Bug 61560

Summary: Incorrect string matching used in ProxyPassReverseCookiePath and ProxyPassReverseCookieDomain
Product: Apache httpd-2 Reporter: bart <bart+apache>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: normal CC: matthias.lehr
Priority: P2 Keywords: FixedInTrunk
Version: 2.4.27   
Target Milestone: ---   
Hardware: All   
OS: All   

Description bart 2017-09-23 00:05:11 UTC
When using a reverse proxy, mod_proxy is not properly parsing the Set-Cookie header when modifying on the way back to the client.

The issue is in the definition of the string matcher:

    ap_proxy_strmatch_path = apr_strmatch_precompile(pconf, "path=", 0);
    ap_proxy_strmatch_domain = apr_strmatch_precompile(pconf, "domain=", 0);

The issue is obvious to see and easily reproduced if the origin server sets a cookie whose name ends in the word "path" or "domain".

For example, if the reverse proxy has a configuration directive such as:
ProxyPassReverseCookiePath  /  /my/nested/path

and the origin server sets a header like:
Set-Cookie: testPath=/hello;path=/

then the reverse proxy will rewrite the value of the cookie in the header to:
Set-Cookie: testPath=/my/nested/path;path=/

which is to say, it did NOT rewrite the cookie path (still "/"), but rather it rewrote the cookie value because the cookie name ended with the letters "path".
Comment 1 Christophe JAILLET 2018-05-25 20:13:34 UTC
A test case has been added in r1832275 for this corner case.

Thx for the report.
Comment 2 Christophe JAILLET 2018-05-25 22:29:08 UTC
Fixed in trunk in r1832280
Comment 3 Christophe JAILLET 2018-05-31 19:03:40 UTC
Proposed for backport in 1832643
Comment 4 Christophe JAILLET 2018-05-31 19:03:59 UTC
Comment 5 Christophe JAILLET 2018-08-03 05:16:45 UTC
*** Bug 62208 has been marked as a duplicate of this bug. ***
Comment 6 Christophe JAILLET 2018-08-03 05:19:32 UTC
Backported in 2.4.x in r1835171.
This is fixed in 2.4.34