github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixed: detect comma plus white space as a cookie separator

Browse Source
This commit is contained in:
Breno Silva
2013-01-05 09:48:49 -04:00
parent 48030ca057
commit 80146b2c74
1 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
apache2/modsecurity.c
View File

@@ -403,11 +403,26 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
if (strcasecmp(te[i].key, "Cookie") == 0) { if (strcasecmp(te[i].key, "Cookie") == 0) {
if (msr->txcfg->cookie_format == COOKIES_V0) { if (msr->txcfg->cookie_format == COOKIES_V0) {
_cookies = apr_pstrdup(msr->mp, te[i].val); _cookies = apr_pstrdup(msr->mp, te[i].val);
while((*_cookies != 0)&&(*_cookies != ',')&&(*_cookies != ';')) _cookies++; while((*_cookies != 0)&&(*_cookies != ';')) _cookies++;
if(*_cookies == ',') if(*_cookies == ';') {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ",");
else
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";"); parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
} else {
_cookies = apr_pstrdup(msr->mp, te[i].val);
while((*_cookies != 0)&&(*_cookies != ',')) _cookies++;
if(*_cookies == ',') {
_cookies++;
if(*_cookies == 0x20) {// looks like comma is the separator
if (msr->txcfg->debuglog_level >= 5) {
msr_log(msr, 5, "Cookie v0 parser: Using comma as a separator. Semi-colon was not identified!");
}
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ",");
} else {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
}
} else {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
}
}
} else { } else {
parse_cookies_v1(msr, te[i].val, msr->request_cookies); parse_cookies_v1(msr, te[i].val, msr->request_cookies);
} }