
david at endpoint
Nov 3, 2009, 2:42 PM
Interchange Session bug with IPv6 only
In Vend/Dispatch.pm, we check the MV_SESSION_ID against a regex to validate the contents of the cookie to prevent session hijacking. The current code checks against IPv4 addresses, but does not handle IPv6 correctly:

    $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
            [:_] (
                (   \d{1,3}\.   # An IP ADDRESS
                    \d{1,3}\.
                    \d{1,3}\.
                    \d{1,3})
                # A user name or domain
                |   ([A-Za-z0-9][-\@A-Za-z.0-9]+) )?
            \b/x)

My proposal is to add to the list of valid IP addresses a regex that matches an IPv6 address as well, perhaps something along these lines:

    /([:hex:]{,4}:)*(:[:hex:]{1,4})/

Exact pattern match is willing to be debated... :-)

Regards,

David

--
David Christensen
End Point Corporation
david [at] endpoint

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users
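One way to extend the cookie check to IPv6, as an added example that is neither Interchange's code nor the pattern proposed in the post: the regex only bounds the candidate text, and the strict address parse is left to inet_pton from the core Socket module. The sub name parse_session_cookie, the lookahead used in place of the trailing \b, and the sample cookies are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Interchange code): accept IPv4, IPv6 or a name after
# the MV_SESSION_ID separator. Sub and variable names are hypothetical.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

my $cookie_re = qr/
    \bMV_SESSION_ID=(\w{8,32})
    [:_]
    (?:
        ( \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} )      # IPv4 candidate
      | ( (?: [0-9A-Fa-f]{1,4}: | :: )              # IPv6 candidate: starts with
          [0-9A-Fa-f:.]{0,43} )                     #   a hex group or a double colon
      | ( [A-Za-z0-9][-\@A-Za-z.0-9]+ )             # user name or domain
    )?
    (?! [-\w:.\@] )     # replaces \b, which cannot follow a trailing colon
/x;

sub parse_session_cookie {
    my ($cookie) = @_;
    return unless $cookie =~ $cookie_re;
    my ($id, $v4, $v6, $name) = ($1, $2, $3, $4);
    # The regex only bounds the character set; inet_pton does the strict
    # parse, so out-of-range octets or malformed colon groups fail here.
    return if defined $v4 && !defined inet_pton(AF_INET,  $v4);
    return if defined $v6 && !defined inet_pton(AF_INET6, $v6);
    my $kind = defined $v4   ? 'ipv4'
             : defined $v6   ? 'ipv6'
             : defined $name ? 'name' : 'none';
    return { id => $id, kind => $kind, host => $v4 // $v6 // $name // '' };
}

# Constructed sample cookie headers (documentation address ranges).
for my $c (
    'MV_SESSION_ID=AbCd1234:192.0.2.10',
    'MV_SESSION_ID=AbCd1234:2001:db8::1; other=1',
    'MV_SESSION_ID=AbCd1234_::1',
    'MV_SESSION_ID=AbCd1234:shopper@example.com',
    'MV_SESSION_ID=AbCd1234:2001:db8:::1',
) {
    my $r = parse_session_cookie($c);
    printf "%-46s %s\n", $c, $r ? "$r->{kind} $r->{host}" : 'rejected';
}
```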