On Fri, 12 Nov 2010, Clinton Gormley wrote:
> On Fri, 2010-11-12 at 11:59 -0800, Mark Hedges wrote:
> >
> > Sorry if I don't understand what's going on, but is this a
> > bug that causes the cookie header to have only the value '1'
> > instead of proper headers?
> >
> > https://rt.cpan.org/Public/Bug/Display.html?id=61744
> >
> > Since there's some activity/interest in a new release,
> > maybe someone can offer their opinion whether the
> > suggested fix in the bug report above is a good idea, or
> > whether this is something that needs to be fixed in
> > Apache2::Cookie. I haven't been able to duplicate it--
> > maybe because I use Debian?
>
> I had a read of your bug and the conversation it links to.
> This isn't a bug in libapreq or Apache2::Cookie - some
> process somewhere (and it could be from an advert on the
> user's site) is setting an invalid cookie, which then gets
> passed back to apache.
>
> Apache2::Cookie tries to parse it, and chokes on it,
> throwing an error. However, you can change how you use
> Apache2::Cookie to ignore the error and just retrieve
> valid cookies as discussed in the conversation linked to
> in that bug report:
> http://comments.gmane.org/gmane.comp.apache.apreq/4477
>
> clint

Could Apache2::Cookie::Jar maybe have an option to skip
NOTOKEN errors when reading the jar? Then it would do
something like below. Or does the eval have to happen in
the 'each %attrs' loop of Jar->new()?

It just seems like this is a universal problem. If the
client presents a bad cookie, shouldn't we just ignore it?
It may be unrealistic to demand that the world be free of
buggy browsers.

--mark--

--- /usr/lib/perl5/Apache2/Cookie.pm.orig 2010-12-21 15:05:24.000000000 -0800
+++ /usr/lib/perl5/Apache2/Cookie.pm 2010-12-21 15:21:22.000000000 -0800
@@ -4,6 +4,7 @@
use APR::Request::Cookie;
use APR::Request::Apache2;
use APR::Request qw/encode decode/;
+use APR::Request::Error ();
use Apache2::RequestRec;
use Apache2::RequestUtil;
use overload '""' => sub { shift->as_string() }, fallback => 1;
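
Review bot: the file header diffs an installed copy (/usr/lib/perl5/Apache2/Cookie.pm.orig against the live /usr/lib/perl5/Apache2/Cookie.pm) rather than a path inside the project's source tree, so the patch will not apply with the usual -p1 and should be regenerated against the source. The added 'use APR::Request::Error ();' imports nothing, which is consistent with the fully qualified APR::Request::Error::NOTOKEN in the next hunk, but a one-line comment saying it is loaded only for that constant would help the next reader.
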
@@ -101,8 +102,21 @@
*Apache2::Cookie::Jar::status = *APR::Request::jar_status;
sub new {
- my $class = shift;
- my $jar = $class->APR::Request::Apache2::handle(shift);
+ my ($class, $r) = @_;
+ my $jar;
+ eval { $jar = $class->APR::Request::Apache2::handle($r) };
+ if (my $err = $@) {
+ my $ref = ref $err;
+ if ( $ref eq 'APR::Request::Error'
+ && $err == APR::Request::Error::NOTOKEN
+ ) {
+ # skip bad cookies by getting jar from error
+ $jar = $err->jar;
+ }
+ else {
+ die $err; # rethrows any other APR::Error
+ }
+ }
my %attrs = @_;
while (my ($k, $v) = each %attrs) {
$k =~ s/^-//;
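
Review bot: 'my ($class, $r) = @_;' copies the class and request without shifting them off @_, so the unchanged 'my %attrs = @_;' right after the new block now builds the hash from the full argument list, beginning with the pair $class => $r, where the old code (two shifts) left only the trailing option pairs. Keep 'my $class = shift; my $r = shift;' ahead of the eval so the 'each %attrs' loop still sees only options. Two smaller points in the same block: 'ref $err eq ...' matches only the exact class name APR::Request::Error, so an error object of any subclass would be rethrown even when it compares equal to NOTOKEN, and an isa check would be more robust; and NOTOKEN is swallowed unconditionally with no log line, whereas the message above proposes this as an option, so an opt-in attribute would preserve the current behaviour for callers that want to see the error.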