This queue is for tickets about the Apache-Session-Wrapper CPAN distribution.

Report information
The Basics
Id: 78203
Status: open
Priority: 0/
Queue: Apache-Session-Wrapper

People
Owner: Nobody in particular
Requestors: gregoa [...] debian.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From: gregoa [...] cpan.org
Subject: use_cookie + allow_invalid_id doesn't work with malformed cookies
This bug has been forwarded from http://bugs.debian.org/680186

Thanks in advance,
gregor herrmann, Debian Perl Group
Oops, there's something missing:

From http://bugs.debian.org/680186 :

From: Alexander Zangerl <az@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#680186: use_cookie + allow_invalid_id doesn't work with malformed cookies
Date: Wed, 04 Jul 2012 20:25:57 +1000
Reply-To: Alexander Zangerl <az@debian.org>, 680186@bugs.debian.org

if a client sends a totally malformed cookie then Apache2::Cookie::Jar dies (either on construction or on access using cookies()) and the session wrapper dies as well, regardless of allow_invalid_id being on or not.

furthermore, if the format of the cookie value is syntactically correct but doesn't match the format wanted by the respective session module, then the validation function in the id generator module dies - and the wrapper doesn't catch that and dies, disregarding allow_invalid_id.

the attached tiny patch takes care of both issues: by catching exceptions on cookie access, and by looking for the "invalid id" indicators provided by the session id generator modules.

regards
az

The patch can be found in the Debian Bug report.
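
The two failure paths described in the report, and the defensive handling it asks for, as an added example that is not the Debian patch or the module's own code. The functions `parse_cookie_header`, `validate_session_id` and `session_id_from_request`, the cookie name `sid`, the 32-hex-digit ID format and the error strings are hypothetical stand-ins, so the script runs without Apache or mod_perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a cookie parser that dies on malformed input,
# which is the behaviour the report attributes to Apache2::Cookie::Jar.
sub parse_cookie_header {
    my ($header) = @_;
    my %jar;
    for my $pair ( split /;\s*/, $header ) {
        my ( $name, $value ) = split /=/, $pair, 2;
        die "malformed cookie: '$pair'\n"
            unless defined $value && $name =~ /\A[\w.-]+\z/;
        $jar{$name} = $value;
    }
    return \%jar;
}

# Hypothetical stand-in for a session ID generator's validation routine:
# dies when the ID is not in the assumed format (32 lowercase hex digits).
sub validate_session_id {
    my ($id) = @_;
    die "Invalid session ID: $id\n" unless $id =~ /\A[0-9a-f]{32}\z/;
    return $id;
}

# Returns a validated ID, or undef when the caller should start a new session.
sub session_id_from_request {
    my ( $header, %opt ) = @_;
    my $id = eval {
        my $jar = parse_cookie_header($header);
        return undef unless exists $jar->{ $opt{cookie_name} };
        validate_session_id( $jar->{ $opt{cookie_name} } );
    };
    if ( my $err = $@ ) {
        # Swallow only the two client-triggerable failures, and only when
        # allow_invalid_id is set; anything else is a real error.
        die $err
            unless $opt{allow_invalid_id}
            && $err =~ /\A(?:malformed cookie|Invalid session ID)/;
        return undef;
    }
    return $id;
}

# Constructed inputs: a well-formed ID, a wrong-format ID, a malformed cookie.
for my $header ( 'sid=' . ( 'a' x 32 ), 'sid=not-a-session-id', 'sid' ) {
    my $id = session_id_from_request( $header,
        cookie_name => 'sid', allow_invalid_id => 1 );
    printf "%-38s => %s\n", $header, defined $id ? "resume $id" : 'new session';
}
```

With `allow_invalid_id => 0` the same two bad inputs propagate the exception to the caller instead of falling back to a new session.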