The issue has nothing to do with browsers. It has to do
with 3rd party apps that generate bogus cookies. If you
want apreq to ignore those cookies, just use eval {} and
trap the exception.
If you want to fix those 3rd party cookie apps, it's good
that apreq lets you know there's a problem.
----- Original Message ----
> From: Mark Hedges <hed...@formdata.biz>
> To: apreq-dev@httpd.apache.org
> Sent: Tue, December 21, 2010 6:24:14 PM
> Subject: skip bad cookie value in Apache2::Cookie::Jar?
>
>
> On Fri, 12 Nov 2010, Clinton Gormley wrote:
>
> > On Fri, 2010-11-12 at 11:59 -0800, Mark Hedges wrote:
> > >
> > > Sorry if I don't understand what's going on, but is this a
> > > bug that causes the cookie header to have only the value '1'
> > > instead of proper headers?
> > >
> > > https://rt.cpan.org/Public/Bug/Display.html?id=61744
> > >
> > > Since there's some activity/interest in a new release,
> > > maybe someone can offer their opinion whether the
> > > suggested fix in the bug report above is a good idea, or
> > > whether this is something that needs to be fixed in
> > > Apache2::Cookie. I haven't been able to duplicate it--
> > > maybe because I use Debian?
> >
> > I had a read of your bug and the conversation it links to.
> > This isn't a bug in libapreq or Apache2::Cookie - some
> > process somewhere (and it could be from an advert on the
> > user's site) is setting an invalid cookie, which then gets
> > passed back to apache.
> >
> > Apache2::Cookie tries to parse it, and chokes on it,
> > throwing an error. However, you can change how you use
> > Apache2::Cookie to ignore the error and just retrieve
> > valid cookies as discussed in the conversation linked to
> > in that bug report:
> > http://comments.gmane.org/gmane.comp.apache.apreq/4477
> >
> > clint
>
> Could Apache2::Cookie::Jar maybe have an option to skip
> NOTOKEN errors when reading the jar? Then it would do
> something like below. Or does the eval have to happen in
> the 'each %attrs' loop of Jar->new().
>
> It just seems like this is a universal problem. If the
> client presents a bad cookie, shouldn't we just ignore it?
> It may be unrealistic to demand that the world be free of
> buggy browsers.
>
> --mark--
>
> --- /usr/lib/perl5/Apache2/Cookie.pm.orig 2010-12-21 15:05:24.000000000
>-0800
> +++ /usr/lib/perl5/Apache2/Cookie.pm 2010-12-21 15:21:22.000000000 -0800
> @@ -4,6 +4,7 @@
> use APR::Request::Cookie;
> use APR::Request::Apache2;
> use APR::Request qw/encode decode/;
> +use APR::Request::Error ();
> use Apache2::RequestRec;
> use Apache2::RequestUtil;
> use overload '""' => sub { shift->as_string() }, fallback => 1;
> @@ -101,8 +102,21 @@
> *Apache2::Cookie::Jar::status = *APR::Request::jar_status;
>
> sub new {
> - my $class = shift;
> - my $jar = $class->APR::Request::Apache2::handle(shift);
> + my ($class, $r) = @_;
> + my $jar;
> + eval { $jar = $class->APR::Request::Apache2::handle($r) };
> + if (my $err = $@) {
> + my $ref = ref $err;
> + if ( $ref eq 'APR::Request::Error'
> + && $err == APR::Request::Error::NOTOKEN
> + ) {
> + # skip bad cookies by getting jar from error
> + $jar = $err->jar;
> + }
> + else {
> + die $err; # rethrows any other APR::Error
> + }
> + }
> my %attrs = @_;
> while (my ($k, $v) = each %attrs) {
> $k =~ s/^-//;
>
>
