Re: Cookie parsing errors: conflicting information, expected token not present
----- Original Message -----
From: Clinton Gormley <cl...@traveljury.com>
To: apreq-dev@httpd.apache.org
Sent: Saturday, February 14, 2009 8:21:51 AM
Subject: Cookie parsing errors: conflicting information, expected token not present

> Hiya
>
> There has been some discussion about cookie parsing errors with libapreq2 on the modperl list, and Joe Schafer said:
>
> > What version of apreq was this? And did you report it to the apreq-dev@ mailing list?
>
> While I have previously reported the errors I see to the modperl list, I thought I'd send them here as well.
>
> This is in apache 2.2.4 with libapreq2-2.08, on linux x86_64.
>
> The code I use to parse the cookies is as follows:
>
>     my $req = APR::Request::Apache2->handle( $self->r );
>     my %cookies;
>     if ( $req->jar_status =~ /^(?:Missing input data|Success)$/ ) {
>         my $jar = $req->jar;
>         foreach my $key ( keys %$jar ) {
>             $cookies{$key} = $jar->get($key);
>         }
>     }
>     ## Send warning with headers to explain bad cookie
>     else {
>         warn( "COOKIE ERROR: " . $req->jar_status . "\n"
>               . Data::Dumper::Dumper( $self->r->headers_in() ) );
>     }
>
> The headers which get passed back to my users look like this:
>
>     Set-Cookie: SID=n4@@GcCoAzMAAF7rnv8C|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; path=/; domain=www..com
>     Set-Cookie: UID=n4@@GcCoAzMAAF7rnv8C|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; path=/; domain=www..com; expires=Sun, 14-Feb-2010 13:06:36 GMT
>
> We run various sites, all of which have Google Analytics plus usually some other form of click tracking and advertising, which set their own cookies.
>
> Below are examples of Cookie headers that caused libapreq to throw one of two errors:
>
> Conflicting information:
>
> 'UID=MTj9S8CoAzMAAFEq21YG|c85a9e59db92b261408eb7539ff7f949b92c7d58; $Version=0;SID=MTj9S8CoAzMAAFEq21YG|c85a9e59db92b261408eb7539ff7f949b92c7d58;$Domain=www..com;$Path=/'

Should be $Version=1, as there is no specification that describes $Version=0.

> 'UID=Gh9VxX8AAAIAAHP7h6AC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; SID=Gh9VxX8AAAIAAHP7h6AC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; $Version=1'

The $Version=1 string needs to precede the cookie, not follow it.

> 'UID=hCijN8CoAzMAAGVDO2QF|50299f079343fd6146257c105b1370f2da78246a; SID=hCijN8CoAzMAAGVDO2QF|50299f079343fd6146257c105b1370f2da78246a; $Path=/; $Domain=www..com'

Missing a $Version=1 token.

> Expected token not present:
>
> [...]

All of these have commas in them, which is disallowed by every cookie spec.

> I realise that the cookies themselves may not be compliant, either because of bad JS or buggy clients, but CGI.pm manages to parse all of the examples below, in the same way that browsers try to cope with dodgy HTML. It'd be nice if libapreq were a bit more DWIM.

apreq is written to be standards compliant, and although more DWIM might be nice, it shouldn't come at a cost of violating the specifications (IMO).
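The exchange above comes down to two parsing styles: a strict RFC 2109 reader that insists on a leading $Version=1 before any $Path/$Domain attribute and treats ',' as a field separator, and a lenient Netscape-style reader (the CGI.pm behaviour the poster prefers) that splits on ';' and ignores '$' attributes. The following is an added example, written for this page rather than taken from libapreq2, CGI.pm or the poster: it models both styles in Python so the three "Conflicting information" headers and a comma-bearing header can be classified offline. The rules and error texts are this example's own (only the two error class names come from the thread), and the sample headers are constructed with shortened values and a made-up domain. The practical point for a security engineer is the last two functions: where one component in a request path parses leniently and another strictly, the same header yields different cookie sets, so which SID a client "sent" depends on who is asking.

```python
"""Strict (RFC 2109-style) versus lenient (Netscape/CGI.pm-style) Cookie parsing.

Added example, not code from libapreq2, CGI.pm or the poster.  It models the
distinction the thread draws so that the headers in the report can be classified
offline; the rules are this example's own, not a transcription of apreq's parser.
"""
import re
from typing import Dict, List, Optional

# RFC 2068 tspecials: characters that may not appear in a token (a cookie NAME).
_TSPECIALS = frozenset('()<>@,;:\\"/[]?={} \t')


class CookieParseError(ValueError):
    """Strict-parser failure; messages reuse the two error classes named on the page."""


def _is_token(s: str) -> bool:
    return bool(s) and all(32 < ord(c) < 127 and c not in _TSPECIALS for c in s)


def _unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def _split(header: str, separators: str) -> List[str]:
    """Split into raw fragments on any of the separator characters, dropping blanks."""
    return [p.strip() for p in re.split("[" + re.escape(separators) + "]", header) if p.strip()]


def parse_strict(header: str) -> Dict[str, str]:
    """RFC 2109-style parser.

    A header with no '$' attributes is taken as Netscape-style and accepted.  Once a
    '$' attribute appears, the header must have started with $Version=1, and $Path or
    $Domain must follow a cookie.  RFC 2109 allows ';' or ',' between fields, so a
    comma inside an unquoted value splits that field in two.  Values themselves are
    not validated here.
    """
    cookies: Dict[str, str] = {}
    rfc2109 = seen_cookie = False
    for frag in _split(header, ";,"):
        if "=" not in frag:
            raise CookieParseError(f"Expected token not present: {frag!r} is not a NAME=VALUE pair")
        name, value = (s.strip() for s in frag.split("=", 1))
        if not _is_token(name):
            raise CookieParseError(f"Expected token not present: bad NAME {name!r}")
        if not name.startswith("$"):
            cookies[name] = _unquote(value)
            seen_cookie = True
        elif name.lower() == "$version":
            if value != "1":
                raise CookieParseError(f"Conflicting information: $Version={value} is not defined; only $Version=1 exists")
            if seen_cookie:
                raise CookieParseError("Conflicting information: $Version=1 must precede the first cookie")
            rfc2109 = True
        elif name.lower() in ("$path", "$domain"):
            if not rfc2109:
                raise CookieParseError(f"Conflicting information: {name} given without a leading $Version=1")
            if not seen_cookie:
                raise CookieParseError(f"Conflicting information: {name} must follow a cookie")
        else:
            raise CookieParseError(f"Conflicting information: unknown attribute {name}")
    return cookies


def parse_lenient(header: str) -> Dict[str, str]:
    """Netscape/CGI.pm-style: split on ';' only, split NAME=VALUE at the first '=',
    drop '$' attributes wherever they occur, ignore fragments with no '='."""
    cookies: Dict[str, str] = {}
    for frag in _split(header, ";"):
        if "=" not in frag:
            continue
        name, value = (s.strip() for s in frag.split("=", 1))
        if name and not name.startswith("$"):
            cookies.setdefault(name, _unquote(value))  # first occurrence wins
    return cookies


def strict_error(header: str) -> Optional[str]:
    """The strict parser's error message, or None when the header parses."""
    try:
        parse_strict(header)
        return None
    except CookieParseError as exc:
        return str(exc)


# Constructed headers shaped like the ones in the report (values shortened, domain made up).
SAMPLES = {
    "version0":     "UID=abc|123; $Version=0;SID=abc|123;$Domain=www.example.com;$Path=/",
    "late_version": "UID=abc|123; SID=abc|123; $Version=1",
    "no_version":   "UID=abc|123; SID=abc|123; $Path=/; $Domain=www.example.com",
    "comma":        "__utmz=1.2.3.utmcsr=google|utmctr=a,b; SID=abc|123",
    "netscape":     "UID=abc|123; SID=abc|123",
    "rfc2109":      '$Version=1; UID="abc|123"; $Path=/; SID=abc|123; $Domain=www.example.com',
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:13} strict:  {strict_error(hdr) or 'OK'}")
        print(f"{'':13} lenient: {parse_lenient(hdr)}")
```

Run as a script it prints, for each sample, the strict verdict beside the lenient result; the first three samples reproduce the three "Conflicting information" cases in the order the reply explains them, and the "comma" sample is rejected by the strict reader because the comma starts a new field, while the lenient reader keeps the whole Analytics-style value.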
Re: mod_vhost_dbd
Hi Jorge,

Something with the same name: http://code.google.com/p/dbd-modules/wiki/mod_vhost_dbd

<self-promotion>
I don't know if that's what you're after, but I've written something vaguely similar but more flexible: http://www.dmi.me.uk/code/apache/mod_sqltemplate/
</self-promotion>

Hope this helps!

Dave

Jorge Bastos wrote:
> Hi people,
> I just signed up, to report a typo. http://modules.apache.org/search.php?id=1753 the link is broken.
> I'd love to test this, I'm looking for it for some time.
> Is the maintainer out there?
> J Jorge
RE: mod_vhost_dbd
Hi Dave,

Thanks, I'm looking at your proj also.
What I am looking for is a completely independent module, so that I can create or delete any virtualhost just by inserting and removing records from the DB. The values can be apache configurations, or any other.
Yours can? I didn't get time to look at it.

-----Original Message-----
From: Dave Ingram [mailto:d...@dmi.me.uk]
Sent: Sunday, 15 February 2009 20:03
To: modules-dev@httpd.apache.org
Subject: Re: mod_vhost_dbd

[snip]
RE: mod_vhost_dbd
> Thanks -- it's always nice to be appreciated. Let me know if you hit any problems, as I don't have the resources to test it in lots of different situations.

I'll :)

> This is possible using mod_sqltemplate. Suppose in your database, you have a php_register_globals column, which is either On or Off. Then this will work:
>
>     <SQLRepeat blah sql to select virtualhosts...>
>     <VirtualHost *:80>
>         # ...
>         php_flag register_globals ${php_register_globals}
>         # ...
>     </VirtualHost>
>     </SQLRepeat>

>> When I say these values for php, it may happen that other ones appear.

> You can use a similar method for any directives. You can even have fully custom directives:
>
>     <SQLRepeat ...>
>     <VirtualHost *:80>
>         #...
>         ${custom}
>         #...
>     </VirtualHost>
>     </SQLRepeat>

So I think my problem is resolved! Resuming, I can have as many columns as I want in the hosts table, correct? If so, I can have the config I want!!! That's fantastic, I've been looking for something like this for some years!

> You can tell Apache to perform a config reload (e.g. via apache2ctl graceful), which will force the configuration to be re-read from the database.

Hum, but this only via command line, correct?

Another thing, apache reads this when it loads and keeps this info in memory, correct?

The existing virtualhosts that I have, I can leave intact, and start using the new virtualhosts with this configuration, correct?
Re: mod_vhost_dbd
Jorge Bastos wrote:
>> This is possible using mod_sqltemplate. Suppose in your database, you have a php_register_globals column, which is either On or Off. Then this will work:
>> [snip]
> So I think my problem is resolved! Resuming, I can have as many columns as I want in the hosts table, correct? If so, I can have the config I want!!! That's fantastic, I've been looking for something like this for some years!

Yup. I place no restrictions at all. It doesn't even have to be a single table -- it can be the result of a multi-table join, as long as all of the columns have different names. They can be renamed using AS, like

    SELECT a.id, a.name, h.name AS hname FROM table1 a, table2 h

for example, which would then be accessed as ${id}, ${name}, ${hname}. Take a quick glance at the sample configuration http://www.dmi.me.uk/code/apache/mod_sqltemplate/99_mod_sqltemplate.conf from the mod_sqltemplate site.

>> You can tell Apache to perform a config reload (e.g. via apache2ctl graceful), which will force the configuration to be re-read from the database.
> Hum, but this only via command line, correct?

It can be from anything that can send Apache a signal (USR1 causes a graceful restart) as well. Running apache2ctl can be done from anything that has the right permissions to signal Apache. As an incidental note, I'm planning on writing a PHP patch that allows you to force Apache to do a graceful restart, but I haven't had the time to think about the best way to do this yet.

> Another thing, apache reads this when it loads and keeps this info in memory, correct?

That's correct.

> The existing virtualhosts that I have, I can leave intact, and start using the new virtualhosts with this configuration, correct?

You can leave your existing configuration files and create a completely new one that handles all of your new virtualhosts.

Dave
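The two messages above describe the mechanism: a query (possibly a multi-table join, with AS used to keep result column names unique) is run once, and a <VirtualHost> template with ${column} placeholders is expanded once per row, including a column such as ${custom} that carries whole directives. What follows is an added example, written for this page and not code from mod_sqltemplate or mod_vhost_dbd: it models that expansion in Python with an in-memory SQLite database of constructed rows and string.Template, whose ${name} syntax matches the placeholders quoted in the thread. The duplicate-column check and the check that ordinary data columns contain no line breaks or angle brackets are this example's own additions, not features the module is said to have. They make the trust boundary explicit: whoever can write to the vhost table writes the running httpd configuration at the next graceful restart, which is exactly the intent for ${custom} and a reason to keep the other columns from behaving the same way by accident.

```python
"""Model of SQL-driven vhost templating, as discussed for mod_sqltemplate.

Added example; not code from mod_sqltemplate or mod_vhost_dbd.  It uses an
in-memory SQLite database (constructed data) and string.Template, whose
${name} placeholder syntax matches the one quoted in the thread, to show how
a multi-table join with AS aliases becomes one <VirtualHost> block per row.
The duplicate-column check and the value check are this example's own.
"""
import sqlite3
import string
from typing import Dict, List

# Template in the shape quoted in the thread.  In the real module the SQL is the
# argument of the <SQLRepeat ...> container; here it is passed separately.
VHOST_TEMPLATE = string.Template("""<VirtualHost *:80>
    ServerName ${hname}
    DocumentRoot /srv/www/${name}
    php_flag register_globals ${php_register_globals}
    ${custom}
</VirtualHost>""")

# A value spanning lines, or containing '<' / '>', can add directives or open and
# close containers of its own once substituted.  That is the purpose of a column
# like ${custom}; for every other column this example treats it as a data error.
_MULTILINE_OR_MARKUP = ("\n", "\r", "<", ">")


class TemplateError(ValueError):
    pass


def fetch_rows(conn: sqlite3.Connection, sql: str) -> List[Dict[str, str]]:
    """Run the vhost query and return one dict per row, keyed by result column name.

    Column names must be unique, as the thread notes: a join returning two columns
    called 'name' would leave one of them unreachable as ${name}.
    """
    cur = conn.execute(sql)
    names = [d[0] for d in cur.description]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:
        raise TemplateError(f"duplicate result columns (use AS to rename): {sorted(dupes)}")
    return [dict(zip(names, (str(v) for v in row))) for row in cur.fetchall()]


def render_vhosts(rows: List[Dict[str, str]], trusted_columns=("custom",)) -> str:
    """Expand the template once per row.  A missing column is a hard error
    (string.Template.substitute raises KeyError); data columns must be
    single-line, markup-free values."""
    blocks = []
    for row in rows:
        for col, val in row.items():
            if col not in trusted_columns and any(c in val for c in _MULTILINE_OR_MARKUP):
                raise TemplateError(f"column {col!r} contains config markup: {val!r}")
        blocks.append(VHOST_TEMPLATE.substitute(row))
    return "\n\n".join(blocks)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one table of sites, one of hostnames."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sites(id INTEGER PRIMARY KEY, name TEXT, php_register_globals TEXT, custom TEXT);
        CREATE TABLE hosts(site_id INTEGER, name TEXT);
        INSERT INTO sites VALUES (1, 'shop', 'Off', 'Options -Indexes');
        INSERT INTO sites VALUES (2, 'blog', 'On',  '');
        INSERT INTO hosts VALUES (1, 'shop.example.com');
        INSERT INTO hosts VALUES (2, 'blog.example.com');
    """)
    return conn


# The join from the thread: both tables have a 'name' column, so the second is aliased.
VHOST_SQL = ("SELECT a.id, a.name, a.php_register_globals, a.custom, h.name AS hname "
             "FROM sites a JOIN hosts h ON h.site_id = a.id ORDER BY a.id")
# Same join without the alias: two result columns called 'name', which fetch_rows rejects.
UNALIASED_SQL = "SELECT a.id, a.name, h.name FROM sites a JOIN hosts h ON h.site_id = a.id"


def demo() -> str:
    return render_vhosts(fetch_rows(build_demo_db(), VHOST_SQL))


if __name__ == "__main__":
    print(demo())
```

Running the script prints two expanded <VirtualHost> blocks. Swapping VHOST_SQL for UNALIASED_SQL reproduces the "columns must have different names" constraint as an error instead of a silently lost column, and feeding a hostname value that contains a newline is refused before it can become an extra directive.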
Re: mod_vhost_dbd
Jorge Bastos wrote:
> Dave,
> You could have an Install.txt file to explain how to compile. I'm not very familiar with apxs2 :)
> Can you post here?

Erm. I think all you need to use is:

    apxs2 -i -c mod_sqltemplate.c

as root, to compile and install in one step. Don't forget to add the LoadModule line!

Dave
RE: mod_vhost_dbd
> Erm. I think all you need to use is:
>
>     apxs2 -i -c mod_sqltemplate.c
>
> as root, to compile and install in one step. Don't forget to add the LoadModule line!

I won't!
Sorry about apxs.
I'm just curious, shouldn't libmysql be linked against the .so module?
Re: mod_vhost_dbd
Jorge Bastos wrote:
> Sorry about apxs.

That's fine -- everyone has to learn somewhere.

> I'm just curious, shouldn't libmysql be linked against the .so module?

Nope - it uses the built-in APR DBD in Apache, which already links against MySQL.

Dave
RE: mod_vhost_dbd
>> I'm just curious, shouldn't libmysql be linked against the .so module?
> Nope - it uses the built-in APR DBD in Apache, which already links against MySQL.

Oh right. Stupid question, and I saw it in the apr_dbd source, I'm sleepy :|
I do use mod_dbd for http auth, stupid question :P
Ok, going to test this and let you know the success/something not right with it.
Thanks a lot Dave.
Jorge
Re: Optimize behaviour of reverse and forward worker
On 02/14/2009 10:46 PM, Rainer Jung wrote:
> On 14.02.2009 15:09, Ruediger Pluem wrote:
>> Currently we set is_address_reusable to 0 for the reverse and forward worker. Is this really needed? IMHO we could reuse the connection if it goes to the same target (we already check this).
>
> By check you mean the code in ap_proxy_determine_connection()?

Yes.

> The check there seems only to happen in the case where the client reuses a keepalive connection.
>
> I have the feeling that disablereuse and is_address_reusable are used almost in the same way at the moment, except for mod_proxy_ftp.

IMHO disablereuse is a configurable option whereas is_address_reusable is an internal flag set / unset by the code in various situations.

> Both attributes are always checked together, so both imply the same behaviour.
>
> What's the expected case where you can actually reuse the backend connection? A client using HTTP Keep-Alive and a backend connection

Especially I have the case in mind where HTTPD acts as a forward proxy in a proxy chain and forwards all requests to the next proxy in the chain. IMHO it is a pity that each request creates a new connection to this proxy.

> that's not too busy, so that consecutive client requests to the same backend can be sent via the same backend connection? Could that be generalized to concurrent client connections C1, C2, ... mapping to different backend connections B1, B2, ..., each of them reused for the same client connection as long as it lasts (C1 -> B1, C2 -> B2, ...)?
>
>> If so, we would also need to find a good default pool configuration for the reverse and forward worker. IMHO there is no size that fits all, so I would like to make this configurable by defining special worker names like _forward_ and _reverse_ which can be configured via ProxySet _forward_ ... / ProxySet _reverse_ ...
>
> There's also a use case where proxy requests are defined via RewriteRule. In case the host in the rewrite rule is a constant string, we would benefit from initializing a real worker, not using the default workers.

As said, this can be done today by

    <Proxy [common prefix of rewriterule]>
        ProxySet
    </Proxy>

Regards

Rüdiger
Bug report for Apache httpd-1.3 [2009/02/15]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore|
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy|
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged|
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body|
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file|
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy|
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe|
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections|
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings|
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set|
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout|
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie|
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string|
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed|
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600|
|43626|New|Maj|2007-10-15|r->path_info returning invalid value|
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
|44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs|