Bug 55039 - "RequestHeader edit" can't access environment variables
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_headers
Version: 2.2.3
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate
Duplicates: 47066
Depends on:
Reported: 2013-05-31 20:59 UTC by felix.almeida
Modified: 2018-11-08 07:19 UTC

Description felix.almeida 2013-05-31 20:59:42 UTC

First of all, let me give you some context. The Apache 2.2 webpage that describes mod_headers' "RequestHeader" directive says (specifically for the "edit" action):

	RequestHeader edit header value replacement [early|env=[!]variable]
	If this request header exists, its value is transformed according to a regular expression search-and-replace. The value argument is a regular expression, and the replacement is a replacement string, which may contain backreferences. Both a value and a replacement are a regular expression and a replacement string respectively.

That's fine, but I faced a situation in my production environment where I had two JSESSIONIDs defined in the "Cookie" header (don't ask me why) and this was confusing the load balancing algorithm (mod_proxy_balancer). Without getting into too much detail, what I had to do was to clean up the "Cookie" header to leave there only the JSESSIONID that I need. This is how I thought I could do that:

	SetEnvIf Cookie "JSESSIONID=([^;]+\.server.)" MYSESSIONID=$1
	RequestHeader edit* Cookie "(^JSESSIONID=[^;]+; |; JSESSIONID=[^;]+)" ""
	RequestHeader edit Cookie "(.*)" "$1; JSESSIONID=%{MYSESSIONID}e" env=MYSESSIONID

The first two lines above work fine, but unfortunately the last one doesn't because the "RequestHeader edit" directive cannot reference environment variables in its replacement string (why?). :~(

If I understood correctly what the webpage mentioned above says, the replacement string is just that (a fixed string), which may also contain backreferences to groups in the value's regular expression. However, since I was trying to append the content of an environment variable there (in this case MYSESSIONID), I ended up with, for instance, the following result (which is not what I wanted):

	Cookie: language=en; JSESSIONID=KKb2Ry1NJTw8tWznLH2hLCkSTkq0nnyKwSys0MbSxLvymKb89Cgn!-253102450; customer_type=Residential; JSESSIONID=%{MYSESSIONID}e

I was looking for something like this:

	Cookie: language=en; JSESSIONID=KKb2Ry1NJTw8tWznLH2hLCkSTkq0nnyKwSys0MbSxLvymKb89Cgn!-253102450; customer_type=Residential; JSESSIONID=60685FA3BC4F0345196D00BFBFBFFC79.server2

Please, would it be possible to add this capability to the "RequestHeader edit" directive so we would be able to use environment variables inside the replacement string as well?

Thanks a lot!

PS: I'm running Apache 2.2.3 on RHEL 5.7
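
As an added illustration (not part of the original report and not httpd code), the Python model below runs the three patterns from the report over constructed Cookie values, showing the literal `%{MYSESSIONID}e` result described above next to the expansion being requested. The function name `rewrite_cookie`, the `expand_env` switch and the sample cookies are assumptions made for the example, and Python's `re` stands in for httpd's regex engine.

```python
import re

# Patterns copied from the three directives in the report.
CAPTURE = re.compile(r"JSESSIONID=([^;]+\.server.)")             # SetEnvIf
STRIP = re.compile(r"(^JSESSIONID=[^;]+; |; JSESSIONID=[^;]+)")  # edit*


def rewrite_cookie(cookie, expand_env):
    """Apply the report's three steps to one Cookie header value.

    expand_env=False copies "%{MYSESSIONID}e" literally (the reported
    result); expand_env=True substitutes the variable (the request).
    """
    env = {}
    match = CAPTURE.search(cookie)
    if match:
        env["MYSESSIONID"] = match.group(1)
    # Step 2: edit* removes every JSESSIONID pair the pattern matches.
    cookie = STRIP.sub("", cookie)
    # Step 3: guarded by env=MYSESSIONID, so skipped when nothing was captured.
    if "MYSESSIONID" in env:
        value = env["MYSESSIONID"] if expand_env else "%{MYSESSIONID}e"
        cookie = f"{cookie}; JSESSIONID={value}"
    return cookie


# Constructed sample headers (not taken from real traffic).
SAMPLES = [
    "lang=en; JSESSIONID=AAAA1111; type=res; JSESSIONID=BBBB2222.server2",
    "lang=en",                      # no session cookie at all
    "JSESSIONID=BBBB2222.server2",  # session cookie is the only cookie
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("input   :", sample)
        print("literal :", rewrite_cookie(sample, expand_env=False))
        print("expanded:", rewrite_cookie(sample, expand_env=True))
```

In this model the third sample is matched by neither alternative of the second pattern, because a lone JSESSIONID pair has no `; ` before or after it, so the append step leaves two JSESSIONID entries in the header.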
Comment 1 felix.almeida 2013-05-31 21:22:19 UTC
*** Bug 47066 has been marked as a duplicate of this bug. ***
Comment 2 William A. Rowe Jr. 2018-11-07 21:09:10 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.