Bug 61560 - Incorrect string matching used in ProxyPassReverseCookiePath and ProxyPassReverseCookieDomain
Summary: Incorrect string matching used in ProxyPassReverseCookiePath and ProxyPassRev...
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy (show other bugs)
Version: 2.4.27
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
: 62208 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-09-23 00:05 UTC by bart
Modified: 2018-08-03 05:19 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description bart 2017-09-23 00:05:11 UTC
When using a reverse proxy, mod_proxy is not properly parsing the Set-Cookie header when modifying on the way back to the client.

The issue is in the definition of the string matcher:

    ap_proxy_strmatch_path = apr_strmatch_precompile(pconf, "path=", 0);
    ap_proxy_strmatch_domain = apr_strmatch_precompile(pconf, "domain=", 0);

The issue is obvious to see and easily reproduced if the origin server sets a cookie whose name ends in the word "path" or "domain".

For example, if the reverse proxy has a configuration directive such as:
ProxyPassReverseCookiePath  /  /my/nested/path

and the origin server sets a header like:
Set-Cookie: testPath=/hello;path=/

then the reverse proxy will rewrite the value of the cookie in the header to:
Set-Cookie: testPath=/my/nested/path;path=/

which is to say, it did NOT rewrite the cookie path (still "/"), but rather it rewrote the cookie value because the cookie name ended with the letters "path".
Comment 1 Christophe JAILLET 2018-05-25 20:13:34 UTC
A test case has been added in r1832275 for this corner case.

Thx for the report.
Comment 2 Christophe JAILLET 2018-05-25 22:29:08 UTC
Fixed in trunk in r1832280
Comment 3 Christophe JAILLET 2018-05-31 19:03:40 UTC
Proposed for backport in 1832643
Comment 4 Christophe JAILLET 2018-05-31 19:03:59 UTC
r1832643
Comment 5 Christophe JAILLET 2018-08-03 05:16:45 UTC
*** Bug 62208 has been marked as a duplicate of this bug. ***
Comment 6 Christophe JAILLET 2018-08-03 05:19:32 UTC
Backported in 2.4.x in r1835171.
This is fixed in 2.4.34