Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/07/05 18:35:38 UTC

[trafficserver] 01/02: Restrict access to request headers for ESI variables

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit cea07c03274807c1588dbdf03baa1537d958c92f
Author: Kit Chan <ki...@apache.org>
AuthorDate: Tue Jul 3 17:32:56 2018 -0700

    Restrict access to request headers for ESI variables
    
    (cherry picked from commit 2f4a5b7a3eb4904d59913d4b38e54a4caeecceae)
---
 doc/admin-guide/plugins/esi.en.rst | 2 +-
 plugins/esi/lib/Variables.cc       | 6 ++++++
 plugins/esi/test/vars_test.cc      | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/doc/admin-guide/plugins/esi.en.rst b/doc/admin-guide/plugins/esi.en.rst
index 29595d8..ebe504b 100644
--- a/doc/admin-guide/plugins/esi.en.rst
+++ b/doc/admin-guide/plugins/esi.en.rst
@@ -170,4 +170,4 @@ Differences from Spec - http://www.w3.org/TR/esi-lang
 
 5. HTTP_COOKIE supports fetching for sub-key
 
-6. HTTP_HEADER supports accessing request headers as variables
+6. HTTP_HEADER supports accessing request headers as variables except "Cookie"
diff --git a/plugins/esi/lib/Variables.cc b/plugins/esi/lib/Variables.cc
index 8a8dec9..ca30485 100644
--- a/plugins/esi/lib/Variables.cc
+++ b/plugins/esi/lib/Variables.cc
@@ -235,6 +235,12 @@ Variables::getValue(const string &name) const
     return EMPTY_STRING;
   }
 
+  // Disallow Cookie retrieval though HTTP_HEADER
+  if (dict_index == HTTP_HEADER && ((attr_len == 6) && (strncasecmp(attr, "Cookie", 6) == 0))) {
+    _errorLog("[%s] Cannot use HTTP_HEADER to retrieve Cookie", __FUNCTION__);
+    return EMPTY_STRING;
+  }
+
   // change variable name to use only the attribute field
   search_key.assign(attr, attr_len);
 
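Review bot: The header name and its length are spelled out twice in the new condition (`attr_len == 6` and `strncasecmp(attr, "Cookie", 6)`), so a later edit to one literal can silently desynchronise the other; deriving the length from the literal keeps them tied together, e.g. `static const char COOKIE_HDR[] = "Cookie";` followed by `if (dict_index == HTTP_HEADER && attr_len == sizeof(COOKIE_HDR) - 1 && strncasecmp(attr, COOKIE_HDR, attr_len) == 0) {`. The new comment has a typo: `// Disallow Cookie retrieval through HTTP_HEADER`. It is worth stating in that comment why Cookie alone is refused here (presumably so that the full credential-bearing header cannot be echoed into the ESI output, while HTTP_COOKIE still exposes individual sub-keys), since this is a single-entry denylist and the reasoning is not visible in the hunk. The enclosing `Variables::getValue` begins and ends outside the hunk.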
diff --git a/plugins/esi/test/vars_test.cc b/plugins/esi/test/vars_test.cc
index 5da39ee..5982abf 100644
--- a/plugins/esi/test/vars_test.cc
+++ b/plugins/esi/test/vars_test.cc
@@ -444,12 +444,14 @@ main()
     esi_vars.populate(HttpHeader("hdr1", -1, "hval1", -1));
     esi_vars.populate(HttpHeader("Hdr2", -1, "hval2", -1));
     esi_vars.populate(HttpHeader("@Intenal-hdr1", -1, "internal-hval1", -1));
+    esi_vars.populate(HttpHeader("cookie", -1, "x=y", -1));
 
     assert(esi_vars.getValue("HTTP_HEADER{hdr1}") == "hval1");
     assert(esi_vars.getValue("HTTP_HEADER{hdr2}") == "");
     assert(esi_vars.getValue("HTTP_HEADER{Hdr2}") == "hval2");
     assert(esi_vars.getValue("HTTP_HEADER{non-existent}") == "");
     assert(esi_vars.getValue("HTTP_HEADER{@Intenal-hdr1}") == "internal-hval1");
+    assert(esi_vars.getValue("HTTP_HEADER{cookie}") == "");
   }
 
   {
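Review bot: The new assertion only exercises the all-lowercase spelling `HTTP_HEADER{cookie}`, yet the check in Variables.cc relies on `strncasecmp` to be case-insensitive, so a regression to a case-sensitive compare would not be caught. Adding `assert(esi_vars.getValue("HTTP_HEADER{Cookie}") == "");` next to the existing line pins the intended behaviour for the canonical capitalisation. If HTTP_COOKIE sub-key lookups read the same populated header, an assertion that `HTTP_COOKIE{x}` still resolves would also confirm the restriction is limited to HTTP_HEADER, though that cannot be verified from this hunk. The enclosing `main` starts outside the hunk.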