Re: [ic] BUG :- Very severe, but I've got a fix
Quoting Murray Gibbins (Murray@scotweb.ltd.uk):
> [order products and enter https]
>
> main:debug: arg is
> main:debug: session='Rg3RHkkT' cookie='' chost=''
> main:debug: session name='Rg3RHkkT:193.195.20.134'
>
> [ now in basket still in https still with no cookies, hit recalculate]
>
> main:debug: arg is
>
> main:debug: session='Rg3RHkkT' cookie='' chost=''
> main:debug: session name='rvme5mXZ:193.195.20.134'
Yes, this will happen with cookies off, just as in the FAQ.
> main:debug: arg is
>
> ----------------------------------------
>
> The problem is in the interchange perl
>
> ../bin/interchange
>
> snip-------
>
> if(! $compare_host) {
> new_session() unless $CGI::secure;
> $Vend::Session->{shost} = $CGI::secure;
> }
> elsif ($compare_host ne $CGI::remote_addr) {
> ::logDebug ('$compare_host ne $CGI::remote_addr '.$CGI::remote_addr);
> new_session() ;
> }
>
> ---------------
>
> should be
> ---------------
> if(! $compare_host) {
> #::logDebug ("not compare host");
> new_session() unless $CGI::secure;
> $Vend::Session->{shost} = $CGI::secure;
> }
> elsif ($compare_host ne $CGI::remote_addr) {
> #::logDebug ('$compare_host ne $CGI::remote_addr '.$CGI::remote_addr);
> new_session() unless ($CGI::secure && $Vend::Session->{shost});
> }
If $compare_host doesn't match $Vend::Session->{shost}, then you have
a security violation. If $compare_host is set and $CGI::secure is set,
then the IPs should match -- secure is not supposed to proxy, so you
won't have varying IPs as you might with non-secure.
Looks to me like the bug is:
$Vend::Session->{shost} = $CGI::secure;
It should be:
$Vend::Session->{shost} = $CGI::remote_addr;
Try backing out your change and putting that in and seeing if it works.
I think Stefan pointed this out to me some time ago, but for some reason
I couldn't see it. Thanks for working on this to make me see the light.
--
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH 45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>
For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled. -- Dick Feynman
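To make the two variants concrete, here is a small Perl model of the session-host check discussed above. It is an added example, not code from Interchange's bin/interchange: new_session() is a stand-in that just hands out fresh session hashes, the IP addresses are constructed, and the $fixed switch selects between the original assignment (shost = $CGI::secure) and the one proposed in the reply (shost = $CGI::remote_addr). Replaying the same three requests through both shows the reported symptom (a new session on every https request with no cookie) and why the fix restores the IP check.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for Interchange's shost/compare_host logic.
# Models only the branch quoted in the thread, not the real program.

my $next_id = 1;

# Stand-in for new_session(): a fresh session with no host recorded.
sub new_session {
    return { id => 'sess' . $next_id++, shost => undef };
}

# $session     : current session hash, or undef if none exists yet
# $remote_addr : client IP for this request ($CGI::remote_addr)
# $secure      : true when the request arrived over https ($CGI::secure)
# $fixed       : 0 = original assignment, 1 = shost bound to the client IP
# Returns the session to use for this request.
sub check_session_host {
    my ($session, $remote_addr, $secure, $fixed) = @_;
    $session ||= new_session();
    my $compare_host = $session->{shost};

    if (!$compare_host) {
        # No host recorded yet: start over unless we are on https.
        $session = new_session() unless $secure;
        # Original code stores the secure flag (1 or ''); the fix stores the IP.
        $session->{shost} = $fixed ? $remote_addr : $secure;
    }
    elsif ($compare_host ne $remote_addr) {
        # Recorded host differs from the requesting IP: treat as a
        # session-hijack attempt and issue a new session.
        $session = new_session();
    }
    return $session;
}

# Replay the sequence from the bug report and return the session ids seen.
sub replay {
    my ($fixed) = @_;
    my $ip    = '192.0.2.10';   # constructed client address
    my $other = '192.0.2.99';   # constructed address of a different client
    my ($s, @ids);
    # 1: order products over https, no cookie yet
    $s = check_session_host($s, $ip, 1, $fixed);    push @ids, $s->{id};
    # 2: hit "recalculate" in the basket, still https, same client
    $s = check_session_host($s, $ip, 1, $fixed);    push @ids, $s->{id};
    # 3: same session presented from a different IP
    $s = check_session_host($s, $other, 1, $fixed); push @ids, $s->{id};
    return @ids;
}

printf "%-6s %s\n", $_->[0], join(' -> ', replay($_->[1]))
    for ['buggy', 0], ['fixed', 1];
```

With the original assignment, shost holds the value 1 after the first https request, so the next request from the very same IP fails the string comparison and gets a new session; and because that new session has no host recorded, the third request from a different address is accepted. With shost bound to $CGI::remote_addr, the second request keeps its session and only the third, from another IP, is forced onto a new one, which is the behaviour the reply describes.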
_______________________________________________
Interchange-users mailing list
Interchange-users@lists.akopia.com
http://lists.akopia.com/mailman/listinfo/interchange-users