Bug#680186: use_cookie + allow_invalid_id doesn't work with malformed cookies

Alexander Zangerl az at debian.org
Wed Jul 4 10:25:57 UTC 2012 

Package: libapache-session-wrapper-perl
Version: 0.34-1
Severity: normal
Tags: patch upstream

if a client sends a totally malformed cookie then Apache2::Cookie::Jar
dies (either on construction or on access using cookies()) and the 
session wrapper dies as well, regardless of allow_invalid_id being on
or not.

furthermore, if the format of the cookie value is syntactically correct but
doesn't match the format wanted by the respective session module, then 
the validation function in the id generator module dies - and 
the wrapper doesn't catch that and dies, disregarding allow_invalid_id.

the attached tiny patch takes care of both issues: by catching exceptions
on cookie access, and by looking for the "invalid id" indicators provided
by the session id generator modules.

regards
az
-------------- next part --------------
--- Wrapper.pm.orig	2012-07-04 20:11:21.000000000 +1000
+++ Wrapper.pm	2012-07-04 20:14:34.000000000 +1000
@@ -651,8 +651,12 @@
 
     if ( $MOD_PERL == 2 )
     {
-        my $jar = Apache2::Cookie::Jar->new( @{ $self->{fetch_cookie_args} } );
-        my $c   = $jar->cookies( $self->{cookie_name} );
+	# dud cookies cause the jar loader and/or the cookies accessor to 
+	# crash and 'allow_invalid_id' isn't even reached
+        my $jar = eval { Apache2::Cookie::Jar->new( @{ $self->{fetch_cookie_args} } ) };
+	return undef if ($@);
+        my $c = eval { $jar->cookies( $self->{cookie_name} ); };
+	return undef if ($@);
         return $c->value if $c;
     }
     else
@@ -706,7 +710,10 @@
     my $err = shift;
     my $session_id = shift;
 
-    if ( $err =~ /Object does not exist/ && defined $session_id )
+    # the current id generator modules all do some validation for
+    # the format of the id, but this wrapper treats those cases as 
+    # terminal even if allow_invalid_id is on
+    if ( $err =~ /(Object does not exist|[iI]nvalid session ID)/ && defined $session_id )
     {
         return if $self->{allow_invalid_id};

More information about the pkg-perl-maintainers mailing list