[ZBX-15479] Zabbix joins Cookie headers with a comma
Created: 2019 Jan 21 | Updated: 2019 Apr 29 | Resolved: 2019 Apr 09 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Proxy (P), Server (S) |
Affects Version/s: | 3.0.24, 4.0.2, 4.2.0alpha3 |
Fix Version/s: | 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan) |
Type: | Problem report | Priority: | Major |
Reporter: | Bouke Haarsma | Assignee: | Aleksejs Sestakovs |
Resolution: | Fixed | Votes: | 0 |
Labels: | None |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Environment: |
Zabbix 3.4.4 |
Issue Links: |
Team: | Team C |
Sprint: | Sprint 48, Jan 2019, Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019) |
Story Points: | 0.5 |
Description |
Zabbix uses a comma to join multiple same header fields. However, for cookies, this results in corrupted cookies. Cookie headers should be joined with a semicolon, as specified by the spec (RFC 6265).

Steps to reproduce:

Result: The request specifies the headers as follows:

Cookie: A=B, C=D

This is parsed by some servers (e.g. ASP.NET) as a cookie with name "A" and value "B, C=D".

Expected:

Cookie: A=B; C=D

This will be parsed by all RFC 6265 compliant servers as two cookies: "A" with value "B" and "C" with value "D".

Background: Note that the comma was a valid separator when the web was using "Netscape compliant cookies", especially RFC 2109. However, that RFC has been superseded by RFC 6265, and that only lists the semicolon as a valid separator:

Multiple cookies returned from the server will correctly be joined by a semicolon. However when a custom header cookie is specified, it will be appended to the server-specified cookies and separated by a comma. As a result of this, the last cookie returned by the server will be corrupted.
|
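The difference described above can be checked in a few lines of C. This is an added example, not Zabbix source code: the function names join_field and parse_cookies are hypothetical, and the parser only models a server that splits a Cookie value on semicolons as RFC 6265 describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; all names here are hypothetical, not Zabbix source. */
/* Header field names are case-insensitive, so match "cookie" in any case. */
static int is_cookie_field(const char *name)
{
	const char *ref = "cookie";

	for (; '\0' != *name && '\0' != *ref; name++, ref++)
		if (tolower((unsigned char)*name) != *ref)
			return 0;
	return '\0' == *name && '\0' == *ref;
}

/* Join two values of one header field: "; " for Cookie (RFC 6265), ", " otherwise.
 * Returns 0 on success, -1 if out is too small. */
int join_field(const char *name, const char *first, const char *second, char *out, size_t out_size)
{
	int n = snprintf(out, out_size, "%s%s%s", first, is_cookie_field(name) ? "; " : ", ", second);

	return (0 <= n && (size_t)n < out_size) ? 0 : -1;
}

/* Split a Cookie value on ';' only, as a server following RFC 6265 does.
 * Copies the value of cookie `name` to out and returns the number of pairs seen. */
int parse_cookies(const char *header, const char *name, char *out, size_t out_size)
{
	int count = 0;
	size_t name_len = strlen(name);

	out[0] = '\0';
	while ('\0' != *header)
	{
		size_t pair_len = strcspn(header, ";");
		const char *eq = memchr(header, '=', pair_len);

		if (NULL != eq)
		{
			count++;
			if ((size_t)(eq - header) == name_len && 0 == strncmp(header, name, name_len))
				snprintf(out, out_size, "%.*s", (int)(pair_len - (size_t)(eq + 1 - header)), eq + 1);
		}
		header += pair_len;
		header += strspn(header, "; ");
	}
	return count;
}
```

Feeding the comma-joined value "A=B, C=D" to parse_cookies yields one cookie "A" with value "B, C=D", while the output of join_field for the Cookie field yields two.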
Comments |
Comment by Aigars Kadikis [ 2019 Jan 22 ] |
Hello Bouke, Your description is deep. Version 3.4 is not supported anymore. Could you please confirm that these findings are applicable to version 4.0? |
Comment by Bouke Haarsma [ 2019 Jan 22 ] |
I don't have Zabbix 4.0 available to me at the moment, so won't be able to verify. |
Comment by Vjaceslavs Bogdanovs [ 2019 Jan 23 ] |
Confirmed to be reproducible on 4.0. |
Comment by Bouke Haarsma [ 2019 Feb 21 ] |
I'm getting a lot of e-mail notifications from this ticket; almost 30 so far. How can I opt-out? |
Comment by richlv [ 2019 Feb 21 ] |
Try clicking "Stop watching this issue" in the upper right corner. It might be overridden by general settings in your profile, but that remains to be seen. |
Comment by Bouke Haarsma [ 2019 Feb 21 ] |
I wasn't watching the issue to begin with. I might be getting them as I'm the original reporter. Regardless I would still like to opt-out. |
Comment by Aleksejs Sestakovs [ 2019 Apr 05 ] |
Available in
|
Comment by Glebs Ivanovskis [ 2019 Apr 27 ] |
This code looks wrong:

if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_COOKIE, (line + COOKIE_HEADER_STR_LEN * sizeof(char)))))

First of all, it violates the "two tab indentation" rule of the Zabbix Coding Guidelines. Secondly, it has too many parentheses. And the most interesting part: what is this expression supposed to mean? Why sizeof?

line + COOKIE_HEADER_STR_LEN * sizeof(char)

line is char* and, according to pointer arithmetic rules in C, when an integer is added to a pointer, it is implicitly multiplied by the size of the type the pointer points to. |