Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/07/05 18:35:38 UTC
[trafficserver] 01/02: Restrict access to request headers for ESI
variables
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit cea07c03274807c1588dbdf03baa1537d958c92f
Author: Kit Chan <ki...@apache.org>
AuthorDate: Tue Jul 3 17:32:56 2018 -0700
Restrict access to request headers for ESI variables
(cherry picked from commit 2f4a5b7a3eb4904d59913d4b38e54a4caeecceae)
---
doc/admin-guide/plugins/esi.en.rst | 2 +-
plugins/esi/lib/Variables.cc | 6 ++++++
plugins/esi/test/vars_test.cc | 2 ++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/admin-guide/plugins/esi.en.rst b/doc/admin-guide/plugins/esi.en.rst
index 29595d8..ebe504b 100644
--- a/doc/admin-guide/plugins/esi.en.rst
+++ b/doc/admin-guide/plugins/esi.en.rst
@@ -170,4 +170,4 @@ Differences from Spec - http://www.w3.org/TR/esi-lang
5. HTTP_COOKIE supports fetching for sub-key
-6. HTTP_HEADER supports accessing request headers as variables
+6. HTTP_HEADER supports accessing request headers as variables except "Cookie"
diff --git a/plugins/esi/lib/Variables.cc b/plugins/esi/lib/Variables.cc
index 8a8dec9..ca30485 100644
--- a/plugins/esi/lib/Variables.cc
+++ b/plugins/esi/lib/Variables.cc
@@ -235,6 +235,12 @@ Variables::getValue(const string &name) const
return EMPTY_STRING;
}
+ // Disallow Cookie retrieval though HTTP_HEADER
+ if (dict_index == HTTP_HEADER && ((attr_len == 6) && (strncasecmp(attr, "Cookie", 6) == 0))) {
+ _errorLog("[%s] Cannot use HTTP_HEADER to retrieve Cookie", __FUNCTION__);
+ return EMPTY_STRING;
+ }
+
// change variable name to use only the attribute field
search_key.assign(attr, attr_len);
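Review bot: The comment on the new guard has a typo (`though` → `through`) and does not say why Cookie alone is singled out, which is the one thing a future maintainer will ask; I'd write it as `// Disallow Cookie retrieval through HTTP_HEADER: cookies are exposed only via HTTP_COOKIE (sub-key access, see esi.en.rst)`. The comparison itself is consistent with the lookup on the last line: it runs on the same `attr`/`attr_len` bytes that `search_key` is assigned from, and it is case-insensitive, so no spelling of the name can reach a Cookie entry through this path regardless of how the dictionary compares keys. Because `_errorLog` fires on every blocked attempt, the log line doubles as a detection signal for templates probing the raw Cookie header, and that intent is worth a word in the comment as well. getValue begins and ends outside this hunk, so I cannot see whether an earlier branch returns before this check.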
diff --git a/plugins/esi/test/vars_test.cc b/plugins/esi/test/vars_test.cc
index 5da39ee..5982abf 100644
--- a/plugins/esi/test/vars_test.cc
+++ b/plugins/esi/test/vars_test.cc
@@ -444,12 +444,14 @@ main()
esi_vars.populate(HttpHeader("hdr1", -1, "hval1", -1));
esi_vars.populate(HttpHeader("Hdr2", -1, "hval2", -1));
esi_vars.populate(HttpHeader("@Intenal-hdr1", -1, "internal-hval1", -1));
+ esi_vars.populate(HttpHeader("cookie", -1, "x=y", -1));
assert(esi_vars.getValue("HTTP_HEADER{hdr1}") == "hval1");
assert(esi_vars.getValue("HTTP_HEADER{hdr2}") == "");
assert(esi_vars.getValue("HTTP_HEADER{Hdr2}") == "hval2");
assert(esi_vars.getValue("HTTP_HEADER{non-existent}") == "");
assert(esi_vars.getValue("HTTP_HEADER{@Intenal-hdr1}") == "internal-hval1");
+ assert(esi_vars.getValue("HTTP_HEADER{cookie}") == "");
}
{
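Review bot: The new assertion on the last added line checks only the lowercase spelling, while the guard it exercises uses a case-insensitive compare, and the neighbouring assertions (`hdr2` misses, `Hdr2` hits) show the dictionary lookup is case-sensitive, so asserting `HTTP_HEADER{Cookie}` against the header as populated would pass even without the guard. To pin the case-insensitive behaviour, populate the mixed-case spelling too and assert both are refused: `esi_vars.populate(HttpHeader("Cookie", -1, "a=b", -1));` followed by `assert(esi_vars.getValue("HTTP_HEADER{Cookie}") == "");`. It is also worth confirming in this block that the cookie populated here is still reachable through HTTP_COOKIE, if the file's existing HTTP_COOKIE tests do not already cover a header inserted this way, so the restriction cannot mask a regression in the intended path. The enclosing main() starts outside this hunk.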