[ic] Vend::Track lengthy headers cause ISEs in Apache

Gert van der Spoel gert at 3edge.com
Fri May 21 06:00:22 UTC 2010

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of David Christensen
> Sent: Friday, May 21, 2010 12:46 AM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Vend::Track lengthy headers cause ISEs in Apache
> On May 20, 2010, at 4:32 PM, Jon Jensen wrote:
> > On Thu, 20 May 2010, Brian J. Miller wrote:
> >
> >> Spent quite a while tracking this one down today, it would be a
> >> rather unusual occurrence, but if you have Track enabled and
> >> "excessively" long values for various data fields, such as code,
> >> description, category then when IC provides an outputted response and
> >> includes the X-Track header most versions of Apache will fall over
> >> returning a 500 Internal Server Error whenever the header's value hits
> >> the 8kb mark.
> >
> > Wow. That's really nasty. Very nice sleuthing, Brian.
> >
> > I don't know anyone who uses the X-Track response header for
> > anything, and can't recall hearing of anyone using it in the last 10
> > years. At the very least, we should make "UserTrack no" the default in
> > catalog.cfg. Anyone who wants it could still have it, and it wouldn't
> > affect existing installations even after an upgrade.
> >
> > But arguably we should just get rid of the UserTrack code altogether.
> > The X-Track header is a waste, and the logs are mostly redundant with
> > what Apache logs or things like Google Analytics tracks. Anyone that
> > wants custom tracking of ecommerce stuff probably would need to do
> > their own Autoload to get the specific logging they want anyway.
> >
> > Anyone in support of removing the whole UserTrack module altogether?
> +1

-1 .. I don't think functionality should be removed until there is a clear
Someone without access to the server does not have access to Apache logs and
someone who just wants to run his shop perhaps does not want/think about
putting Google Analytics ... For starters those UserTrack logs are useful
enough to people.

I am in support of making sure the ISE disappears, how that is done is up to
whoever spends time on it ... It is rare, it does not happen to everybody
and it is not a big deal (at least not for most of us). :) 

> > Anyone *not* in support of at least making "UserTrack no" the default
> > in catalog.cfg?

I am fine with making UserTrack no the default .. So +1 to that ....
Mike suggests that in that case the 'Report' tab does not get shown, which
seems to make sense as I believe that that tab uses the data collected with
UserTrack yes .. Or have it show an alternative message 'You need to set
UserTrack yes to make use of this report facility'...

> +1 on the default if the above isn't ratified.  On a related note, we
> should verify that any data which is used in a header should be checked
> is using 7-bit ASCII only, or appropriately converted to use some other
> 7-bit-compatible encoding, such as MIME-B/Q.
> Regards,
> David
> --
> David Christensen
> End Point Corporation
> david at endpoint.com
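
One way to combine the two checks discussed in this thread, the 8 KB failure and the 7-bit ASCII / MIME-B suggestion, as an added example that is not part of the thread or of Interchange's own code. The helper name `safe_header_value` and the `MAX_HEADER_LINE` ceiling of 8000 are assumptions, and the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);

# Assumption: a ceiling a little below the 8 KB mark reported in the thread.
use constant MAX_HEADER_LINE => 8000;

# Hypothetical helper: returns a value that is safe to emit for header $name,
# or undef when the header should be left out of the response.
sub safe_header_value {
    my ($name, $value) = @_;
    return undef unless defined $value && length $value;

    # A header value must be one line of text: replace control characters
    # (CR and LF included) with a single space.
    $value =~ s/[\x00-\x1F\x7F]+/ /g;

    # Anything that is still not 7-bit ASCII is sent as MIME-B encoded words.
    if ($value =~ /[^\x20-\x7E]/) {
        $value = encode('MIME-B', $value);
        $value =~ s/\r?\n[ \t]*/ /g;    # unfold the encoder's line folding
    }

    # Measure after encoding, because encoding makes the value longer.
    return undef if length("$name: $value") > MAX_HEADER_LINE;
    return $value;
}

# Constructed sample values, not real catalog data.
my %samples = (
    'short ASCII' => 'code=os28004&category=Tools',
    'accented'    => "description=Caf\x{e9} cr\x{e8}me",
    'oversized'   => 'description=' . ('A' x 9000),
);

for my $label (sort keys %samples) {
    my $value = safe_header_value('X-Track', $samples{$label});
    if (defined $value) {
        print "$label: X-Track: $value\n";
    } else {
        print "$label: X-Track omitted (empty or over ", MAX_HEADER_LINE, " bytes)\n";
    }
}
```

Omitting an oversized header keeps the page response intact; whether to truncate instead is a policy choice the thread does not settle.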