[interchange-bugs] [rt.icdevgroup.org #328] MV_SESSION_ID broken with IPv6

David Christensen via RT interchange at rt.icdevgroup.org
Tue Nov 3 22:40:51 UTC 2009


Tue Nov 03 22:40:51 2009: Request 328 was acted upon.
Transaction: Ticket created by david
       Queue: Interchange
     Subject: MV_SESSION_ID broken with IPv6
       Owner: Nobody
  Requestors: david at endpoint.com
      Status: new
 Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=328 >


In Vend/Dispatch.pm, we check the MV_SESSION_ID against a regex to validate the contents of the cookie to prevent session hijacking.

The current code checks against IPv4 addresses, but does not handle IPv6 correctly:

    # Excerpt from Vend/Dispatch.pm: the stray closing paren from the
    # surrounding if() is dropped so the match stands on its own.
    $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
        [:_] (
            (   \d{1,3}\.   # An IP ADDRESS
                \d{1,3}\.
                \d{1,3}\.
                \d{1,3})
            # A user name or domain
            |   ([A-Za-z0-9][-\@A-Za-z.0-9]+) )?
            \b/x;

My proposal is to add to the list of valid IP addresses a regex that matches an IPv6 address as well, perhaps something along these lines:

/([[:xdigit:]]{0,4}:)*(:[[:xdigit:]]{1,4})/

Exact pattern match is willing to be debated... :-)
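As an added example (not Interchange's code), the quoted pattern transcribed to Python's re module, showing what it extracts from a constructed IPv6-suffixed cookie, beside an assumed IPv6-aware variant that keeps the regex loose and delegates the strict address check to the ipaddress module:

```python
import ipaddress
import re

# Python transcription of the Vend/Dispatch.pm pattern quoted in the ticket
# (Perl's \@ becomes a plain @ here; named groups added for readability).
CURRENT_COOKIE_RE = re.compile(r"""
    \bMV_SESSION_ID=(?P<sid>\w{8,32})
    [:_]
    (?P<host>
        (?P<ipv4>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   # an IPv4 address
      | (?P<name>[A-Za-z0-9][-@A-Za-z.0-9]+)          # a user name or domain
    )?
    \b
""", re.VERBOSE)

# Assumed IPv6-aware variant (not Interchange's code): a loose IPv6 candidate,
# anything made of hex digits, dots and at least one colon, is tried first and
# then checked strictly with ipaddress, which handles every compressed form
# (::1, 2001:db8::1, ::ffff:192.0.2.1) better than a hand-written regex.
IPV6_AWARE_COOKIE_RE = re.compile(r"""
    \bMV_SESSION_ID=(?P<sid>\w{8,32})
    [:_]
    (?P<host>
        (?P<ipv6>[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*)         # IPv6 candidate
      | (?P<ipv4>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   # an IPv4 address
      | (?P<name>[A-Za-z0-9][-@A-Za-z.0-9]+)          # a user name or domain
    )?
    \b
""", re.VERBOSE)


def parse_session_cookie(cookie, pattern=CURRENT_COOKIE_RE):
    """Return (session_id, host) from a Cookie header, or None when rejected."""
    m = pattern.search(cookie)
    if not m:
        return None
    if m.groupdict().get("ipv6") is not None:
        try:
            ipaddress.IPv6Address(m.group("ipv6"))
        except ValueError:
            return None  # looked like IPv6 but is not a real address
    return m.group("sid"), m.group("host")


if __name__ == "__main__":
    # Constructed cookie: the current pattern silently truncates the IPv6
    # host to "2001"; the IPv6-aware one returns the whole address.
    cookie = "MV_SESSION_ID=abcdef1234567890:2001:db8::1"
    print(parse_session_cookie(cookie))                        # ('abcdef1234567890', '2001')
    print(parse_session_cookie(cookie, IPV6_AWARE_COOKIE_RE))  # ('abcdef1234567890', '2001:db8::1')
```

Note that the current pattern does not fail outright on an IPv6 cookie: the "user name or domain" alternative matches the first hextet, so the host part comes back truncated rather than missing.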