
This queue is for tickets about the HTTP-Cookies CPAN distribution.

Report information
The Basics
Id: 75897
Status: resolved
Priority: 0/
Queue: HTTP-Cookies

People
Owner: Nobody in particular
Requestors: vaibhavkhunger [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 6.01
Fixed in: 6.01



Subject: Duplication Of Cookies
Bug in HTTP::Cookies version 6.01
Perl Version 5.10.1
Operating System: Ubuntu 10.04

BUG:
In package HTTP::Cookies, the function add_cookie_header() has a bug that it copies previously existing cookies and concatenates them to the request header. This sometimes causes duplication of cookies.
The Bug causes error 400 Bad Request, due to the request header being too long when trying to log in to a server. This condition does not cause an error until and unless the cookies are too long.

Workaround:
Rather than appending the existing cookies to the new cookies we should check if the cookie already exists then skip appending it, otherwise append it to the new cookies.

My Scenario:
I was trying to log on to an AD-FS server using NTLM Authentication.
We receive 4 NTLM Request Cookies which are base64 encoded. But during Authentication there are 3 redirections which are handled using request() in LWP::UserAgent.
This makes an indirect call to HTTP::Cookies each time.
Therefore, the same cookies are repeated 3 times.
As the cookies are too long we receive an HTTP Bad Request, Error 400.

Place of Bug in Code:

    if (@cval) {
        if (my $old = $request->header("Cookie")) {
            unshift(@cval, $old);
        }
        $request->header(Cookie => join("; ", @cval));
    }

Fix:
This patch checks whether the cookie in @oldcookie has already been included in @cval, if yes then it skips appending it to @cval,

    if (@cval) {
        if (my $old = $request->header("Cookie")) {
            my @oldcookie = split(/;/, $old);
            my $cookieflag;
            my $ocookie;
            my $ncookie;
            foreach (@oldcookie) {
                $ocookie = $_;
                $ocookie =~ s/^\s*//;
                $ocookie =~ s/\s*$//;
                chomp($ocookie);
                $cookieflag = 1;
                foreach (@cval) {
                    $ncookie = $_;
                    $ncookie =~ s/^\s*//;
                    $ncookie =~ s/\s*$//;
                    chomp($ncookie);
                    if ($ncookie eq $ocookie) {
                        $cookieflag = 0;
                    }
                }
                if ($cookieflag == 1) {
                    unshift(@cval, $ocookie);
                }
            }
        }
        $request->header(Cookie => join("; ", @cval));
    }
Subject: Error report
application/octet-stream 21.3k


On Tue Mar 20 02:24:48 2012, vaibhavkhunger wrote:
>
> Bug in HTTP::Cookies version 6.01
> Perl Version 5.10.1
> Operating System: Ubuntu 10.04
>
> BUG:
> In package HTTP::Cookies, the function add_cookie_header() has a bug
> that it copies previously existing cookies and concatenates them to the
> request header. This sometimes causes duplication of cookies.
> The Bug causes error 400 Bad Request, due to the request header being
> too long when trying to log in to a server. This condition does not cause
> an error until and unless the cookies are too long.
>
> Workaround:
> Rather than appending the existing cookies to the new cookies we should
> check if the cookie already exists then skip appending it, otherwise
> append it to the new cookies.
>
> My Scenario:
> I was trying to log on to an AD-FS server using NTLM Authentication.
> We receive 4 NTLM Request Cookies which are base64 encoded. But during
> Authentication there are 3 redirections which are handled using
> request() in LWP::UserAgent.
> This makes an indirect call to HTTP::Cookies each time.
> Therefore, the same cookies are repeated 3 times.
> As the cookies are too long we receive an HTTP Bad Request, Error 400.
>
> Place of Bug in Code:
>
>     if (@cval) {
>         if (my $old = $request->header("Cookie")) {
>             unshift(@cval, $old);
>         }
>         $request->header(Cookie => join("; ", @cval));
>     }
>
> Fix:
> This patch checks whether the cookie in @oldcookie has already been
> included in @cval, if yes then it skips appending it to @cval,
>
>     if (@cval) {
>         if (my $old = $request->header("Cookie")) {
>             my @oldcookie = split(/;/, $old);
>             my $cookieflag;
>             my $ocookie;
>             my $ncookie;
>             foreach (@oldcookie) {
>                 $ocookie = $_;
>                 $ocookie =~ s/^\s*//;
>                 $ocookie =~ s/\s*$//;
>                 chomp($ocookie);
>                 $cookieflag = 1;
>                 foreach (@cval) {
>                     $ncookie = $_;
>                     $ncookie =~ s/^\s*//;
>                     $ncookie =~ s/\s*$//;
>                     chomp($ncookie);
>                     if ($ncookie eq $ocookie) {
>                         $cookieflag = 0;
>                     }
>                 }
>                 if ($cookieflag == 1) {
>                     unshift(@cval, $ocookie);
>                 }
>             }
>         }
>         $request->header(Cookie => join("; ", @cval));
>     }

Looks like this is still an issue. See https://github.com/libwww-perl/WWW-Mechanize/issues/52
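
The merge logic quoted in the report, replayed offline as an added example (not code from the ticket, the attachment, or HTTP::Cookies itself). It assumes the existing Cookie header is carried into each of the three passes the report describes; the cookie names and values and the helper names merge_naive, merge_dedup and replay are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed sample: four long cookies standing in for the base64 NTLM
# cookies mentioned in the report (names and values are made up).
my @jar = map { "NTLMCookie$_=" . ('QUJD' x 64) } 1 .. 4;

# Merge as quoted in the ticket: the existing header is prepended whole.
sub merge_naive {
    my ($old, @cval) = @_;
    unshift @cval, $old if defined $old && length $old;
    return join "; ", @cval;
}

# De-duplicating merge: split the existing header into pairs, trim them,
# and keep each distinct "name=value" pair once, existing pairs first.
sub merge_dedup {
    my ($old, @cval) = @_;
    my @old = defined $old ? split(/;/, $old) : ();
    my (%seen, @out);
    for my $pair (@old, @cval) {
        $pair =~ s/^\s+|\s+$//g;
        next if $pair eq '' || $seen{$pair}++;
        push @out, $pair;
    }
    return join "; ", @out;
}

# Run the same request header through $hops passes of a merge routine,
# mirroring the repeated add_cookie_header() calls during the redirects.
sub replay {
    my ($merge, $hops) = @_;
    my $header;
    $header = $merge->($header, @jar) for 1 .. $hops;
    return $header;
}

for my $case ([naive => \&merge_naive], [dedup => \&merge_dedup]) {
    my ($name, $merge) = @$case;
    for my $hops (1 .. 3) {
        my $header = replay($merge, $hops);
        my @pairs  = split /;\s*/, $header;
        printf "%-5s pass %d: %5d bytes, %2d cookie pairs\n",
            $name, $hops, length($header), scalar @pairs;
    }
}
```

Like the reporter's patch, merge_dedup compares whole name=value pairs, so a cookie whose value changed between passes would still be sent twice, once with each value.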