[ 
https://issues.apache.org/jira/browse/TS-4653?focusedWorklogId=25572&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-25572
 ]

ASF GitHub Bot logged work on TS-4653:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Jul/16 15:37
            Start Date: 17/Jul/16 15:37
    Worklog Time Spent: 10m 
      Work Description: Github user zwoop commented on a diff in the pull 
request:

    https://github.com/apache/trafficserver/pull/798#discussion_r71084358
  
    --- Diff: plugins/experimental/esi/lib/Variables.cc ---
    @@ -357,9 +357,26 @@ Variables::_parseCookieString(const char *str, int 
str_len)
       AttributeList cookies;
       Utils::parseAttributes(str, str_len, cookies, ";,");
       for (AttributeList::iterator iter = cookies.begin(); iter != 
cookies.end(); ++iter) {
    -    _insert(_dict_data[HTTP_COOKIE], string(iter->name, iter->name_len), 
string(iter->value, iter->value_len));
    -    _debugLog(_debug_tag, "[%s] Inserted cookie with name [%.*s] and value 
[%.*s]", __FUNCTION__, iter->name_len, iter->name,
    -              iter->value_len, iter->value);
    +    std::string v = iter->name;
    +    size_t eq     = v.find("=");
    +
    +    if (eq != std::string::npos) {
    +      v = v.substr(0, eq);
    +    }
    +
    +    bool found = false;
    +    for (Utils::HeaderValueList::iterator lz = _whitelistCookies.begin(); 
lz != _whitelistCookies.end(); ++lz) {
    +      std::string c = *lz;
    --- End diff --
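    Review bot: `std::string v = iter->name;` drops the length that the removed `string(iter->name, iter->name_len)` carried; if `name` points into the raw cookie buffer rather than a NUL-terminated copy, `v` will run past the attribute and the whitelist compare will never match. Use `std::string v(iter->name, iter->name_len);`. The removed `_insert` also used `iter->value` separately, which suggests `parseAttributes` already splits on `=`; if so, the `v.find("=")` branch is dead code and deserves a comment saying which input shape it is for, and the dropped `_debugLog` should come back once the whitelist decision is known so rejected cookies are visible when debugging.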
    
    Maybe this is the norm for the esi, but why create this intermediary std::string c? That seems inefficient and unnecessary? Can't you just use the *lz?


Issue Time Tracking
-------------------

    Worklog Id:     (was: 25572)
    Time Spent: 2.5h  (was: 2h 20m)

> ESI plugin - $HTTP_COOKIE can leak important cookie info unintentionally
> ------------------------------------------------------------------------
>
>                 Key: TS-4653
>                 URL: https://issues.apache.org/jira/browse/TS-4653
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Kit Chan
>            Assignee: Kit Chan
>             Fix For: 7.0.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> In the ESI spec, we can print out cookie information with $HTTP_COOKIE. This 
> can be problematic and unintentionally print out sensitive info on a web page.
> We should have a mechanism to disable this by default and allow us to fine tune 
> it so we can choose to expose this functionality for only the cookies that we 
> allow.
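
As an added illustration of the allow-list mechanism the issue asks for, not code from the pull request or from Traffic Server: a small C++ filter that parses a Cookie header into pointer/length attributes (a hypothetical stand-in for Utils::parseAttributes) and inserts only the cookies whose names are on the allow list, keeping the explicit lengths the original _insert call relied on.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>
// Parsed cookie as pointer + length into the input buffer (stand-in for the plugin's AttributeList entry).
struct Attribute {
  const char *name;  int name_len;
  const char *value; int value_len;
};
// Split a Cookie header on ';' or ',' and each piece on its first '='.
// Hypothetical stand-in for Utils::parseAttributes, not the plugin's code.
static std::vector<Attribute> parseCookieAttributes(const char *str, int str_len) {
  std::vector<Attribute> out;
  int start = 0;
  for (int i = 0; i <= str_len; ++i) {
    if (i == str_len || str[i] == ';' || str[i] == ',') {
      int s = start, e = i;
      while (s < e && str[s] == ' ') ++s;      // trim leading blanks
      while (e > s && str[e - 1] == ' ') --e;  // trim trailing blanks
      if (s < e) {
        Attribute a = {str + s, e - s, str + e, 0};  // default: no '=' present
        for (int k = s; k < e; ++k) {
          if (str[k] == '=') {
            a.name_len  = k - s;
            a.value     = str + k + 1;
            a.value_len = e - (k + 1);
            break;
          }
        }
        out.push_back(a);
      }
      start = i + 1;
    }
  }
  return out;
}

// Keep only cookies whose names are on the allow list; name and value are copied
// with explicit lengths, so the input buffer need not be NUL-terminated.
std::map<std::string, std::string> filterCookies(const char *str, int str_len, const std::vector<std::string> &allow) {
  std::map<std::string, std::string> dict;
  std::vector<Attribute> cookies = parseCookieAttributes(str, str_len);
  for (size_t i = 0; i < cookies.size(); ++i) {
    std::string name(cookies[i].name, cookies[i].name_len);
    if (std::find(allow.begin(), allow.end(), name) != allow.end()) {
      dict[name] = std::string(cookies[i].value, cookies[i].value_len);
    }
  }
  return dict;
}
```

With an empty allow list nothing is exposed, which is the "disabled by default" behaviour the issue asks for.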



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
