[asterisk-bugs] [JIRA] (ASTERISK-21789) ast_http_get_cookies() fails in the presence of RFC2965 Cookie2 header
Stuart Henderson (JIRA)
noreply at issues.asterisk.org
Tue Jun 4 06:25:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=207009#comment-207009 ]
Stuart Henderson commented on ASTERISK-21789:
---------------------------------------------
Unless I'm mistaken this is as simple as just using strcasecmp instead of strncasecmp isn't it? v->name is just "Cookie", no trailing : etc.
> ast_http_get_cookies() fails in the presence of RFC2965 Cookie2 header
> ----------------------------------------------------------------------
>
> Key: ASTERISK-21789
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21789
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/HTTP, Core/ManagerInterface
> Affects Versions: 11.4.0
> Environment: OpenBSD 5.3-current, amd64 (but not relevant to issue)
> Reporter: Stuart Henderson
> Severity: Minor
>
> When sending cookies, some HTTP clients (for example the version of Apache Commons HttpClient used in railo 4.x) normally send an RFC 2965 Cookie2 header:
> {noformat}
> Cookie: mansession_id="e071e431"
> Cookie2: $Version="1"
> {noformat}
> This was recently deprecated by RFC 6265 but is still seen in the wild. Unfortunately ast_http_get_cookies() in http.c does this:
> {noformat}
> if (!strncasecmp(v->name, "Cookie", 6)) {
> char *tmp = ast_strdupa(v->value);
> if (cookies) {
> ast_variables_destroy(cookies);
> }
> cookies = parse_cookies(tmp);
> }
> {noformat}
> i.e. only compares the first 6 characters, and because the Cookie2 header appears after the Cookie header, destroys the previously saved cookies. As a result Asterisk doesn't pick up the authentication cookie and so AMI fails as it thinks the request is not authenticated.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list