[ic] Vend::Track lengthy headers cause ISEs in Apache

David Christensen david at endpoint.com
Thu May 20 21:45:58 UTC 2010

On May 20, 2010, at 4:32 PM, Jon Jensen wrote:

> On Thu, 20 May 2010, Brian J. Miller wrote:
>> Spent quite a while tracking this one down today. It would be a rather unusual occurrence, but if you have Track enabled and "excessively" long values for various data fields, such as code, description, category, then when IC provides an outputted response and includes the X-Track header, most versions of Apache will fall over, returning a 500 Internal Server Error whenever the header's value hits the 8kb mark.
> Wow. That's really nasty. Very nice sleuthing, Brian.
> I don't know anyone who uses the X-Track response header for anything, and can't recall hearing of anyone using it in the last 10 years. At the very least, we should make "UserTrack no" the default in catalog.cfg. Anyone who wants it could still have it, and it wouldn't affect existing installations even after an upgrade.
> But arguably we should just get rid of the UserTrack code altogether. The X-Track header is a waste, and the logs are mostly redundant with what Apache logs or things like Google Analytics tracks. Anyone that wants custom tracking of ecommerce stuff probably would need to do their own Autoload to get the specific logging they want anyway.
> Anyone in support of removing the whole UserTrack module altogether?


> Anyone *not* in support of at least making "UserTrack no" the default in catalog.cfg?

+1 on the default if the above isn't ratified. On a related note, we should verify that any data which is used in a header is checked to be using 7-bit ASCII only, or is appropriately converted to use some other 7-bit-compatible encoding, such as MIME-B/Q.


David Christensen
End Point Corporation
david at endpoint.com
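
The two checks raised in this thread (the 8 KB limit and 7-bit-safe header data), sketched in Perl as an added example that is not part of the original message or of Interchange's code. The helper name `safe_header_line`, the 8000-byte budget and the sample values are assumptions; a value needing encoding is carried as a single RFC 2047 "B" encoded-word.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use MIME::Base64 qw(encode_base64);

# Assumed budget: stay safely below the 8 KB mark reported in this thread.
use constant MAX_HEADER_BYTES => 8000;

# Hypothetical helper, not an Interchange function. Takes a header name and a
# Perl character string; returns a complete header line, or nothing (undef in
# scalar context) when the header should be dropped rather than sent.
sub safe_header_line {
    my ($name, $value) = @_;
    return unless defined $value && length $value;

    # Anything outside printable 7-bit ASCII (this also catches CR, LF and
    # other control characters) is converted to an RFC 2047 "B" encoded-word.
    if ($value =~ /[^\x20-\x7E]/) {
        my $b64 = encode_base64(encode('UTF-8', $value), '');
        $value = "=?UTF-8?B?$b64?=";
    }

    # The line is pure ASCII at this point, so characters equal bytes.
    my $line = "$name: $value";

    # Truncating could cut an encoded-word in half, so omit the header instead.
    return $line if length($line) <= MAX_HEADER_BYTES;
    return;
}

# Constructed sample values, not real X-Track output.
my @samples = (
    [ 'plain ASCII'  => 'code=ABC123' ],
    [ 'non-ASCII'    => "description=caf\x{e9} grinder" ],
    [ 'control char' => "description=two\r\nlines" ],
    [ 'oversized'    => 'category=' . ('A' x 9000) ],
);

for my $s (@samples) {
    my ($label, $value) = @$s;
    my $line = safe_header_line('X-Track', $value);
    printf "%-13s %s\n", $label, defined $line ? $line : '(header omitted)';
}
```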
