[ic] BUG :- Very severe, but I've got a fix

Mike Heins mikeh@minivend.com
Fri, 2 Feb 2001 11:52:23 -0500


Quoting Murray Gibbins (Murray@scotweb.ltd.uk):
> [order products and enter https]
> 
> main:debug: arg is 
> main:debug: session='Rg3RHkkT' cookie='' chost=''
> main:debug: session name='Rg3RHkkT:193.195.20.134'
> 
> [ now in basket still in https still with no cookies, hit recalculate]
> 
> main:debug: arg is 
> 
> main:debug: session='Rg3RHkkT' cookie='' chost=''
> main:debug: session name='rvme5mXZ:193.195.20.134'

Yes, this will happen with cookies off, just as in the FAQ.

> main:debug: arg is 
> 
> ----------------------------------------
> 
> The problem is in the interchange perl
> 
> ../bin/interchange
> 
> snip-------
> 
> 			if(! $compare_host) {			    
> 				new_session() unless $CGI::secure;
> 				$Vend::Session->{shost} = $CGI::secure;
> 			}
> 			elsif ($compare_host ne $CGI::remote_addr) {
> 			    ::logDebug ('$compare_host ne $CGI::remote_addr '.$CGI::remote_addr);
> 				new_session() ;
> 			}
> 
> ---------------
> 
> should be
> ---------------
> 			if(! $compare_host) {
> 			    #::logDebug ("not compare host");
> 				new_session() unless $CGI::secure;
> 				$Vend::Session->{shost} = $CGI::secure;
> 			}
> 			elsif ($compare_host ne $CGI::remote_addr) {
> 			    #::logDebug ('$compare_host ne $CGI::remote_addr '.$CGI::remote_addr);
> 				new_session() unless ($CGI::secure && $Vend::Session->{shost});
> 			}

If $compare_host doesn't match $Vend::Session->{shost}, then you have
a security violation. If $compare_host is set and $CGI::secure is set,
then the IPs should match -- secure is not supposed to proxy, so you
won't have varying IPs as you might with non-secure.

Looks to me like the bug is:

	$Vend::Session->{shost} = $CGI::secure;

It should be: 

	$Vend::Session->{shost} = $CGI::remote_addr;

Try backing out your change and putting that in and seeing if it works.

I think Stefan pointed this out to me some time ago, but for some reason
I couldn't see it. Thanks for working on this to make me see the light.

-- 
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled. -- Dick Feynman
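The session-host check discussed in this message, as an added Perl illustration that is not Interchange's own code and was not posted by either participant: a stand-in `decide` function models the branch from bin/interchange with the original `shost = $CGI::secure` assignment and with the `shost = $CGI::remote_addr` fix Mike suggests, then runs two consecutive https requests from one constructed address through each variant. The names `decide`, `$fix` and `$action` are assumptions for this example only; `shost`, `$CGI::secure` and `$CGI::remote_addr` are the names from the thread.

```perl
#!/usr/bin/perl
# Added example modelling the session-host check from the thread above.
# Not Interchange code: decide() is a hypothetical stand-in for the branch
# in bin/interchange, with the original assignment and the proposed fix
# selectable via $fix.
use strict;
use warnings;

# Decide whether a request keeps its session or gets a new one.
#   $session : hashref standing in for $Vend::Session (field "shost")
#   $remote  : stand-in for $CGI::remote_addr on this request
#   $secure  : stand-in for $CGI::secure (true on an https request)
#   $fix     : true  -> store the remote address in shost (the fix)
#              false -> store $CGI::secure in shost (the original code)
sub decide {
    my ($session, $remote, $secure, $fix) = @_;
    my $action       = 'keep';
    my $compare_host = $session->{shost};

    if (! $compare_host) {
        # First request with no stored host: non-secure requests get a
        # fresh session; the stored value is what later requests are
        # compared against.
        $action = 'new_session' unless $secure;
        $session->{shost} = $fix ? $remote : $secure;
    }
    elsif ($compare_host ne $remote) {
        # Stored host does not match this request's address.
        $action = 'new_session';
    }
    return $action;
}

# Constructed walk-through: two https requests in a row from the same
# address, mirroring the debug output quoted in the thread.  With the
# original assignment, shost holds the value of $CGI::secure rather than
# an address, so the second request never matches and is forced into a
# new session; with the fix, shost holds the address and the session
# survives.
for my $fix (0, 1) {
    my %session;
    my @results = map { decide(\%session, '193.195.20.134', 1, $fix) } 1 .. 2;
    printf "%s: first=%s second=%s shost='%s'\n",
        ($fix ? 'fixed' : 'original'), @results, $session{shost};
}
```

Run it with `perl` and compare the two lines: the original variant stores a non-address in shost, which is why every later secure request fails the `$compare_host ne $CGI::remote_addr` comparison and loses its basket, while the fixed variant keeps the session because the stored host equals the request address.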