Not handling coral_no_serv response correctly

sethcohn - May 19, 2008 - 17:57
Project: Coral Defender
Version: 5.x-1.0
Component: Code
Category: bug report
Priority: critical
Assigned: Andrew M Riley
Status: patch (reviewed & tested by the community)
Description

See http://www.cs.nyu.edu/pipermail/coral-announce/2005q1/000010.html

First, when Coral redirects a client back to the origin server, it appends
a "?coral-no-serve" to the end of the URL, i.e.,

   http://www.example.net/foo --> http://www.example.net/foo?coral-no-serve

An unmodified server (i.e., not running any dynamic cgi script) will
safely ignore this additional query string; it simply serves the file
"foo".  So, basic servers will not require any changes to handle this
query-string added by Coral.

However, if servers use Apache's mod_rewrite to redirect all non-Coral
requests to Coral, they need to be careful to check that no query
"?coral-no-serve" is present.  Consider the following message flow:

   client -> server:         http://example.net/
   server redirects client
   client -> coral:          http://example.net.nyud.net:8090/
   coral redirects client
   client -> server:         http://example.net/?coral-no-serve

Servers ignoring this query-string and redirecting the client *again* back
to Coral would cause a loop.

Currently, coral_defender does not handle this query response correctly, leading to an endless loop (and then error) as the request bounces between the site and Coral, each passing it to the other... This should be a pretty simple fix: look for the query string, and if found, don't pass off to coral.

This must be fixed in order to properly handle quota limits, or else coral'd endusers fail to reach your pages at all once the problem arises. This makes the module unusable right now.

Doesn't look like the dev version handles this properly either...
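The loop and the check described above, simulated as an added example that is not part of the original issue or of the Coral Defender module. The always-redirect origin policy, the hop limit, the function names and the "&" joining of the marker onto an existing query are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

CORAL_SUFFIX = ".nyud.net:8090"  # Coral host suffix, as in the quoted message flow
NO_SERVE = "coral-no-serve"      # marker Coral appends when sending a client back


def has_no_serve(url):
    """True if the marker is present as a query *key* (not merely as a value)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key == NO_SERVE for key, _ in pairs)


def origin(url, honor_no_serve):
    """Origin that offloads every request to Coral (assumed policy)."""
    if honor_no_serve and has_no_serve(url):
        return "serve", url  # Coral sent the client back: answer it locally
    p = urlsplit(url)
    return "redirect", urlunsplit((p.scheme, p.netloc + CORAL_SUFFIX, p.path, p.query, ""))


def coral(url):
    """Coral node that declines to serve and returns the client to the origin."""
    p = urlsplit(url)
    host = p.netloc[: -len(CORAL_SUFFIX)]
    # Assumption: the marker is joined with "&" when a query already exists.
    query = p.query if has_no_serve(url) else "&".join(filter(None, [p.query, NO_SERVE]))
    return "redirect", urlunsplit((p.scheme, host, p.path, query, ""))


def follow(url, honor_no_serve, max_hops=10):
    """Follow redirects like a browser; return (outcome, redirect trail)."""
    trail = [url]
    for _ in range(max_hops):
        if urlsplit(url).netloc.endswith(CORAL_SUFFIX):
            action, url = coral(url)
        else:
            action, url = origin(url, honor_no_serve)
        if action == "serve":
            return "served", trail
        trail.append(url)
    return "loop", trail


if __name__ == "__main__":
    for honor in (False, True):
        outcome, trail = follow("http://example.net/", honor)
        print(f"honor_no_serve={honor}: {outcome} after {len(trail)} URLs")
        for hop in trail[:4]:
            print("   ", hop)
```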

#1

sethcohn - May 30, 2008 - 15:39
Status: active » patch (code needs review)

Patch to fix this issue. Please review and commit.

Added a check in the condition for coral-no-serve in the query, and if so, don't jump back to Coral.

Attachment: coral-no-serve.patch
Size: 705 bytes

#2

Andrew M Riley - June 30, 2008 - 12:43
Assigned to: Anonymous » Andrew M Riley
Status: patch (code needs review) » patch (reviewed & tested by the community)

Sorry for the delay, I was on vacation. I will be importing this patch into the devel branch.
