[ic] Interchange Session bug with IPv6 only

David Christensen david at endpoint.com
Tue Nov 3 22:42:02 UTC 2009


In Vend/Dispatch.pm, we check the MV_SESSION_ID against a regex to  
validate the contents of the cookie to prevent session hijacking.

The current code checks against IPv4 addresses, but does not handle  
IPv6 correctly:

$CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
     [:_] (
         ( \d{1,3}\. # An IP ADDRESS
         \d{1,3}\.
         \d{1,3}\.
         \d{1,3})
     # A user name or domain
     | ([A-Za-z0-9][-\@A-Za-z.0-9]+) )?
     \b/x)

My proposal is to add to the list of valid IP addresses a regex that  
matches an IPv6 address as well, perhaps something along these lines:

/([[:xdigit:]]{0,4}:)*(:[[:xdigit:]]{1,4})/

Exact pattern match is willing to be debated... :-)

Regards,

David
--
David Christensen
End Point Corporation
david at endpoint.com
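As an added illustration (not Interchange's own code, and not part of the message above), this is the Dispatch.pm cookie check restated as a small Perl helper with a loose IPv6 alternative in the host part; the $ipv6 pattern, the parse_session_cookie name and the sample cookies are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Vend/Dispatch.pm: validate an MV_SESSION_ID cookie
# value of the form <id>[:_]<host>, where <host> may be IPv4, IPv6 or a
# user/domain name. The $ipv6 sub-pattern is an assumption for illustration.
use strict;
use warnings;

my $ipv4 = qr/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
# Hex groups of up to four digits joined by ':', at least two colons so the
# '::' compression is accepted; deliberately as loose as the IPv4 branch.
my $ipv6 = qr/[[:xdigit:]]{0,4}(?::[[:xdigit:]]{0,4}){2,7}/;
my $name = qr/[A-Za-z0-9][-\@A-Za-z.0-9]+/;

# Returns (session_id, host) when the cookie carries a well-formed
# MV_SESSION_ID, or an empty list otherwise.
sub parse_session_cookie {
    my ($cookie) = @_;
    return unless $cookie =~ /\bMV_SESSION_ID=(\w{8,32})
                              [:_] ( $ipv4 | $ipv6 | $name )?
                              \b/x;
    return ($1, $2);
}

# Constructed sample cookies. With the IPv4-only pattern currently in
# Dispatch.pm the second one still matches, but the host capture stops at
# "2001" because the name branch ends at the first ':'.
for my $cookie ('MV_SESSION_ID=abcdef12:192.168.0.1',
                'MV_SESSION_ID=abcdef12:2001:db8::1',
                'MV_SESSION_ID=abcdef12:shop.example.com') {
    my ($id, $host) = parse_session_cookie($cookie);
    printf "%-42s -> id=%s host=%s\n",
        $cookie, $id // '(none)', $host // '(none)';
}
```

Note that because \w also matches '_', an id written with the '_' separator followed by an IPv6 host (abcdef12_2001:db8::1) splits at the first ':' instead, so the separator choice matters once IPv6 is allowed.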