Re: Cookie parsing errors: conflicting information, expected token not present

2009-02-15 Thread Joe Schaefer
- Original Message 

 From: Clinton Gormley cl...@traveljury.com
 To: apreq-dev@httpd.apache.org
 Sent: Saturday, February 14, 2009 8:21:51 AM
 Subject: Cookie parsing errors: conflicting information, expected token not present
 
 Hiya
 
 There has been some discussion about cookie parsing errors with
 libapreq2 on the modperl list, and Joe Schaefer said:
 
 What version of apreq was this?  And did you report it to the 
 apreq-dev@ mailing list?
 
 While I have previously reported the errors I see to the modperl list, I
 thought I'd send them here as well.
 
 This is in apache 2.2.4 with libapreq2-2.08, on linux x86_64.
 
 The code I use to parse the cookies is as follows:
 
 
 my $req = APR::Request::Apache2->handle( $self->r );
 my %cookies;
 if ( $req->jar_status =~ /^(?:Missing input data|Success)$/ ) {
 my $jar = $req->jar;
 foreach my $key ( keys %$jar ) {
 $cookies{$key} = $jar->get($key);
 }
 }
 
 ## Send warning with headers to explain bad cookie
 else {
 warn( "COOKIE ERROR: "
   . $req->jar_status . "\n"
   . Data::Dumper::Dumper( $self->r->headers_in() ) );
 }
 
 
 
 The headers which get passed back to my users look like this:
 
 Set-Cookie: 
 SID=n4@@GcCoAzMAAF7rnv8C|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; 
 path=/; 
 domain=www..com
 Set-Cookie: 
 UID=n4@@GcCoAzMAAF7rnv8C|d2cb80bdcfcb60a436f99d643349f3fe14e144ec; 
 path=/; 
 domain=www..com; expires=Sun, 14-Feb-2010 13:06:36 GMT
 
 We run various sites, all of which have Google Analytics plus usually
 some other form of click tracking and advertising, which set their own
 cookies.
 
 Below are examples of Cookie headers that caused libapreq to throw one
 of two errors:
 
 Conflicting information:
 
 
 'UID=MTj9S8CoAzMAAFEq21YG|c85a9e59db92b261408eb7539ff7f949b92c7d58; 
 $Version=0;SID=MTj9S8CoAzMAAFEq21YG|c85a9e59db92b261408eb7539ff7f949b92c7d58;$Domain=www..com;$Path=/'

Should be $Version=1, as there is no specification that describes $Version=0.

 'UID=Gh9VxX8AAAIAAHP7h6AC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; 
 SID=Gh9VxX8AAAIAAHP7h6AC|2e809a9cc99c2dca778c385ebdefc5cb86c95dc3; 
 $Version=1'

The $Version=1 string needs to precede the cookie, not follow it.

 'UID=hCijN8CoAzMAAGVDO2QF|50299f079343fd6146257c105b1370f2da78246a; 
 SID=hCijN8CoAzMAAGVDO2QF|50299f079343fd6146257c105b1370f2da78246a; 
 $Path=/; $Domain=www..com'

Missing a $Version=1 token.

 Expected token not present:

[...]

All of these have commas in them, which is disallowed by every cookie spec.

 I realise that the cookies themselves may not be compliant, either
 because of bad JS or buggy clients, but CGI.pm manages to parse all of
 the examples below, in the same way that browsers try to cope with dodgy
 HTML. It'd be nice if libapreq were a bit more DWIM.

apreq is written to be standards compliant, and although more DWIM might be
nice, it shouldn't come at a cost of violating the specifications (IMO).
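An added illustration, not part of the thread and not apreq's own code, of the three rejection reasons Joe gives above (a $Version other than 1, $Version placed after the cookies, and RFC 2109 attributes with no $Version at all) plus the comma rule: a small strict checker that reports why a Cookie header would be refused, which is the behaviour a "DWIM" parser would silently paper over. The sample headers, the www.example.com domain and the accepted attribute set ($Path, $Domain, $Port) are assumptions made here; a header with no $-attributes at all is treated as an old Netscape-style cookie and accepted.

```python
import re

# Cookie names: no control chars, whitespace or the delimiters ; , = " (assumed grammar).
NAME_RE = re.compile(r'^[^\x00-\x20\x7f;,="]+$')
# Attributes RFC 2109/2965 allow beside a cookie (assumption: $Port from RFC 2965 included).
KNOWN_ATTRS = {"path", "domain", "port"}


def split_pairs(header):
    """Split a Cookie header on ';' into (name, value) pairs, leaving quoted values intact."""
    pairs, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            pairs.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf).strip())
    out = []
    for p in pairs:
        if not p:
            continue
        name, sep, value = p.partition("=")
        out.append((name.strip(), value.strip() if sep else None))
    return out


def check_cookie_header(header):
    """Return the list of reasons a strict RFC 2109 parser would reject the header ([] = accepted)."""
    problems = []
    pairs = split_pairs(header)
    has_attrs = any(n.startswith("$") for n, _ in pairs)
    for i, (name, value) in enumerate(pairs):
        if value is None:
            problems.append(f"'{name}' has no '=' separator")
            continue
        if name.startswith("$"):
            attr = name[1:].lower()
            if attr == "version":
                if i != 0:
                    problems.append("$Version must precede the first cookie")
                if value.strip('"') != "1":
                    problems.append(f"$Version={value} is not a defined version (only 1 is)")
            elif attr not in KNOWN_ATTRS:
                problems.append(f"unknown attribute {name}")
            continue
        # Ordinary NAME=VALUE cookie.
        if not NAME_RE.match(name):
            problems.append(f"cookie name {name!r} is not a token")
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            continue  # quoted-string values may legitimately contain separators
        if "," in value:
            problems.append(f"cookie {name} has a comma in its unquoted value")
    if has_attrs and not any(n.lower() == "$version" for n, _ in pairs):
        problems.append("RFC 2109 attributes present but no $Version=1 token")
    return problems


# Constructed sample headers mirroring the shapes reported in the thread.
SAMPLES = [
    "UID=abc; $Version=0;SID=def;$Domain=www.example.com;$Path=/",
    "UID=abc; SID=def; $Version=1",
    "UID=abc; SID=def; $Path=/; $Domain=www.example.com",
    "a=1,2; b=3",
    "$Version=1; UID=abc|123; $Path=/; SID=def",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(repr(h), "->", check_cookie_header(h) or "accepted")
```

Running the block prints each sample with its rejection reasons; the last one is the only fully compliant form, which is the order and version token apreq expects.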





Re: mod_vhost_dbd

2009-02-15 Thread Dave Ingram
Hi Jorge,

Something with the same name:

http://code.google.com/p/dbd-modules/wiki/mod_vhost_dbd

<self-promotion>
I don't know if that's what you're after, but I've written something
vaguely similar but more flexible:

http://www.dmi.me.uk/code/apache/mod_sqltemplate/
</self-promotion>

Hope this helps!


Dave


Jorge Bastos wrote:
 Hi people,

 I just signed up, to report a typo.

  

 http://modules.apache.org/search.php?id=1753

  

 the link is broken.

 I'd love to test this, I'm looking for it for some time.

 Is the maintainer out there? J

  

 Jorge


   



RE: mod_vhost_dbd

2009-02-15 Thread Jorge Bastos
Hi dave,
Thanks,

I'm looking at your proj also.

What I am looking for is a completely independent module, so that I can create
or remove any virtualhost just by inserting and removing records from the DB.
The values can be Apache configuration directives, or anything else.
Can yours? I didn't get time to look at it.




 -Original Message-
 From: Dave Ingram [mailto:d...@dmi.me.uk]
 Sent: domingo, 15 de Fevereiro de 2009 20:03
 To: modules-dev@httpd.apache.org
 Subject: Re: mod_vhost_dbd
 
 Hi Jorge,
 
 Something with the same name:
 
 http://code.google.com/p/dbd-modules/wiki/mod_vhost_dbd
 
 <self-promotion>
 I don't know if that's what you're after, but I've written something
 vaguely similar but more flexible:
 
 http://www.dmi.me.uk/code/apache/mod_sqltemplate/
 </self-promotion>
 
 Hope this helps!
 
 
 Dave
 
 
 Jorge Bastos wrote:
  Hi people,
 
  I just signed up, to report a typo.
 
 
 
  http://modules.apache.org/search.php?id=1753
 
 
 
  the link is broken.
 
  I'd love to test this, I'm looking for it for some time.
 
  Is the maintainer out there? J
 
 
 
  Jorge
 
 
 




RE: mod_vhost_dbd

2009-02-15 Thread Jorge Bastos
 Thanks -- it's always nice to be appreciated. Let me know if you hit
 any
 problems, as I don't have the resources to test it in lots of different
 situations.

I'll :)

 This is possible using mod_sqltemplate. Suppose in your database, you
 have a php_register_globals column, which is either On or Off.
 Then this will work:
 
 <SQLRepeat "blah sql to select virtualhosts...">
 <VirtualHost *:80>
 # ...
 php_flag register_globals ${php_register_globals}
 # ...
 </VirtualHost>
 </SQLRepeat>
 
  When I say these values for PHP, it may happen that other ones appear.
 
 You can use a similar method for any directives. You can even have
 fully
 custom directives:
 
 <SQLRepeat ...>
 <VirtualHost *:80>
 #...
 ${custom}
 #...
 </VirtualHost>
 </SQLRepeat>

So I think my problem is resolved!
Summing up, I can have as many columns as I want in the hosts table, correct? If
so, I can have the config I want!!! That's fantastic, I've been looking for
something like this for some years!

 You can tell Apache to perform a config reload (e.g. via apache2ctl
 graceful), which will force the configuration to be re-read from the
 database.

Hum, but this is only via the command line, correct?



Another thing: Apache reads this when it loads and keeps this info in
memory, correct?
The existing virtualhosts that I have, I can leave those intact and start
using the new virtualhosts with this configuration, correct?



Re: mod_vhost_dbd

2009-02-15 Thread Dave Ingram
Jorge Bastos wrote:
 This is possible using mod_sqltemplate. Suppose in your database, you
 have a php_register_globals column, which is either On or Off.
 Then this will work:

 [snip]

 So I think my problem is resolved!
 Resuming, I can have as many columns I want in the hosts table, correct? If
 so, I can have the config I want!!! That's fantastic, I've been looking for
 something like this for some years!
   
Yup. I place no restrictions at all. It doesn't even have to be a single
table -- it can be the result of a multi-table join, as long as all of
the columns have different names. They can be renamed using AS, like
SELECT a.id, a.name, h.name AS hname FROM table1 a, table2 h for
example, which would then be accessed as ${id}, ${name}, ${hname}. Take
a quick glance at the sample configuration
http://www.dmi.me.uk/code/apache/mod_sqltemplate/99_mod_sqltemplate.conf
from the mod_sqltemplate site.

 You can tell Apache to perform a config reload (e.g. via apache2ctl
 graceful), which will force the configuration to be re-read from the
 database.
 

 Hum but this only via commandline correct?
   
It can be from anything that can send Apache a signal (USR1 causes a
graceful restart) as well. Running apache2ctl can be done from anything
that has the right permissions to signal Apache.

As an incidental note, I'm planning on writing a PHP patch that allows
you to force Apache to do a graceful restart, but I haven't had the time
to think about the best way to do this yet.

 Another thing: Apache reads this when it loads and keeps this info in
 memory, correct?
   
That's correct.

 The existing virtualhosts that I have, I can leave those intact and start
 using the new virtualhosts with this configuration, correct?
   
You can leave your existing configuration files and create a completely
new one that handles all of your new virtualhosts.


Dave


Re: mod_vhost_dbd

2009-02-15 Thread Dave Ingram
Jorge Bastos wrote:
 Dave,
 You could have a Install.txt file to explain how to compile.
 I'm not very familiar with apxs2 :)

 Can you post here?
   

Erm. I think all you need to use is:

apxs2 -i -c mod_sqltemplate.c

as root, to compile and install in one step. Don't forget to add the
LoadModule line!


Dave


RE: mod_vhost_dbd

2009-02-15 Thread Jorge Bastos
 
 Erm. I think all you need to use is:
 
 apxs2 -i -c mod_sqltemplate.c
 
 as root, to compile and install in one step. Don't forget to add the
 LoadModule line!

I won't!

Sorry about apxs.
I'm just curious, shouldn't libmysql be linked against the .so module?



Re: mod_vhost_dbd

2009-02-15 Thread Dave Ingram
Jorge Bastos wrote:
 Sorry about apxs.
   
That's fine -- everyone has to learn somewhere.

 I'm just curious, shouldn't libmysql be linked against the .so module
Nope - it uses the built-in APR DBD in Apache, which already links
against MySQL.


Dave


RE: mod_vhost_dbd

2009-02-15 Thread Jorge Bastos
  I'm just curious, shouldn't libmysql be linked against the .so module
 Nope - it uses the built-in APR DBD in Apache, which already links
 against MySQL.
 

Oh right. Stupid question, and I saw it on the source the apr_dbd, I'm
sleepy :|
I do use mod_dbd for http auth, stupid question :P

Ok going to test this and let you know the success/something not right with
it.
Thanks a lot Dave.

Jorge



Re: Optimize behaviour of reverse and forward worker

2009-02-15 Thread Ruediger Pluem


On 02/14/2009 10:46 PM, Rainer Jung wrote:
 On 14.02.2009 15:09, Ruediger Pluem wrote:
 Currently we set is_address_reusable to 0 for the reverse and forward
 worker. Is this really needed?
 IMHO we could reuse the connection if it goes to the same target
 (we already check this).
 
 By check you mean the code in ap_proxy_determine_connection()?

Yes.

 The check there seems only to happen in the case where the client reuses
 a keepalive connection.
 
 I have the feeling, that disablereuse and is_address_reusable are used
 almost in the same way at the moment, except for mod_proxy_ftp.

IMHO disablereuse is a configurable option whereas is_address_reusable is
an internal flag set / unset by the code in various situations.

 
 Both attributes are always checked together, so both imply the same
 behaviour.
 
 What's the expected case where you can actually reuse the backend
 connection? A client using HTTP Keep-Alive and a backend connection

Especially I have the case in mind where HTTPD acts as a forward proxy
in a proxy chain and forwards all requests to the next proxy in the
chain. IMHO it is a pity that each request creates a new connection
to this proxy.

 that's not too busy, so that consecutive client requests to the same
 backend can be sent via the same backend connection?
 
 Could that be generalized to concurrent client connections C1, C2, ...
 mapping to different backend connections B1, B2, ..., each of them
 reused for the same client connection as long as it lasts (C1 -> B1,
 C2 -> B2, ...)? If so, we would also need to find good default pool
 configuration for the reverse and forward worker.

IMHO there is no size that fits all, so I would like to make this configurable
by defining special worker names like _forward_ and _reverse_ which can
be configured via

ProxySet _forward_ .
ProxySet _reverse_ .

 
 There's also a use case, where proxy requests are defined via
 RewriteRule. In case the host in the rewrite rule is a constant string,
 we would benefit from initializing a real worker, not using the default
 workers.

As said, this can be done today by

<Proxy [common prefix of rewriterule]>
  ProxySet 
</Proxy>

Regards

Rüdiger



Bug report for Apache httpd-1.3 [2009/02/15]

2009-02-15 Thread bugzilla
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore   |
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy |
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged  |
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body   |
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file |
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy |
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe   |
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections |
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings   |
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set |
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout   |
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging  vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie |
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string   |
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed   |
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600 |
|43626|New|Maj|2007-10-15|r-path_info returning invalid value  |
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
|44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs   |