Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/07/05 15:55:43 UTC
[trafficserver] branch master updated: Restrict access to request
headers for ESI variables
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 2f4a5b7 Restrict access to request headers for ESI variables
2f4a5b7 is described below
commit 2f4a5b7a3eb4904d59913d4b38e54a4caeecceae
Author: Kit Chan <ki...@apache.org>
AuthorDate: Tue Jul 3 17:32:56 2018 -0700
Restrict access to request headers for ESI variables
---
doc/admin-guide/plugins/esi.en.rst | 2 +-
plugins/esi/lib/Variables.cc | 6 ++++++
plugins/esi/test/vars_test.cc | 2 ++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/admin-guide/plugins/esi.en.rst b/doc/admin-guide/plugins/esi.en.rst
index f43f7cc..1bbb916 100644
--- a/doc/admin-guide/plugins/esi.en.rst
+++ b/doc/admin-guide/plugins/esi.en.rst
@@ -170,4 +170,4 @@ Differences from Spec - http://www.w3.org/TR/esi-lang
5. HTTP_COOKIE supports fetching for sub-key
-6. HTTP_HEADER supports accessing request headers as variables
+6. HTTP_HEADER supports accessing request headers as variables except "Cookie"
diff --git a/plugins/esi/lib/Variables.cc b/plugins/esi/lib/Variables.cc
index 8a8dec9..ca30485 100644
--- a/plugins/esi/lib/Variables.cc
+++ b/plugins/esi/lib/Variables.cc
@@ -235,6 +235,12 @@ Variables::getValue(const string &name) const
return EMPTY_STRING;
}
+ // Disallow Cookie retrieval though HTTP_HEADER
+ if (dict_index == HTTP_HEADER && ((attr_len == 6) && (strncasecmp(attr, "Cookie", 6) == 0))) {
+ _errorLog("[%s] Cannot use HTTP_HEADER to retrieve Cookie", __FUNCTION__);
+ return EMPTY_STRING;
+ }
+
// change variable name to use only the attribute field
search_key.assign(attr, attr_len);
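Review bot: The new guard at the top of the hunk is an exact-name denylist of one entry, so any other credential-bearing request header (Authorization, Proxy-Authorization, the obsolete Cookie2) remains reachable through `HTTP_HEADER{...}` if the dictionary is populated from the full request header set, which this hunk does not show; if the goal is to keep credentials out of ESI-expanded output, a small table is safer than a single hard-coded compare and is no harder to maintain. The comment also has a typo, `though` for `through`, and `_errorLog` fires on every request whose template names a blocked header, which is template-controlled and may be noisy at error level; a debug-level log seems more appropriate but the available levels are not visible here. getValue's body begins before this hunk and continues after it.
```cpp
  // Request headers that must not be exposed to templates through HTTP_HEADER;
  // Cookie is only reachable via HTTP_COOKIE so its sub-key handling applies.
  static const char *const BLOCKED_HEADERS[] = {"Cookie", "Cookie2", "Authorization", "Proxy-Authorization"};
  if (dict_index == HTTP_HEADER) {
    for (const char *blocked : BLOCKED_HEADERS) {
      const size_t blocked_len = strlen(blocked);
      if (attr_len == blocked_len && strncasecmp(attr, blocked, blocked_len) == 0) {
        _errorLog("[%s] Cannot use HTTP_HEADER to retrieve %s", __FUNCTION__, blocked);
        return EMPTY_STRING;
      }
    }
  }
  // … unchanged: search_key assignment and lookup …
```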
diff --git a/plugins/esi/test/vars_test.cc b/plugins/esi/test/vars_test.cc
index dbe84ec..0bd11b7 100644
--- a/plugins/esi/test/vars_test.cc
+++ b/plugins/esi/test/vars_test.cc
@@ -445,12 +445,14 @@ main()
esi_vars.populate(HttpHeader("hdr1", -1, "hval1", -1));
esi_vars.populate(HttpHeader("Hdr2", -1, "hval2", -1));
esi_vars.populate(HttpHeader("@Intenal-hdr1", -1, "internal-hval1", -1));
+ esi_vars.populate(HttpHeader("cookie", -1, "x=y", -1));
assert(esi_vars.getValue("HTTP_HEADER{hdr1}") == "hval1");
assert(esi_vars.getValue("HTTP_HEADER{hdr2}") == "");
assert(esi_vars.getValue("HTTP_HEADER{Hdr2}") == "hval2");
assert(esi_vars.getValue("HTTP_HEADER{non-existent}") == "");
assert(esi_vars.getValue("HTTP_HEADER{@Intenal-hdr1}") == "internal-hval1");
+ assert(esi_vars.getValue("HTTP_HEADER{cookie}") == "");
}
{
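Review bot: The added assertion only exercises the all-lowercase spelling, so the case-insensitive `strncasecmp` in the guard is not pinned; a regression to a case-sensitive compare would still pass this test. Add `assert(esi_vars.getValue("HTTP_HEADER{Cookie}") == "");` and `assert(esi_vars.getValue("HTTP_HEADER{COOKIE}") == "");` next to the new line. It would also be worth asserting that the cookie value populated here is still retrievable through the intended `HTTP_COOKIE` path, so the restriction is shown to narrow access rather than remove it, assuming HTTP_COOKIE is fed from the same populate() call, which this hunk does not show.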