Package: libapache-session-wrapper-perl Version: 0.34-1 Severity: normal Tags: patch upstream
if a client sends a totally malformed cookie then Apache2::Cookie::Jar dies (either on construction or on access using cookies()) and the session wrapper dies as well, regardless of allow_invalid_id being on or not. furthermore, if the format of the cookie value is syntactically correct but doesn't match the format wanted by the respective session module, then the validation function in the id generator module dies - and the wrapper doesn't catch that and dies, disregarding allow_invalid_id. the attached tiny patch takes care of both issues: by catching exceptions on cookie access, and by looking for the "invalid id" indicators provided by the session id generator modules. regards az
--- Wrapper.pm.orig 2012-07-04 20:11:21.000000000 +1000 +++ Wrapper.pm 2012-07-04 20:14:34.000000000 +1000 @@ -651,8 +651,12 @@ if ( $MOD_PERL == 2 ) { - my $jar = Apache2::Cookie::Jar->new( @{ $self->{fetch_cookie_args} } ); - my $c = $jar->cookies( $self->{cookie_name} ); + # dud cookies cause the jar loader and/or the cookies accessor to + # crash and 'allow_invalid_id' isn't even reached + my $jar = eval { Apache2::Cookie::Jar->new( @{ $self->{fetch_cookie_args} } ) }; + return undef if ($@); + my $c = eval { $jar->cookies( $self->{cookie_name} ); }; + return undef if ($@); return $c->value if $c; } else @@ -706,7 +710,10 @@ my $err = shift; my $session_id = shift; - if ( $err =~ /Object does not exist/ && defined $session_id ) + # the current id generator modules all do some validation for + # the format of the id, but this wrapper treats those cases as + # terminal even if allow_invalid_id is on + if ( $err =~ /(Object does not exist|[iI]nvalid session ID)/ && defined $session_id ) { return if $self->{allow_invalid_id};