[asterisk-bugs] [JIRA] (ASTERISK-21789) ast_http_get_cookies() fails in the presence of RFC2965 Cookie2 header

Stuart Henderson (JIRA) noreply at issues.asterisk.org
Tue Jun 4 06:25:03 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-21789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=207009#comment-207009 ] 

Stuart Henderson commented on ASTERISK-21789:
---------------------------------------------

Unless I'm mistaken this is as simple as just using strcasecmp instead of strncasecmp isn't it? v->name is just "Cookie", no trailing : etc.
                
> ast_http_get_cookies() fails in the presence of RFC2965 Cookie2 header
> ----------------------------------------------------------------------
>
>                 Key: ASTERISK-21789
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21789
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/HTTP, Core/ManagerInterface
>    Affects Versions: 11.4.0
>         Environment: OpenBSD 5.3-current, amd64 (but not relevant to issue)
>            Reporter: Stuart Henderson
>            Severity: Minor
>
>  When sending cookies, some HTTP clients (for example the version of Apache Commons HttpClient used in railo 4.x) normally send an RFC 2965 Cookie2 header:
> {noformat}
> Cookie: mansession_id="e071e431"
> Cookie2: $Version="1"
> {noformat}
> This was recently deprecated by RFC 6265 but is still seen in the wild. Unfortunately ast_http_get_cookies() in http.c does this:
> {noformat}
> if (!strncasecmp(v->name, "Cookie", 6)) { 
>         char *tmp = ast_strdupa(v->value);
>         if (cookies) {  
>                 ast_variables_destroy(cookies);
>         }               
>         cookies = parse_cookies(tmp);
> }
> {noformat}
> i.e. only compares the first 6 characters, and because the Cookie2 header appears after the Cookie header, destroys the previously saved cookies. As a result Asterisk doesn't pick up the authentication cookie and so AMI fails as it thinks the request is not authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira



More information about the asterisk-bugs mailing list