[JBoss JIRA] (MODCLUSTER-285) get_path_param in mod_proxy_cluster doesn't expect ';' as separator
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-285?page=com.atlassian.jira.pl... ]
Radoslav Husar updated MODCLUSTER-285:
--------------------------------------
Status: Pull Request Sent (was: Coding In Progress)
Git Pull Request: https://github.com/modcluster/mod_cluster/pull/153
> get_path_param in mod_proxy_cluster doesn't expect ';' as separator
> -------------------------------------------------------------------
>
> Key: MODCLUSTER-285
> URL: https://issues.jboss.org/browse/MODCLUSTER-285
> Project: mod_cluster
> Issue Type: Bug
> Components: Native (httpd modules)
> Affects Versions: 1.1.3.Final, 1.2.0.Final
> Reporter: Stefano Nichele
> Assignee: Radoslav Husar
> Fix For: 1.3.2.Alpha1
>
>
> Current version of get_path_param doesn't expect ';' as path parameters separator so these URLs are not correctly handled:
> /test.jsp;jsessionid=123123.NODE01;name=vale
> See for instance the mod_proxy_balancer implementation (in httpd 2.2.21):
> {code}
> /* Retrieve the parameter with the given name
>  * Something like 'JSESSIONID=12345...N'
>  */
> static char *get_path_param(apr_pool_t *pool, char *url,
>                             const char *name, int scolon_sep)
> {
>     char *path = NULL;
>     char *pathdelims = "?&";
>     if (scolon_sep) {
>         pathdelims = ";?&";
>     }
>     for (path = strstr(url, name); path; path = strstr(path + 1, name)) {
>         path += strlen(name);
>         if (*path == '=') {
>             /*
>              * Session path was found, get its value
>              */
>             ++path;
>             if (strlen(path)) {
>                 char *q;
>                 path = apr_strtok(apr_pstrdup(pool, path), pathdelims, &q);
>                 return path;
>             }
>         }
>     }
>     return NULL;
> }
> {code}
> Severity of this bug to me is not so high since using more than one path parameter is not so common.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[JBoss JIRA] (MODCLUSTER-285) get_path_param in mod_proxy_cluster doesn't expect ';' as separator
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-285?page=com.atlassian.jira.pl... ]
Radoslav Husar updated MODCLUSTER-285:
--------------------------------------
Status: Resolved (was: Pull Request Sent)
Resolution: Done
[JBoss JIRA] (MODCLUSTER-285) get_path_param in mod_proxy_cluster doesn't expect ';' as separator
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-285?page=com.atlassian.jira.pl... ]
Radoslav Husar edited comment on MODCLUSTER-285 at 7/31/15 5:42 AM:
--------------------------------------------------------------------
Note that this code (upstream Apache trunk) is still wrong and violates the RFC. Imagine a query string:
{noformat}/my.jsp;notJSESSIONID=wrong;JSESSIONID=correct{noformat}
this method would return "wrong" instead of "correct".
was (Author: rhusar):
Note that this code (upstream Apache trunk) is still wrong and violates the RFC. Imagine a query string:
{noformat}/my.jsp?notJSESSIONID=wrong;JSESSIONID=correct{noformat}
this method would return "wrong" instead of "correct".
[JBoss JIRA] (MODCLUSTER-461) If Session ID key stored in URL contains sticky session cookie name it is used for routing
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-461?page=com.atlassian.jira.pl... ]
Radoslav Husar commented on MODCLUSTER-461:
-------------------------------------------
The problem can be tracked down to the original Apache httpd get_path_param function, which makes use of strstr() to locate the path element. This is indeed wrong and violates the RFC.
Also tested this for cookies; the wrongly named cookie is not being picked up by get_cookie_param.
This original problem would not even have been noticed if modcluster first parsed the cookies, which is the more common way of specifying the jsession id; fixing in the newly opened MODCLUSTER-462.
On a related note, the path_param didn't treat colons correctly either; fixing with MODCLUSTER-285.
> If Session ID key stored in URL contains sticky session cookie name it is used for routing
> ------------------------------------------------------------------------------------------
>
> Key: MODCLUSTER-461
> URL: https://issues.jboss.org/browse/MODCLUSTER-461
> Project: mod_cluster
> Issue Type: Bug
> Components: Native (httpd modules)
> Affects Versions: 1.2.9.Final, 1.3.1.Final
> Environment: Using the stock mod_cluster configuration shipped with EWS/JWS and EAP.
> Enterprise Web Server 2.x and 3.x
> JBoss EAP 6.3 and 6.4
> Used Tomcat sample application.
> Reporter: Robert Bost
> Assignee: Radoslav Husar
> Labels: stickysession
>
> If I make a request with a valid JSESSIONID cookie and a URL like below, the value from the URL is used by mod_cluster for sticky session routing:
> {{curl -b "JSESSIONID=OTg+mUVLRceO2bqRIcsSJmlm.4e6189af-0502-3305-8ff3-fad7fee8b516" -v 'http://myserver/sample/hello.jsp;not.really.jsessionid=oops'}}
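The mismatch discussed in the MODCLUSTER-285 and MODCLUSTER-461 comments above, as an added example that is not part of the original messages and is not mod_cluster or httpd code (nor the fix in the pull request): a libc-only port of the quoted strstr() lookup beside a delimiter-aware lookup that matches whole parameter names. The function names, the caller-supplied output buffer and the restriction to parameters on the last path segment are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* libc-only port (no APR) of the quoted strstr()-based lookup; value is copied to out */
static const char *naive_get_path_param(const char *url, const char *name,
                                        int scolon_sep, char *out, size_t outlen)
{
    const char *delims = scolon_sep ? ";?&" : "?&";
    for (const char *p = strstr(url, name); p; p = strstr(p + 1, name)) {
        p += strlen(name);                  /* lands after ANY occurrence of name */
        if (*p == '\0') break;              /* end-of-string guard added in this port */
        if (*p != '=') continue;
        if (*++p == '\0') break;            /* end-of-string guard added in this port */
        p += strspn(p, delims);             /* apr_strtok skips leading delimiters */
        snprintf(out, outlen, "%.*s", (int)strcspn(p, delims), p);
        return *out ? out : NULL;
    }
    return NULL;
}

/* Delimiter-aware lookup: path part only, split on ';', exact name match.
 * Assumption of this example: parameters sit on the last path segment. */
static const char *strict_get_path_param(const char *url, const char *name,
                                         char *out, size_t outlen)
{
    const char *end = url + strcspn(url, "?");   /* path parameters stop at the query */
    const char *seg = memchr(url, ';', (size_t)(end - url));
    size_t nlen = strlen(name);
    while (seg) {                                /* seg points at a ';' */
        const char *next = memchr(seg + 1, ';', (size_t)(end - (seg + 1)));
        size_t len = (size_t)((next ? next : end) - (seg + 1));
        if (len > nlen + 1 && seg[1 + nlen] == '=' && !memcmp(seg + 1, name, nlen)) {
            snprintf(out, outlen, "%.*s", (int)(len - nlen - 1), seg + nlen + 2);
            return out;
        }
        seg = next;
    }
    return NULL;
}

int main(void)
{
    const char *url = "/my.jsp;notJSESSIONID=wrong;JSESSIONID=correct"; /* from the page */
    char a[64], b[64];
    const char *n = naive_get_path_param(url, "JSESSIONID", 1, a, sizeof a);
    const char *s = strict_get_path_param(url, "JSESSIONID", b, sizeof b);
    printf("naive=%s strict=%s\n", n ? n : "(none)", s ? s : "(none)");
    return 0;
}
```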