[ZBX-15479] Zabbix joins Cookie headers with a comma
Created: 2019 Jan 21  Updated: 2019 Apr 29  Resolved: 2019 Apr 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 3.0.24, 4.0.2, 4.2.0alpha3
Fix Version/s: 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)

Type: Problem report
Priority: Major
Reporter: Bouke Haarsma
Assignee: Aleksejs Sestakovs
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Zabbix 3.4.4

Issue Links:
Causes
causes ZBX-16050 Zabbix HTTP poller crashes in libcurl... Closed
Team: Team C
Sprint: Sprint 48, Jan 2019, Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Story Points: 0.5

 Description   

Zabbix uses a comma to join multiple same header fields. However for cookies, this results in corrupted cookies. Cookie headers should be joined with a semicolon, as specified by the spec (RFC 6265).

Steps to reproduce:

  1. Set up a web performance check.
  2. The server should return a cookie header `Set-Cookie: A=B` in step 1.
  3. Step 2 should send a cookie header `Cookie: C=D`.
  4. Inspect the actual request sent by Zabbix in step 2.

Result:

The request specifies the headers as follows:

`Cookie: A=B, C=D`

This is parsed by some servers (e.g. ASP.NET) as a cookie with name "A" and value "B, C=D". 

Expected:

`Cookie: A=B; C=D`

This will be parsed by all RFC6265 compliant servers as two cookies; "A" with value "B" and "C" with value "D".

Background:

Note that the comma was a valid separator when the web was using "Netscape compliant cookies", especially RFC2109. However that RFC has been superseded by RFC 6265, and that only lists the semicolon as a valid separator:

4.2.1. Syntax

The user agent sends stored cookies to the origin server in the Cookie header. If the server conforms to the requirements in Section 4.1 (and the user agent conforms to the requirements in Section 5), the user agent will send a Cookie header that conforms to the following grammar:

`cookie-header = "Cookie:" OWS cookie-string OWS`
`cookie-string = cookie-pair *( ";" SP cookie-pair )`

Multiple cookies returned from the server will correctly be joined by a semicolon. However when a custom header cookie is specified, it will be appended to the server-specified cookies and separated by a comma. As a result of this, the last cookie returned by the server will be corrupted.
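
The parsing difference described in this report, as an added example (not Zabbix code and not part of the original report). `join_cookies` and `parse_cookie_string` are hypothetical helpers, and the parser is a simplified reading of the RFC 6265 `cookie-string` grammar that splits on `;` only; the cookie values are the ones from the steps above.

```c
#include <stdio.h>
#include <string.h>

/* Join stored and custom cookie-strings with sep; -1 if out is too small. */
int join_cookies(char *out, size_t outlen, const char *stored, const char *custom, const char *sep)
{
	int n = snprintf(out, outlen, "%s%s%s", stored, sep, custom);
	return (0 > n || (size_t)n >= outlen) ? -1 : 0;
}

/* Split a cookie-string on ';' only (RFC 6265 cookie-string grammar), copy the
 * value of cookie `name` into val (empty if absent), return the pair count. */
int parse_cookie_string(const char *s, const char *name, char *val, size_t vallen)
{
	int pairs = 0;
	size_t namelen = strlen(name);

	val[0] = '\0';
	while ('\0' != *s)
	{
		const char *end = strchr(s, ';');
		size_t len = (NULL != end) ? (size_t)(end - s) : strlen(s);
		const char *eq = memchr(s, '=', len);

		if (NULL != eq)
		{
			pairs++;
			if ((size_t)(eq - s) == namelen && 0 == strncmp(s, name, namelen))
				snprintf(val, vallen, "%.*s", (int)(len - namelen - 1), eq + 1);
		}
		s += len;
		while (';' == *s || ' ' == *s)	/* skip the "; " separator */
			s++;
	}
	return pairs;
}

int main(void)
{
	const char *seps[] = {", ", "; "};	/* reported behaviour, then RFC 6265 */
	char hdr[64], val[64];
	for (int i = 0; i < 2; i++)
	{
		join_cookies(hdr, sizeof(hdr), "A=B", "C=D", seps[i]);	/* values from the report */
		int n = parse_cookie_string(hdr, "A", val, sizeof(val));
		printf("Cookie: %-10s -> %d pair(s), A=\"%s\"\n", hdr, n, val);
	}
	return 0;
}
```

With the comma separator the parser sees a single pair and cookie `C` never reaches the application, which is why a session or CSRF cookie set by the server can silently break a multi-step web check.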

 



 Comments   
Comment by Aigars Kadikis [ 2019 Jan 22 ]

Hello Bouke,

Your description is deep. Version 3.4 is not supported anymore. Could you please approve these findings are applicable to version 4.0?

Comment by Bouke Haarsma [ 2019 Jan 22 ]

I don't have Zabbix 4.0 available to me at the moment, so won't be able to verify.

Comment by Vjaceslavs Bogdanovs [ 2019 Jan 23 ]

Confirmed to be reproducible on 4.0.

Comment by Bouke Haarsma [ 2019 Feb 21 ]

I'm getting a lot of e-mail notifications from this ticket; almost 30 so far. How can I opt-out? 

Comment by richlv [ 2019 Feb 21 ]

Try clicking "Stop watching this issue" in the upper right corner. It might be overridden by general settings in your profile, but that remains to be seen.

Comment by Bouke Haarsma [ 2019 Feb 21 ]

I wasn't watching the issue to begin with. I might be getting them as I'm the original reporter. Regardless I would still like to opt-out.

Comment by Aleksejs Sestakovs [ 2019 Apr 05 ]

Available in

  • 4.0.7rc1 r92107
  • 4.2.1rc1 r92108
  • 4.4.0alpha1 (trunk) r92109

Comment by Glebs Ivanovskis [ 2019 Apr 27 ]

This code looks wrong:

if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_COOKIE, (line +
					COOKIE_HEADER_STR_LEN * sizeof(char)))))

First of all, it violates the "two tab indentation" rule of the Zabbix Coding Guidelines. Secondly, it has too many parentheses. And the most interesting part: what is this expression supposed to mean? Why sizeof?

line + COOKIE_HEADER_STR_LEN * sizeof(char)

line is char* and, according to pointer arithmetic rules in C, when an integer is added to a pointer, it is implicitly multiplied by the size of the type the pointer points to.
