https://bz.apache.org/bugzilla/show_bug.cgi?id=63434
--- Comment #4 from Armin Abfalterer <[email protected]> ---
(In reply to Yann Ylavic from comment #3)
> So, since comma in a header is equivalent to multiple headers, do you
> propose that httpd rejects (with status 4xx) any request with either
> multiple Cookie headers or a single one containing comma(s)?
>
> Because turning multiple Cookie headers into a single one with semicolon(s)
> is not the same HTTP request (while the comma preserves semantics), the only
> possible action would be to reject.

I'd propose either to reject a request with multiple Cookie headers or to turn multiple Cookie headers into one where each cookie-pair is separated by a semicolon.

In any case I'd propose to reject a request with comma-separated cookie-pairs in a Cookie header.

> Also, it seems to me that Cookie is an application thingy, not an HTTP one,
> so why would httpd reject it if the HTTP header is valid?
> With comma separated cookies, the application can detect and reject, not if
> httpd changes the semantics..

In my opinion separated cookie pairs are an HTTP protocol violation so httpd should not allow this at all; e.g. such a request should not hit backend servers when mod_proxy is in use.
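The two options discussed in this comment, sketched as an added example that is not part of the original thread and is not httpd code: `fold_generic` shows why two Cookie headers and one comma-joined header are indistinguishable after generic list folding, and `apply_cookie_policy` implements the proposed reject-or-merge handling. Both function names and the `merge_multiple` switch are hypothetical, and the sample headers in the test are constructed.

```python
# Added illustration; names here are hypothetical, not httpd APIs.

def fold_generic(headers, name="Cookie"):
    """Generic HTTP list folding: repeated fields become one comma-joined value."""
    return ", ".join(v for n, v in headers if n.lower() == name.lower())


def apply_cookie_policy(headers, merge_multiple=False):
    """Apply the handling proposed in the comment to a request's header list.

    headers: list of (name, value) tuples in wire order.
    Returns (400, None) when the request is rejected, otherwise
    (200, headers_to_forward).
    """
    cookies = [v for n, v in headers if n.lower() == "cookie"]
    others = [(n, v) for n, v in headers if n.lower() != "cookie"]

    if not cookies:
        return 200, headers

    # A comma inside a Cookie value is always rejected. RFC 6265's
    # cookie-octet grammar excludes the comma, so a compliant cookie-pair
    # never contains one.
    if any("," in v for v in cookies):
        return 400, None

    if len(cookies) > 1:
        if not merge_multiple:
            # Option 1: reject requests carrying several Cookie headers.
            return 400, None
        # Option 2: join the cookie-pairs with "; " into one header.
        merged = "; ".join(v.strip().strip(";").strip() for v in cookies)
        return 200, others + [("Cookie", merged)]

    return 200, headers
```

With `merge_multiple=True` the forwarded request differs from the one received, which is the objection quoted from comment #3; the strict mode never rewrites, it only refuses.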
