[Bug 63434] New: Multiple Cookie headers combined to one header line

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63434

            Bug ID: 63434
           Summary: Multiple Cookie headers combined to one header line
           Product: Apache httpd-2
           Version: 2.4.39
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

RFC 6265, 5.4. The Cookie Header says

"When the user agent generates an HTTP request, the user agent MUST NOT attach
more than one Cookie header field."

However, httpd combines multiple Cookie headers into one header line; e.g.

Cookie: foo1=bar1
Cookie: foo2=bar2
Cookie: foo3=bar3

becomes "Cookie: foo1=bar1, foo2=bar2, foo3=bar3" (which in turn violates
syntax definition in RFC 6265, 4.2.1. Syntax).

The call of apr_table_compress() in
server/protocol.c:ap_get_mime_headers_core() leads to this misbehaviour

https://github.com/apache/httpd/blob/trunk/server/protocol.c#L1274

Cheers, Armin

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 63434] Multiple Cookie headers combined to one comma-separated header line

Armin Abfalterer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Multiple Cookie headers     |Multiple Cookie headers
                   |combined to one header line |combined to one
                   |                            |comma-separated header line

--- Comment #1 from Yann Ylavic <[hidden email]> ---
(In reply to Armin Abfalterer from comment #0)
> RFC 6265, 5.4. The Cookie Header says
>
> "When the user agent generates an HTTP request, the user agent MUST NOT
> attach more than one Cookie header field."

This says "there must not be multiple Cookie headers" (thus "multiple cookies
must be in the same header"), which you translate as "there must not be
multiple cookies in the same header"?

It seems to me that apr_table_compress() does the right thing, including for
Cookie headers..

--- Comment #2 from Armin Abfalterer <[hidden email]> ---
(In reply to Yann Ylavic from comment #1)

> This says "there must not be multiple Cookie headers" (thus "multiple
> cookies must be in the same header"), which you translate as "there must not
> be multiple cookies in the same header"?

No, multiple cookies are fine in the same header... but separated by semicolon,
not comma.

--- Comment #3 from Yann Ylavic <[hidden email]> ---
So, since comma in a header is equivalent to multiple headers, do you propose
that httpd rejects (with status 4xx) any request with either multiple Cookie
headers or a single one containing comma(s)?

Because turning multiple Cookie headers into a single one with semicolon(s) is
not the same HTTP request (while the comma preserves semantics), the only
possible action would be to reject.

Also, it seems to me that Cookie is an application thingy, not an HTTP one, so
why would httpd reject it if the HTTP header is valid?
With comma separated cookies, the application can detect and reject, not if
httpd changes the semantics..

--- Comment #4 from Armin Abfalterer <[hidden email]> ---
(In reply to Yann Ylavic from comment #3)
> So, since comma in a header is equivalent to multiple headers, do you
> propose that httpd rejects (with status 4xx) any request with either
> multiple Cookie headers or a single one containing comma(s)?
>
> Because turning multiple Cookie headers into a single one with semicolon(s)
> is not the same HTTP request (while the comma preserves semantics), the only
> possible action would be to reject.

I'd propose either to reject a request with multiple Cookie headers or to turn
multiple Cookie headers into one where each cookie-pair is separated by
semicolon.

In any case I'd propose to reject a request with comma separated cookie-pairs
in a Cookie header.

> Also, it seems to me that Cookie is an application thingy, not an HTTP one,
> so why would httpd reject it if the HTTP header is valid?
> With comma separated cookies, the application can detect and reject, not if
> httpd changes the semantics..

In my opinion separated cookie pairs are an HTTP protocol violation, so httpd
should not allow this at all; e.g. such a request should not hit backend servers
when mod_proxy is in use.

--- Comment #5 from Armin Abfalterer <[hidden email]> ---
Created attachment 36600
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36600&action=edit
patch that turns multiple Cookie headers into single header
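The two merge results debated in this thread, checked against the strict cookie-string grammar of RFC 6265, 4.2.1. This is an example added to this page, not attachment 36600 and not httpd or APR code; `cookie_string_is_valid` and `join_values` are hypothetical names, and the check is the strict grammar only, with no lenient parsing.

```c
#include <stdio.h>
#include <string.h>

/* cookie-octet (RFC 6265, 4.1.1): visible ASCII minus DQUOTE , ; and backslash */
static int is_cookie_octet(unsigned char c) {
    return c > 0x20 && c < 0x7f && !strchr("\",;\\", c);
}
/* token character used by cookie-name: visible ASCII minus separators */
static int is_token_char(unsigned char c) {
    return c > 0x20 && c < 0x7f && !strchr("()<>@,;:\\\"/[]?={}", c);
}

/* 1 if s matches cookie-string = cookie-pair *( ";" SP cookie-pair ), else 0 */
int cookie_string_is_valid(const char *s) {
    for (;;) {
        const char *name = s;
        while (is_token_char((unsigned char)*s)) s++;     /* cookie-name */
        if (s == name || *s++ != '=') return 0;
        int quoted = (*s == '"');
        if (quoted) s++;
        while (is_cookie_octet((unsigned char)*s)) s++;   /* cookie-value */
        if (quoted && *s++ != '"') return 0;
        if (*s == '\0') return 1;                         /* end of header value */
        if (s[0] != ';' || s[1] != ' ') return 0;         /* a comma fails here */
        s += 2;
    }
}

/* Join n field values with sep into out; returns length, or -1 if out is too small */
int join_values(const char *const *vals, size_t n, const char *sep,
                char *out, size_t cap) {
    size_t used = 0, seplen = strlen(sep);
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vals[i]), add = len + (i ? seplen : 0);
        if (add >= cap - used) return -1;                 /* keep room for the NUL */
        if (i) { memcpy(out + used, sep, seplen); used += seplen; }
        memcpy(out + used, vals[i], len + 1);
        used += len;
    }
    return (int)used;
}

int main(void) {
    const char *vals[] = { "foo1=bar1", "foo2=bar2", "foo3=bar3" }; /* from the report */
    char merged[128];
    join_values(vals, 3, ", ", merged, sizeof merged);    /* generic list merge */
    printf("%-34s valid=%d\n", merged, cookie_string_is_valid(merged));
    join_values(vals, 3, "; ", merged, sizeof merged);    /* proposal in comment #4 */
    printf("%-34s valid=%d\n", merged, cookie_string_is_valid(merged));
    return 0;
}
```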