From 069322678ed9d00e11645e8d411de06bd5c3b38b Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 3 Aug 2015 20:09:34 +0000 Subject: [PATCH] Allow cookies set by mod_rewrite to contain ':' by accepting ';' as an alternate separator. PR47241. Submitted By: , covener Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1693963 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ docs/manual/rewrite/flags.xml | 9 +++++++++ modules/mappers/mod_rewrite.c | 22 +++++++++++++++------- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 9bc6611d0f..f49e42b03d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting + ';' as an alternate separator. PR47241. + [, Eric Covener] + *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with apxs -q. PR58202. [Daniel Shahaf ] diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index 58eaae5e00..e3685d87ef 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -137,6 +137,15 @@ follows:

[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly] +

If a literal ':' character is needed in any of the cookie fields, an +alternate syntax is available. To opt-in to the alternate syntax, the cookie +"Name" should be preceded with a ';' character, and field separators should be +specified as ';'.

+ + +[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly] + +

You must declare a name, a value, and a domain for the cookie to be set.

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index a4f5efceec..3135e5e0c6 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2510,10 +2510,18 @@ static void add_cookie(request_rec *r, char *s)
 char *tok_cntx;
 char *cookie;
+ /* long-standing default, but can't use ':' in a cookie */
+ const char *sep = ":";
- var = apr_strtok(s, ":", &tok_cntx);
- val = apr_strtok(NULL, ":", &tok_cntx);
- domain = apr_strtok(NULL, ":", &tok_cntx);
+ /* opt-in to ; separator if first character is a ; */
+ if (s && *s == ';') {
+ sep = ";";
+ s++;
+ }
+
+ var = apr_strtok(s, sep, &tok_cntx);
+ val = apr_strtok(NULL, sep, &tok_cntx);
+ domain = apr_strtok(NULL, sep, &tok_cntx);
 if (var && val && domain) {
 request_rec *rmain = r;
@@ -2529,10 +2537,10 @@ static void add_cookie(request_rec *r, char *s)
 if (!data) {
 char *exp_time = NULL;
- expires = apr_strtok(NULL, ":", &tok_cntx);
- path = expires ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
- secure = path ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
- httponly = secure ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
+ expires = apr_strtok(NULL, sep, &tok_cntx);
+ path = expires ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
+ secure = path ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
+ httponly = secure ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
 if (expires) {
 apr_time_exp_t tms;
-- 2.40.0
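Review bot: The `s &&` test in the added opt-in block of the first hunk protects only the separator switch, because the very next added line still passes `s` to `apr_strtok(s, sep, &tok_cntx)`. With a NULL first argument apr_strtok resumes from the saved context pointer, and the visible declaration `char *tok_cntx;` leaves that pointer uninitialized. If callers can never pass NULL (they are outside this hunk), drop the test so the code does not suggest otherwise; if they can, return before tokenizing with `if (!s) return;`. The comment on `sep` should also record the limit of the new form, for example `/* with the ';' form no field may contain a literal ';' */`, since a separator character arriving inside an expanded value would presumably shift the positional fields that the second hunk reads with the same `sep`. add_cookie's body starts before and continues after both hunks.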