Subject: Security issue with the way cookies are handled
There's a critical security problem with POE::Component::Client::HTTP.
In the Request module, it clones the current request to perform
redirects. If the redirect goes from one server to another, the cookies
from the first server are passed to the second, which is a violation of
the cookies spec.

If the request is going to be cloned this way, then at least the
"Cookie" header (and possibly others) needs to be sanitized.

This is my recommendation. This snippet with the added remove_header()
call I'm suggesting is from around line 449 of
POE::Component::Client::HTTP::Request in check_redirect().
else { # All fine, yield new request and mark this disabled.
my $newrequest = $self->[REQ_REQUEST]->clone();
+ $newrequest->remove_header('Cookie');
DEBUG and warn "RED: new request $newrequest";
$newrequest->uri($new_uri);
_set_host_header ($newrequest);
$self->[REQ_STATE] = RS_REDIRECTED;
DEBUG and warn "RED: new request $newrequest";
return $newrequest;
}
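Review bot: the added remove_header('Cookie') call is unconditional within this else branch, so a redirect that stays on the same server loses its cookies too, while other credential headers copied by clone() (Authorization, for example) still travel to the new server. Consider doing the stripping once $new_uri is in hand and only when its scheme, host or port differs from the original request's URI, and passing the other credential-bearing field names in the same remove_header() call. A one-line comment saying why the header is dropped would help whoever touches check_redirect() next. Separately, the identical DEBUG and warn "RED: new request $newrequest" line appears both before and after uri($new_uri) is set; giving the two distinct messages would make the trace show the request before and after the rewrite.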