[interchange-bugs] [rt.icdevgroup.org #328] MV_SESSION_ID broken with IPv6
David Christensen via RT
interchange at rt.icdevgroup.org
Tue Nov 3 22:40:51 UTC 2009
Tue Nov 03 22:40:51 2009: Request 328 was acted upon.
Transaction: Ticket created by david
Queue: Interchange
Subject: MV_SESSION_ID broken with IPv6
Owner: Nobody
Requestors: david at endpoint.com
Status: new
Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=328 >
In Vend/Dispatch.pm, we check the MV_SESSION_ID against a regex to validate the contents of the cookie to prevent session hijacking.
The current code checks against IPv4 addresses, but does not handle IPv6 correctly:
$CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
[:_] (
( \d{1,3}\. # An IP ADDRESS
\d{1,3}\.
\d{1,3}\.
\d{1,3})
# A user name or domain
| ([A-Za-z0-9][-\@A-Za-z.0-9]+) )?
\b/x)
My proposal is to add to the list of valid IP addresses a regex that matches an IPv6 address as well, perhaps something along these lines:
/([:hex:]{,4}:)*(:[:hex:]{1,4})/
Exact pattern match is willing to be debated... :-)
More information about the interchange-bugs
mailing list