHandler::errstr
    CGI::Session::ErrorHandler::set_error
    CGI::Application::query
    CGI::Session::name
    CGI::cookie
    CGI::self_or_default
    CGI::Util::rearrange
    CGI::Cookie::fetch
    CGI::Cookie::get_raw_cookie
    CGI::Application::Plugin::Session::session_cookie
    CGI::Application::Plugin::Session::session

On Mon Jan 30 14:31:56 2006, guest wrote:
> If you specify an invalid driver CGI::Application::Plugin::Session will
> enter into an infinite loop that cycles between session and session_cookie.
>
> This cycle appears to be internal, and is caused here:
>
> $self->{__CAP__SESSION_OBJ} = CGI::Session->new(@params);
>
> If CGI::Session fails to initialize (for example when an invalid driver
> is specified) then $self->{__CAP__SESSION_OBJ} will be undefined, which
> causes the cycle to start.
>
> Adding a test for defined after the above line would solve this problem.

Adding the extra check is a good idea, and I have added it to the code. But while trying to write a test case for this, I have been unable to actually recreate the problem. Can you give me some sample code that triggers the problem for you? Also, what version of CGI::Session are you using?

Cheers,

Cees Hek

From: perlmonkey [...] gmail.com
On Tue Jan 31 11:54:42 2006, CEESHEK wrote:
> On Mon Jan 30 14:31:56 2006, guest wrote:
> > If you specify an invalid driver CGI::Application::Plugin::Session will
> > enter into an infinite loop that cycles between session and session_cookie.
> >
> > This cycle appears to be internal, and is caused here:
> >
> > $self->{__CAP__SESSION_OBJ} = CGI::Session->new(@params);
> >
> > If CGI::Session fails to initialize (for example when an invalid driver
> > is specified) then $self->{__CAP__SESSION_OBJ} will be undefined, which
> > causes the cycle to start.
> >
> > Adding a test for defined after the above line would solve this problem.
>
> Adding the extra check is a good idea, and I have added it to the code.
> But while trying to write a test case for this, I have been unable to
> actually recreate the problem. Can you give me some sample code that
> triggers the problem for you. Also, what version of CGI::Session are
> you using?
>
> Cheers,
>
> Cees Hek

Attached is an example test case that causes an infinite loop, testable with an alarm.

Using version 0.09

    #!/usr/bin/perl

    # Instantiate and run the application defined below.
    Example->new()->run;

    package Example;

    use strict;
    use warnings;

    use base 'CGI::Application';
    use CGI::Application::Plugin::Session;
    use Test::More 'no_plan';

    sub setup {
        my ($self) = @_;
        ok(1, 'setup called');

        $self->session_init();
        ok(1, 'session_init completed');

        # Fail the test and exit if the session call has not returned after 2 seconds.
        eval {
            alarm 2;
            local $SIG{ALRM} = sub {
                ok(0, "timed out");
                exit;
            };

            # First use of the session object; this is the call that loops.
            my $val = $self->session->param('foo');
            alarm 0;
        };
        ok(1, "no timeout");
    }

    sub session_init {
        my ($self) = @_;

        # The DSN names a driver that does not exist.
        $self->session_config(
            CGI_SESSION_OPTIONS => [
                "driver:invalid_driver;serializer:FreezeThaw",
                $self->query,
            ],
            COOKIE_PARAMS => { -path => "/" },
            SEND_COOKIE   => 1,
        );
    }

On Tue Jan 31 14:09:33 2006, guest wrote:
> Attached is an example test case that causes an infinite loop, testable
> with an alarm.

Your test code passes with no infinite loop for me. The call to $self->session->param ends up dying with an error from CGI::Session:

    ------------
    CGI::Session doesn't seem to be a valid CGI::Session driver. At least one method ('store') is missing
    ------------

> Using version 0.09

I needed to know what version of CGI::Session you are using. I originally tested it with version 3.95, and should have checked the latest version as well. Turns out it fails with version 4+, so something definitely changed in the way bad driver info is handled.

Anyway, I have fixed the issue in CGI::Application::Plugin::Session and will upload a new version soon.

Thanks for the help...

Cheers,

Cees
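
The cycle reported in this ticket, modeled as an added stand-alone example (not the plugin's source and not code from either participant). FakeSession, App, the `guard` flag and the 20-call cap are constructed for illustration; the only behaviour taken from the ticket is that a failed session constructor leaves the cached object undefined and that session and session_cookie call each other.

```perl
#!/usr/bin/perl
# Added illustration: a stand-alone model of the cycle, not the plugin's source.
use strict;
use warnings;

package FakeSession;    # constructed stand-in for CGI::Session
our $errstr = '';
sub new {
    my ($class, $dsn) = @_;
    my ($driver) = $dsn =~ /driver:(\w+)/;
    unless (defined $driver && $driver eq 'file') {
        $errstr = "unknown driver in '$dsn'";
        return;    # failure yields undef, as the ticket describes
    }
    return bless { id => 'constructed-session-id' }, $class;
}

package App;            # hypothetical application with lazy session init
sub new { my ($class, %args) = @_; return bless { %args, calls => 0 }, $class }

sub session {
    my ($self) = @_;
    # Demo-only cap so the unguarded cycle terminates instead of spinning.
    die "cycle: session() entered $self->{calls} times\n"
        if ++$self->{calls} > 20;
    if (!defined $self->{session_obj}) {
        $self->{session_obj} = FakeSession->new($self->{dsn});
        # The check proposed in the ticket: stop if construction failed.
        die "session init failed: $FakeSession::errstr\n"
            if $self->{guard} && !defined $self->{session_obj};
        $self->session_cookie;    # cookie setup needs the session object
    }
    return $self->{session_obj};
}

sub session_cookie {
    my ($self) = @_;
    my $session = $self->session;    # re-enters session() while the object is undef
    return "sid=$session->{id}";
}

package main;
for my $case (['driver:invalid_driver', 0], ['driver:invalid_driver', 1], ['driver:file', 1]) {
    my ($dsn, $guard) = @$case;
    my $app = App->new(dsn => $dsn, guard => $guard);
    my $ok  = eval { $app->session; 1 };
    printf "dsn=%s guard=%d -> %s", $dsn, $guard,
        $ok ? "ok after $app->{calls} call(s)\n" : $@;
}
```

Without the defined check, a bad DSN in a per-request code path turns a configuration error into a process that never returns, so the guarded form fails fast with the constructor's error string instead.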