[ic] BUG :- Very severe, but I've got a fix

Murray Gibbins Murray@scotweb.ltd.uk
Fri, 02 Feb 2001 17:18:00 +0000


Mike Heins wrote:


> If $compare_host doesn't match $Vend::Session->{shost}, then you have
> a security violation. If $compare_host is set and $CGI::secure is set,
> then the IPs should match -- secure is not supposed to proxy, so you
> won't have varying IPs as you might with non-secure.
> 

Oops, sorry :-)


> Looks to me like the bug is:
> 
>         $Vend::Session->{shost} = $CGI::secure;
> 
> It should be:
> 
>         $Vend::Session->{shost} = $CGI::remote_addr;
> 
> Try backing out your change and putting that in and seeing if it works.

Will do first thing Monday, it's clocking off time in Scotland.

> 
> I think Stefan pointed this out to me some time ago, but for some reason
> I couldn't see it. Thanks for working on this to make me see the light.

Cheers, just remember me on the changes/bug lists. :-)


-- 
  ____
  \__/    Murray Gibbins             murray@scotweb.ltd.uk
  /  \    Programmer
_ \__/ _  ================================================
\\ || //  Scotweb Limited,             info@scotweb.ltd.uk
 \\||//   13a Albert Terrace,    http://www.scotweb.ltd.uk
  \||/    Edinburgh EH10 5EA   Tel: +44 (0)  131 270 82 33
   ||     Scotland. Europe.    Fax: +44 (0) 7020  93 49 04
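
The host comparison discussed in this message, as an added stand-alone Perl sketch that is not part of the original mail and is not Interchange code. The `check_request` helper, the hash layout and the assumption that `$compare_host` holds the client address are hypothetical; the request data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the secure-session host check (not Interchange code).
# $mode picks which value is stored in {shost} on the first secure request.
sub check_request {
    my ($session, $req, $mode) = @_;

    # Only secure requests are compared; non-secure ones may arrive via proxies.
    return 'ok (non-secure, not compared)' unless $req->{secure};

    # Assumption: the value compared against {shost} is the client address.
    my $compare_host = $req->{remote_addr};

    if (!defined $session->{shost}) {
        $session->{shost} = $mode eq 'buggy'
            ? $req->{secure}         # stores the secure flag, not an address
            : $req->{remote_addr};   # stores the client address
        return 'ok (shost recorded)';
    }

    return $compare_host eq $session->{shost}
        ? 'ok (match)'
        : 'security violation';
}

# Constructed requests using documentation-range addresses.
my @requests = (
    { secure => 1, remote_addr => '192.0.2.10'   },  # first secure hit
    { secure => 1, remote_addr => '192.0.2.10'   },  # same client again
    { secure => 1, remote_addr => '198.51.100.7' },  # different client, same session
);

for my $mode (qw(buggy fixed)) {
    my %session;
    print "$mode:\n";
    for my $req (@requests) {
        my $result = check_request(\%session, $req, $mode);
        printf "  from %-13s shost=%-11s %s\n",
            $req->{remote_addr}, $session{shost} // '(unset)', $result;
    }
}
```

With the flag stored in `{shost}`, the second request from the same client is reported as a violation because an address is being compared with the flag; with the address stored, only the request from the different address is flagged.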