Attached is a patch by Manni Wood for the 1.3.x series that fixes a
problem in mod_usertrack where the usertracking cookie will be incorrectly
identified. It simply switches from a strstr to a regex match.
The equivalent patch has already been committed to 2.1 and 2.0. Votes for
1.3 inclusion?
+1 from me.
--Cliff
--- mod_usertrack-old.c 2003-09-24 21:40:55.000000000 -0400
+++ mod_usertrack.c 2003-09-24 22:33:35.000000000 -0400
@@ -126,6 +126,8 @@
char *cookie_name;
char *cookie_domain;
char *prefix_string;
+ char *regexp_string; /* used to compile regexp; save for debugging */
+ regex_t *regexp; /* used to find usertrack cookie in cookie header */
} cookie_dir_rec;
/* Define this to allow post-2000 cookies. Cookies use two-digit dates,
@@ -284,35 +286,48 @@
return;
}
+/* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)",
+ * which has three subexpressions, $0..$2 */
+#define NUM_SUBS 3
+
static int spot_cookie(request_rec *r)
{
cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config,
&usertrack_module);
- const char *cookie;
- char *value;
+ const char *cookie_header;
+ regmatch_t regm[NUM_SUBS];
+ int i;
if (!dcfg->enabled) {
return DECLINED;
}
- if ((cookie = ap_table_get(r->headers_in,
- (dcfg->style == CT_COOKIE2
- ? "Cookie2"
- : "Cookie"))))
- if ((value = strstr(cookie, dcfg->cookie_name))) {
- char *cookiebuf, *cookieend;
-
- value += strlen(dcfg->cookie_name) + 1; /* Skip over the '=' */
- cookiebuf = ap_pstrdup(r->pool, value);
- cookieend = strchr(cookiebuf, ';');
- if (cookieend)
- *cookieend = '\0'; /* Ignore anything after a ; */
-
- /* Set the cookie in a note, for logging */
- ap_table_setn(r->notes, "cookie", cookiebuf);
+ if ((cookie_header = ap_table_get(r->headers_in,
+ (dcfg->style == CT_COOKIE2
+ ? "Cookie2"
+ : "Cookie")))) {
+ if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) {
+ char *cookieval = NULL;
+ /* Our regexp,
+ * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
+ * only allows for $1 or $2 to be available. ($0 is always
+ * filled with the entire matched expression, not just
+ * the part in parentheses.) So just check for either one
+ * and assign to cookieval if present. */
+ if (regm[1].rm_so != -1) {
+ cookieval = ap_pregsub(r->pool, "$1", cookie_header,
+ NUM_SUBS, regm);
+ }
+ if (regm[2].rm_so != -1) {
+ cookieval = ap_pregsub(r->pool, "$2", cookie_header,
+ NUM_SUBS, regm);
+ }
+ /* Set the cookie in a note, for logging */
+ ap_table_setn(r->notes, "cookie", cookieval);
- return DECLINED; /* There's already a cookie, no new one */
- }
+ return DECLINED; /* There's already a cookie, no new one */
+ }
+ }
make_cookie(r);
return OK; /* We set our cookie */
}
@@ -422,7 +437,26 @@
{
cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig;
+ /* The goal is to end up with this regexp,
+ * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
+ * with cookie_name
+ * obviously substituted with the real cookie name set by the
+ * user in httpd.conf. */
+ dcfg->regexp_string = ap_pstrcat(cmd->pool, "^", name,
+ "=([^;]+)|;[ \t]+", name,
+ "=([^;]+)", NULL);
+
dcfg->cookie_name = ap_pstrdup(cmd->pool, name);
+
+ dcfg->regexp = ap_pregcomp(cmd->pool, dcfg->regexp_string, REG_EXTENDED);
+ if (dcfg->regexp == NULL) {
+ return "Regular expression could not be compiled.";
+ }
+ if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) {
+ return ap_pstrcat(cmd->pool, "Invalid cookie name \"",
+ name, "\"", NULL);
+ }
+
return NULL;
}
