https://bz.apache.org/bugzilla/show_bug.cgi?id=63434

            Bug ID: 63434
           Summary: Multiple Cookie headers combined to one header line
           Product: Apache httpd-2
           Version: 2.4.39
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

RFC 6265, 5.4. The Cookie Header says

"When the user agent generates an HTTP request, the user agent MUST NOT attach
more than one Cookie header field."

However, httpd combines multiple Cookie headers into one header line; e.g.

Cookie: foo1=bar1
Cookie: foo2=bar2
Cookie: foo3=bar3

becomes "Cookie: foo1=bar1, foo2=bar2, foo3=bar3" (which in turn violates
syntax definition in RFC 6265, 4.2.1. Syntax).

The call of apr_table_compress() in
server/protocol.c:ap_get_mime_headers_core() leads to this misbehaviour

https://github.com/apache/httpd/blob/trunk/server/protocol.c#L1274

Cheers, Armin
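
The effect of the merged line on a downstream cookie parser, as an added example that is not part of the original report or of httpd's code. `join_values` is a stand-in that reproduces the merged output quoted in the report, and `cookie_get` and `lookup_after_merge` are hypothetical helpers that split pairs on `;` only, as the RFC 6265 cookie-string grammar does.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for the merge step: fold repeated header values into one line. */
static void join_values(const char *const *vals, size_t n, const char *sep,
                        char *out, size_t cap)
{
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strncat(out, i ? sep : "", cap - strlen(out) - 1);
        strncat(out, vals[i], cap - strlen(out) - 1);
    }
}

/* Hypothetical backend lookup: ';' is the only pair delimiter. 1 = found. */
static int cookie_get(const char *header, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (*p) {
        while (*p == ' ') p++;
        const char *end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        if ((size_t)(end - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
            size_t vlen = (size_t)(end - p) - nlen - 1;
            if (vlen >= cap) vlen = cap - 1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* Merge the three Cookie values from the report with `sep`, then look up `name`. */
static int lookup_after_merge(const char *sep, const char *name, char *out, size_t cap)
{
    static const char *const vals[] = { "foo1=bar1", "foo2=bar2", "foo3=bar3" };
    char line[128];
    join_values(vals, 3, sep, line, sizeof line);
    return cookie_get(line, name, out, cap);
}

int main(void)
{
    char v[64];
    printf("\", \" merge: foo2 found=%d\n", lookup_after_merge(", ", "foo2", v, sizeof v));
    printf("\"; \" merge: foo2 found=%d\n", lookup_after_merge("; ", "foo2", v, sizeof v));
    return 0;
}
```

With the comma-joined line, foo2 and foo3 are not visible as cookies and the value of foo1 absorbs the rest of the line, which matters wherever an application reads session or CSRF cookies behind httpd.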
