The problem that this patch solves is one where cookie names are mis-identified
by mod_usertrack. This is because of the use of strstr() in spot_cookie() the original mod_usertrack.c to find the name of the cookie. strstr(), by virtue of looking for a substring instead of an exact match, can mis-identify the cookie "MyID" as the cookie "ID" or "My". So, if you were looking for the value of the cookie "ID", but only the cookie "MyID" was returned by the browser, mod_usertrack.c would return the value of the "MyID" cookie in place of the "ID" you were looking for. Even more seriously, because strstr is invoked before the cookie name is separated from its cookie value, a cookie and value like "myCookie=thisisnotIDeal" will be a false positive if you told mod_usertrack the cookie name was ID. Furthermore, using this example, "eal" will get logged as the value of the cookie; now that strstr has incorrectly identified the substring "ID" as the cookie name, the following "e" (assumed to be the "=" sign) gets discarded, and the remaining content used as the value of the cookie. Replacing the strstr() with a more robust regex match fixes this problem. PR: 16661 Submitted by: Manni Wood <manniwood@planet-save.com> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101306 13f79535-47bb-0310-9956-ffa450edef68
parent
6b8ff0e1
Please register or sign in to comment