Duplication Of Cookies [rt.cpan.org #75897] #33

Open
oalders opened this issue Mar 30, 2017 · 0 comments

oalders commented Mar 30, 2017

Migrated from rt.cpan.org#75897 (status was 'open')

Requestors:

Attachments:

From [email protected] on 2012-03-20 06:24:48:

Bug in HTTP::Cookies version 6.01
Perl Version 5.10.1
Operating System: Ubuntu 10.04

BUG:
In package HTTP::Cookies, the function add_cookie_header() has a bug 
that it copies previously existing cookies and concatenates them to the 
request header. This sometimes causes duplication of cookies.
The Bug causes error 400 Bad Request, due to the request header being 
too long when trying to log in to a server. This condition does not cause 
an error until and unless the cookies are too long.


Workaround:
Rather than appending the existing cookies to the new cookies we should 
check if the cookie already exists then skip appending it, otherwise 
append it to the new cookies.



My Scenario:
I was trying to log on to an AD-FS server using NTLM Authentication.
We receive 4 NTLM Request Cookies which are base64 encoded. But during 
Authentication there are 3 redirections which are handled using 
request() in LWP::UserAgent.
This makes an indirect call to HTTP::Cookies each time.
Therefore, the same cookies are repeated 3 times.
As the cookies are too long we receive an HTTP Bad Request, Error 400.



Place of Bug in Code:

    if (@cval) {
        if (my $old = $request->header("Cookie")) {
            unshift(@cval, $old);
        }
        $request->header(Cookie => join("; ", @cval));
    }

Fix:
This patch checks whether the cookie in @oldcookie has already been 
included in @cval; if yes, then it skips appending it to @cval.

    if (@cval) {
        if (my $old = $request->header("Cookie")) {
            # Split the existing Cookie header on ";" into separate entries.
            my @oldcookie = split(/;/, $old);
            my $cookieflag;
            my $ocookie;
            my $ncookie;
            foreach (@oldcookie) {
                $ocookie = $_;
                $ocookie =~ s/^\s*//;
                $ocookie =~ s/\s*$//;
                chomp($ocookie);
                # Assume the old entry is missing from @cval until a match is found.
                $cookieflag = 1;
                foreach (@cval) {
                    $ncookie = $_;
                    $ncookie =~ s/^\s*//;
                    $ncookie =~ s/\s*$//;
                    chomp($ncookie);
                    if ($ncookie eq $ocookie) {
                        $cookieflag = 0;
                    }
                }
                # Carry over only the old entries that are not already present.
                if ($cookieflag == 1) {
                    unshift(@cval, $ocookie);
                }
            }
        }
        $request->header(Cookie => join("; ", @cval));
    }

From [email protected] on 2016-10-04 19:45:04:

On Tue Mar 20 02:24:48 2012, vaibhavkhunger wrote:
> 
> Bug in HTTP::Cookies version 6.01
> Perl Version 5.10.1
> Operating System: Ubuntu 10.04
> 
> BUG:
> In package HTTP::Cookies, the function add_cookie_header() has a bug 
> that it copies previously existing cookies and concatenates them to the 
> request header. This sometimes causes duplication of cookies.
> The Bug causes error 400 Bad Request, due to the request header being 
> too long when trying to log in to a server. This condition does not cause 
> an error until and unless the cookies are too long.
> 
> 
> Workaround:
> Rather than appending the existing cookies to the new cookies we should 
> check if the cookie already exists then skip appending it, otherwise 
> append it to the new cookies.
> 
> 
> 
> My Scenario:
> I was trying to log on to an AD-FS server using NTLM Authentication.
> We receive 4 NTLM Request Cookies which are base64 encoded. But during 
> Authentication there are 3 redirections which are handled using 
> request() in LWP::UserAgent.
> This makes an indirect call to HTTP::Cookies each time.
> Therefore, the same cookies are repeated 3 times.
> As the cookies are too long we receive an HTTP Bad Request, Error 400.
> 
> 
> 
> Place of Bug in Code:
> 
>     if (@cval) {
>         if (my $old = $request->header("Cookie")) {
>             unshift(@cval, $old);
>         }
>         $request->header(Cookie => join("; ", @cval));
>     }
> 
> Fix:
> This patch checks whether the cookie in @oldcookie has already been 
> included in @cval; if yes, then it skips appending it to @cval.
> 
>     if (@cval) {
>         if (my $old = $request->header("Cookie")) {
>             # Split the existing Cookie header on ";" into separate entries.
>             my @oldcookie = split(/;/, $old);
>             my $cookieflag;
>             my $ocookie;
>             my $ncookie;
>             foreach (@oldcookie) {
>                 $ocookie = $_;
>                 $ocookie =~ s/^\s*//;
>                 $ocookie =~ s/\s*$//;
>                 chomp($ocookie);
>                 # Assume the old entry is missing from @cval until a match is found.
>                 $cookieflag = 1;
>                 foreach (@cval) {
>                     $ncookie = $_;
>                     $ncookie =~ s/^\s*//;
>                     $ncookie =~ s/\s*$//;
>                     chomp($ncookie);
>                     if ($ncookie eq $ocookie) {
>                         $cookieflag = 0;
>                     }
>                 }
>                 # Carry over only the old entries that are not already present.
>                 if ($cookieflag == 1) {
>                     unshift(@cval, $ocookie);
>                 }
>             }
>         }
>         $request->header(Cookie => join("; ", @cval));
>     }

Looks like this is still an issue.  See https://github.com/libwww-perl/WWW-Mechanize/issues/52
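
An added illustration of the failure mode reported above (not code from HTTP::Cookies or from either poster): it replays three redirects through a header merge that prepends the old Cookie value verbatim, then through a hypothetical merge keyed on cookie name, and prints the resulting cookie count and header size. The cookie names and values are constructed, and the name-keyed merge assumes names are unique within one header and that values contain no ";".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Behaviour described in the report: the existing header is prepended verbatim.
sub merge_naive {
    my ($old, @cval) = @_;
    unshift @cval, $old if defined $old && length $old;
    return join("; ", @cval);
}

# Hypothetical alternative (assumption, not the module's code): merge by
# cookie name, newest value wins, first-seen order is preserved.
sub merge_by_name {
    my ($old, @cval) = @_;
    my (%value, @order);
    my @pairs = ((defined $old ? split(/;/, $old) : ()), @cval);
    for my $pair (@pairs) {
        $pair =~ s/^\s+|\s+$//g;
        next unless length $pair;
        # Limit of 2 keeps base64 "=" padding inside the value.
        my ($name, $val) = split(/=/, $pair, 2);
        push @order, $name unless exists $value{$name};
        $value{$name} = $val;
    }
    return join("; ", map { defined $value{$_} ? "$_=$value{$_}" : $_ } @order);
}

# Constructed sample data: four base64-shaped values, not real NTLM tokens.
my @jar = map { sprintf("NTLMReq%d=%s", $_, ("QUJD" x 7) . "QQ==") } 1 .. 4;

# Each hop re-adds the jar's cookies to a request that still carries the
# Cookie header from the previous hop, as in the redirect scenario above.
sub simulate {
    my ($merge, $hops) = @_;
    my $header;
    $header = $merge->($header, @jar) for 1 .. $hops;
    return $header;
}

for my $case ([naive => \&merge_naive], [by_name => \&merge_by_name]) {
    my ($label, $merge) = @$case;
    my $header = simulate($merge, 3);
    my $count  = () = $header =~ /NTLMReq\d+=/g;
    printf "%-8s cookies=%2d header_bytes=%d\n", $label, $count, length $header;
}
```

Keying on the name also collapses a cookie whose value was refreshed between redirects, which an exact string comparison would send twice.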