__atuvc cookie and modperl exception

addthis.com May 14, 2012 09:26AM EDT

The __atuvc cookie can cause an exception in Apache for systems based on Apache's modperl2. I believe the cause is that in this cookie the comma is not URI escaped. Apache will log an error 'Expected token not present' if modperl2 is used. If the application calls the jar method on the request handler without an eval, Apache will display 'Internal server error' to the visitor.

Reproducing this error is easy. Any page with the script below on it will cause an error in an Apache/Modperl2 system. It may only be logged, but if a call to the jar() method is done without an eval, 'Internal Server Error' is displayed to the visitor.

<script type="text/javascript">
document.cookie = '__atuvc=12|19,1|20; expires=Thu, 15 May 2014 03:32:03 UTC; path=/';
</script>

The problem with the above script lies in the value, which contains a comma that is not escaped and should be. Five non-control ASCII characters should be escaped in cookies, one of which is the comma (whitespace, double quote, comma, semicolon, and backslash).

Kind regards,
Arjan Widlak.
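
The escaping the post calls for, as an added example that is not part of the original post and is not AddThis code: it percent-encodes the characters the post lists (plus control and non-ASCII characters) before the cookie string is built. All function names are hypothetical, and the sample value and expiry are the ones from the reproduction script above.

```javascript
// Added example; function names are hypothetical.
// Characters that must not appear raw in a cookie value: the five the post
// lists (whitespace, double quote, comma, semicolon, backslash), plus
// control characters and anything outside printable ASCII.
function isForbidden(ch) {
  const cp = ch.codePointAt(0);
  return cp <= 0x20 || cp >= 0x7f || '",;\\'.includes(ch);
}

// Report each forbidden character and its position, for logging or tests.
function findForbiddenCookieChars(value) {
  const hits = [];
  let index = 0;
  for (const ch of value) {
    if (isForbidden(ch)) hits.push({ char: ch, index });
    index += ch.length;
  }
  return hits;
}

// Percent-encode forbidden characters only; '%' is encoded as well so that
// decoding is unambiguous. Safe octets such as '|' are left as they are.
function escapeCookieValue(value) {
  let out = '';
  for (const ch of value) {
    out += isForbidden(ch) || ch === '%' ? encodeURIComponent(ch) : ch;
  }
  return out;
}

// Reverse of escapeCookieValue, for the code that reads the cookie back.
function unescapeCookieValue(value) {
  return decodeURIComponent(value);
}

// Build the string to assign to document.cookie.
function buildCookie(name, value, expires, path) {
  return `${name}=${escapeCookieValue(value)}; expires=${expires.toUTCString()}; path=${path}`;
}

const raw = '12|19,1|20'; // value from the reproduction script
const expires = new Date(Date.UTC(2014, 4, 15, 3, 32, 3));
console.log(findForbiddenCookieChars(raw));
console.log(buildCookie('__atuvc', raw, expires, '/'));
// In a browser: document.cookie = buildCookie('__atuvc', raw, expires, '/');
```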
