On 07/19/2008 06:08 PM, Nick Kew wrote:
Reviewing the backport proposal in STATUS, it amounts to http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=639465&r2=664330&pathrev=664330 It still seems to be at risk of generating a malformed cookie, if secure is unset (NULL) but httponly is set. Shouldn't it guard against this by reporting a syntax error if secure (or indeed httponly) is set to an unrecognised value? Or have I just been staring at a screen for too long?
Unless I am confused as well it is the later :-). If secure is unset or has the wrong value the result of the ? operator will be NULL. It doesn't matter what value comes after that as apr_pstrcat does only cat the strings until it reaches the first NULL parameter. Regards RĂ¼diger
