[ https://issues.apache.org/jira/browse/TS-4653?focusedWorklogId=25574&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-25574 ]
ASF GitHub Bot logged work on TS-4653:
--------------------------------------
Author: ASF GitHub Bot
Created on: 17/Jul/16 15:39
Start Date: 17/Jul/16 15:39
Worklog Time Spent: 10m
Work Description: Github user zwoop commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/798#discussion_r71084383
--- Diff: plugins/experimental/esi/esi.cc ---
@@ -61,6 +61,7 @@ struct OptionInfo {
};
static HandlerManager *gHandlerManager = NULL;
+static Utils::HeaderValueList gWhitelistCookies;
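Review bot: `gWhitelistCookies` is declared as a file-scope static next to `gHandlerManager`, so there is exactly one cookie allow-list for the whole plugin no matter how many handler configurations exist; if the list is meant to be tunable per configuration, as the issue's "fine tune" wording suggests, it belongs in the handler's config object rather than in a global. Whichever placement is chosen, the declaration should carry a comment stating the contract that gives the issue its "disabled by default" behaviour, namely that the list starts empty (assuming Utils::HeaderValueList default-constructs empty) and that an empty list means $HTTP_COOKIE exposes nothing, so a later config loader cannot quietly turn "nothing configured" into "allow all".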
--- End diff --
I'm not familiar with the ESI plugin, but there's only one "config" ever?
It sort of feels that the whitelist ought to be associated with the handler
(config) no? Even if not supported now, maybe later you would want to?
Issue Time Tracking
-------------------
Worklog Id: (was: 25574)
Time Spent: 2h 40m (was: 2.5h)
> ESI plugin - $HTTP_COOKIE can leak important cookie info unintentionally
> ------------------------------------------------------------------------
>
> Key: TS-4653
> URL: https://issues.apache.org/jira/browse/TS-4653
> Project: Traffic Server
> Issue Type: Bug
> Components: Plugins
> Reporter: Kit Chan
> Assignee: Kit Chan
> Fix For: 7.0.0
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> In the ESI spec, we can print out cookie information with $HTTP_COOKIE. This
> can be problematic and unintentionally print out sensitive info on a web page.
> We should have a mechanism to disable this by default and allow us to fine-tune
> it so we can choose to expose this functionality only for the cookies that we
> allow.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
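The issue describes an allow-list policy for $HTTP_COOKIE: expose nothing by default, and re-serialise only the cookies an operator has explicitly allowed. The following is an added, stand-alone example of that policy and is not code from the ESI plugin or from this pull request; `CookieAllowList`, `parseCookieHeader`, `filterCookieHeader` and `lookupCookie` are names chosen here, and `CookieAllowList` is a plain `std::set` standing in for the patch's `Utils::HeaderValueList`, whose definition the page does not show. It parses a Cookie request header into name/value pairs, drops every cookie not on the allow-list (so an empty list, the default, yields an empty string), and shows the same deny-by-default rule applied to a single-cookie lookup.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical allow-list type for this example; the plugin's real type
// (Utils::HeaderValueList) is not shown on the page.
using CookieAllowList = std::set<std::string>;

struct Cookie {
  std::string name;
  std::string value;
};

// Strip leading/trailing spaces and tabs, the only whitespace a Cookie header carries.
static std::string trim(const std::string &s) {
  const char *ws = " \t";
  std::size_t b = s.find_first_not_of(ws);
  if (b == std::string::npos) return "";
  std::size_t e = s.find_last_not_of(ws);
  return s.substr(b, e - b + 1);
}

// Parse a Cookie request header ("a=1; b=2") into name/value pairs, preserving order.
// Empty segments (";;") are skipped; a segment without '=' becomes a cookie with an
// empty value. Names are matched case-sensitively, as RFC 6265 cookie names are.
std::vector<Cookie> parseCookieHeader(const std::string &header) {
  std::vector<Cookie> out;
  std::size_t start = 0;
  while (start <= header.size()) {
    std::size_t semi = header.find(';', start);
    if (semi == std::string::npos) semi = header.size();
    std::string segment = trim(header.substr(start, semi - start));
    if (!segment.empty()) {
      std::size_t eq = segment.find('=');
      if (eq == std::string::npos) {
        out.push_back({segment, ""});
      } else {
        out.push_back({trim(segment.substr(0, eq)), trim(segment.substr(eq + 1))});
      }
    }
    start = semi + 1;
  }
  return out;
}

// The value $HTTP_COOKIE would expand to under an allow-list policy: only cookies
// whose name is explicitly allowed are re-serialised, in their original order.
// With an empty allow-list (the default) nothing is exposed.
std::string filterCookieHeader(const std::string &header, const CookieAllowList &allow) {
  std::string out;
  for (const Cookie &c : parseCookieHeader(header)) {
    if (allow.count(c.name) == 0) continue;  // deny by default
    if (!out.empty()) out += "; ";
    out += c.name + "=" + c.value;
  }
  return out;
}

// Single-cookie lookup under the same policy: the value is returned only if the
// cookie is both present and allowed; otherwise "" so the template sees it as absent.
std::string lookupCookie(const std::string &header, const std::string &name,
                         const CookieAllowList &allow) {
  if (allow.count(name) == 0) return "";
  for (const Cookie &c : parseCookieHeader(header)) {
    if (c.name == name) return c.value;
  }
  return "";
}

int main() {
  // Constructed sample header: a session token next to two harmless preference cookies.
  const std::string header = "sessionid=abc123; lang=en; theme=dark";
  std::cout << "default (empty list): [" << filterCookieHeader(header, CookieAllowList{}) << "]\n";
  std::cout << "lang,theme allowed:   [" << filterCookieHeader(header, CookieAllowList{"lang", "theme"}) << "]\n";
  std::cout << "lookup sessionid:     [" << lookupCookie(header, "sessionid", CookieAllowList{"lang"}) << "]\n";
  return 0;
}
```

The filter re-serialises rather than substring-matching the raw header, so a cookie whose name merely contains an allowed name (for example `lang_backup`) is not let through, and the whitespace tolerance in `trim` means operator-facing config and client-sent headers compare on the same normalised names.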