Bug #2986
closedCookie format specifier is broken
Description
The %{name}C format specifier doesn't log cookie value correctly.
Example request with header:
Cookie: test1=1; test2=2; test3=3
Using following configuration:
accesslog.format = "[%{test1}C][%{test2}C][%{test3}C]"
test1 cookie value gets logged, but test2 and test3 don't:
[1][][]
Files
Updated by xoneca about 5 years ago
- File lighttpd-fix-mod_accesslog-cookie-print.patch lighttpd-fix-mod_accesslog-cookie-print.patch added
Seems fixed with attached patch.
Updated by xoneca about 5 years ago
- File lighttpd-fix-mod_accesslog-cookie-print.patch lighttpd-fix-mod_accesslog-cookie-print.patch added
Sorry, I overlooked the removal of the last line in the patch. I've reworked the patch.
Updated by gstrauss about 5 years ago
Thanks. I'll try to review this patch later this week.
Updated by gstrauss about 5 years ago
This appears to preserve the existing behavior of how whitespace is handled, and also fixes the issue you are seeing:
--- a/src/mod_accesslog.c
+++ b/src/mod_accesslog.c
@@ -1098,7 +1098,7 @@ REQUESTDONE_FUNC(log_access_write) {
buffer_free(bstr);
break;
} else {
- do { ++str; } while (*str != ' ' && *str != '\t' && *str != '\0');
+ do { ++str; } while (*str != ';' && *str != ' ' && *str != '\t' && *str != '\0');
}
while (*str == ' ' || *str == '\t') ++str;
} while (*str++ == ';');
Updated by xoneca about 5 years ago
Sure, fix as you wish.
Your proposed change has a couple edge cases, though: an empty cookie (i.e. two semicolons in a row), skips the next cookie. And if the cookie value starts with semicolon and space, no cookies are read. These are very edge cases, so I can live with them :)
You don't have to be concernet with the witespace behaviour of my patch: whitespace is implicitly skipped as we only care to find the next semicolon. Indeed, could have used strchrnul to find the next semicolon, instead of the while loop.
Updated by xoneca about 5 years ago
I wasn't sure, but it seems empty cookies are allowed by the RFC [1]:
4. Serialize the cookie-list into a cookie-string by processing each
cookie in the cookie-list in order:
1. Output the cookie's name, the %x3D ("=") character, and the
cookie's value.
--> 2. If there is an unprocessed cookie in the cookie-list, output
--> the characters %x3B and %x20 ("; ").
Updated by xoneca about 5 years ago
- File lighttpd-fix-mod_accesslog-cookie-print.patch lighttpd-fix-mod_accesslog-cookie-print.patch added
Patch using strchrnul instead of a while loop. Tested with all discussed edge cases.
Updated by gstrauss about 5 years ago
strchrnul() is a GNU extension and is not as portable as C or POSIX standard library calls.
Updated by gstrauss about 5 years ago
--- a/src/mod_accesslog.c
+++ b/src/mod_accesslog.c
@@ -1098,7 +1098,7 @@ REQUESTDONE_FUNC(log_access_write) {
buffer_free(bstr);
break;
} else {
- do { ++str; } while (*str != ' ' && *str != '\t' && *str != '\0');
+ while (*str != ';' && *str != ' ' && *str != '\t' && *str != '\0') ++str;
}
while (*str == ' ' || *str == '\t') ++str;
} while (*str++ == ';');
Updated by gstrauss about 5 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.55
Updated by gstrauss almost 5 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 330c39c694a28e32162519c8843f3253ca9546f0.
Also available in: Atom