[jira] [Work logged] (TS-4653) ESI plugin - $HTTP_COOKIE can leak important cookie info unintentionally

Thu, 14 Jul 2016 01:45:44 -0700 

     [ 
https://issues.apache.org/jira/browse/TS-4653?focusedWorklogId=25475&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-25475
 ]

ASF GitHub Bot logged work on TS-4653:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Jul/16 08:45
            Start Date: 14/Jul/16 08:45
    Worklog Time Spent: 10m 
      Work Description: GitHub user shukitchan opened a pull request:

    https://github.com/apache/trafficserver/pull/798

    TS-4653: esi plugin - disable HTTP_COOKIE variable by default and imp…

    …lement a whitelist mechanism to allow the specified cookies for it
    
    Original code and idea contributed by Chris Rohlf ([email protected])
    
    @bryancall / @jpeach , pls help to review. Thanks a lot.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shukitchan/trafficserver esicookiepatch

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/798.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #798
    
----
commit 2caf4e54aedb0428ad3dd9233c5f12958e28546b
Author: Kit Chan <[email protected]>
Date:   2016-07-14T08:42:24Z

    TS-4653: esi plugin - disable HTTP_COOKIE variable by default and implement 
a whitelist mechanism to allow the specified cookies for it

----


Issue Time Tracking
-------------------

            Worklog Id:     (was: 25475)
            Time Spent: 10m
    Remaining Estimate: 0h

> ESI plugin - $HTTP_COOKIE can leak important cookie info unintentionally
> ------------------------------------------------------------------------
>
>                 Key: TS-4653
>                 URL: https://issues.apache.org/jira/browse/TS-4653
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Kit Chan
>            Assignee: Kit Chan
>             Fix For: 7.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In the ESI spec, we can print out cookie information with $HTTP_COOKIE. This 
> can be problematic and unintentionally print out sensitive info on a web page.
> We should have mechanism to disable this by default and allow us to fine tune 
> it so we can choose to expose this functionality for only the cookie that we 
> allow 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to