mod_session: Always decode session attributes early. (34f58ae2) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

CHANGES

+2 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,8 @@ Changes with Apache 2.4.38
		and we should just set the value for the environment variable
		like in the pattern case. [Ruediger Pluem]

		*) mod_session: Always decode session attributes early. [Hank Ibell]

		*) core: Incorrect values for environment variables are substituted when
		multiple environment variables are specified in a directive. [Hank Ibell]

+0 −5

Original line number	Diff line number	Diff line
		@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS:
		PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
		[ start all new proposals below, under PATCHES PROPOSED. ]

		*) mod_session: Always decode session attributes early.
		trunk patch: http://svn.apache.org/r1850947
		2.4.x patch: svn merge -c 1850947 ^/httpd/httpd/trunk .
		+1: hwibell, covener, wrowe

		*) mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read)
		Clear retry flags before aborting on client-initiated reneg. [Joe Orton]
		PR: 63052

+14 −11

Original line number	Diff line number	Diff line
		@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)

		/* found a session that hasn't expired? */
		now = apr_time_now();

		if (zz) {
		if (zz->expiry && zz->expiry < now) {
		zz = NULL;
		}
		else {
		/* load the session attibutes */
		rv = ap_run_session_decode(r, zz);

		/* having a session we cannot decode is just as good as having
		none at all */
		rv = ap_run_session_decode(r, zz);
		if (OK != rv) {
		ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
		"error while decoding the session, "
		"session not loaded: %s", r->uri);
		zz = NULL;
		}

		/* invalidate session if session is expired */
		if (zz && zz->expiry && zz->expiry < now) {
		zz = NULL;
		}
		}