Closed
Bug 111960
Opened 23 years ago
Closed 23 years ago
should ignore newline character in Set-Cookie header
Categories
(Core :: Networking: HTTP, defect, P3)
Tracking
()
VERIFIED
WONTFIX
mozilla0.9.9
People
(Reporter: dloose84, Assigned: badami)
References
()
Details
(Whiteboard: [patch needs r/sr=])
Attachments
(5 files)
136.41 KB,
application/octet-stream
|
Details | |
12.30 KB,
application/octet-stream
|
Details | |
1.76 KB,
patch
|
Details | Diff | Splinter Review | |
760 bytes,
patch
|
morse
:
review+
darin.moz
:
superreview+
|
Details | Diff | Splinter Review |
895 bytes,
text/plain
|
Details |
I've had this problem since I started using mozilla with M18. Whenever I try to login to my school's registration page, it prints the following data at the top of the page and sends me back to the login page: 0 HTTP/1.1 200 OK Transfer-Encoding: chunked Date: Mon, 26 Nov 2001 16:42:20 GMT Allow: GET, HEAD Server: Oracle_Web_Listener/4.0.8.2.1EnterpriseEdition Content-Type: text/html Set-Cookie: SESSID=; expires=Monday, 01-Jan-1990 08:00:00 GMT; Content-length: 3160 Connection: Keep-Alive Keep-Alive: timeout=10, max=999 c58 This data is printed in Windows 98 using .9.6 but the login process proceeds anyway. This is reproducible at http://registrar.wpi.edu but a valid account is needed to see the error. I have not seen it anywhere else. A screenshot of the error is at http://www.wpi.edu/~dloose/moz-error.jpg
Comment 1•23 years ago
|
||
Dave: Do you see those http-header information with any other browser as well? Can you fire up this page and see if it prints the header? --> http://jigsaw.w3.org/HTTP/ChunkedScript And: The machine seems to be a win2k box -- is there any chance you find out what version they use? (os, os-patchlevel, iis)
Comment 2•23 years ago
|
||
Reporter: Is the font with which the http-header is rendered your default font? If not, maybe the Oracle application is to blame?
Comment 3•23 years ago
|
||
reporter: are you connecting via a proxy server?
I don't see the header information with other browsers, but I haven't yet found a browser that will log me in. I've tried Opera, Konqueror, Galeon, and maybe a few others. I'm running FreeBSD 4.4, by the way. I don't connect via a proxy server and no one has responded to me yet so I don't know what version of Win2k they're running. I tried this bug report as a last resort of sorts. Nobody else has been able to help me, so I was hoping that maybe it was a mozilla problem.
Comment 5•23 years ago
|
||
reporter: can you generate a network packet trace using a tool such as ngrep.sourceforge.net? if so, that would greatly help in determining what could be going wrong here. thx!
Comment 6•23 years ago
|
||
This is a postscript file which shows what the page looks like with the exposed header files.
Comment 7•23 years ago
|
||
I've added an attachment to this bug as it seems that we're experiencing the same issue. Here's a report from our systems admin who is experiencing the problem (he's tried to create a bugzilla account but he's been unsuccessful so he asked me to submit one): While logging attempting to login into a server (Oracle_Web_Listener/4.0.8.1.0 EnterpriseEdition) via ssl (port 443) using cookie based authentication, after entering a valid User-id and Pin and clicking "Login" you are returned to the login page with the following at the top of Login page: 0 HTTP/1.1 200 OK Transfer-Encoding: chunked Date: Wed, 23 Jan 2002 20:10:02 GMT Allow: GET, HEAD Server: Oracle_Web_Listener/4.0.8.1.0EnterpriseEdition Content-Type: text/html Set-Cookie: SESSID=; expires=Monday, 01-Jan-1990 08:00:00 GMT; Content-length: 3783 Connection: Keep-Alive Keep-Alive: timeout=10, max=999 ec7 I've received this problem using Mozilla 0.9.6 on Solaris 8, Mozilla 0.9.2 on Linux (RH 7.2 Kernel 2.4.16), Mozilla 0.9.7 on Linux (RH 7.2 Kernel 2.4.16). It would appear that Mozilla is treating the cookie as HTML instead of a cookie being sent as part of the header information. I've tried logging into this site using Netscape v4.78 for Linux (RH 7.2 Kernel 2.4.16) and in Windows 2000 using IE5 with success. I've also attached a PostScript file of a print out of the exact behavior of returned after entering User-ID, Pin and clicking "Login".
Comment 8•23 years ago
|
||
reporter: can you confirm the problem using a more recent nightly build?
Comment 9•23 years ago
|
||
We just pulled down the latest Linux build (2002012308) and now it's doing something different... it's not showing the data on top of the page anymore, but it doesn't appear to be processing the cookie data correctly. Since this page uses SSL, we're creating a SSL dumper to dump the interaction between server and browser to see what's going on... once we generate a dump, would you find a copy of this dump useful?
Comment 10•23 years ago
|
||
yes, but what would be even more useful to me would be a HTTP log. you can set the following environment variables to cause mozilla to dump information about what our HTTP code is doing: setenv NSPR_LOG_MODULES nsHttp:5 setenv NSPR_LOG_FILE http.log please attach the "http.log" file to this bug. thx!
Comment 11•23 years ago
|
||
Daren, attached is the log you requested. We were looking at it, and around line 1907 it gets interesting. Between that line and line 2092, the pin is entered and the user is flipped back to the login prompt instead of proceeding thru the screens.
Comment 12•23 years ago
|
||
Was wondering if a solution to this bug has been found. Noticed while looking through the http.log that there seems to be a 'LF' after the Set-Cookie between lines 1314-1315. I don't know if this is from the Mozilla debugging log code if it this is the actuall header sent back, but could this be the issue? Here's a dump of what I'm refering including Hex: Snippet of Oracle response to Mozilla: (lines 1309 - 1319) 1026[810c0a0]: http response [ 1026[810c0a0]: HTTP/1.1 200 OK 1026[810c0a0]: Transfer-Encoding: chunked 1026[810c0a0]: Date: Thu, 24 Jan 2002 13:32:47 GMT 1026[810c0a0]: Allow: GET, HEAD 1026[810c0a0]: Server: Oracle_Web_Listener/4.0.8.1.0EnterpriseEdition 1026[810c0a0]: Content-Type: text/html 1026[810c0a0]: Set-Cookie: TESTID=set; SESSID=; expires=Monday, 01-Jan-1990 08:00:00 GMT; 1026[810c0a0]: Content-Length: 3783 1026[810c0a0]: Connection: Keep-Alive 1026[810c0a0]: Keep-Alive: timeout=10, max=999 1026[810c0a0]: ] Hex Dump of Oracle response to Mozilla: (lines 1309 - 1319) 00014DD0 20 68 74 74 70 20 72 65 73 70 6F 6E 73 65 20 5B http response [ 00014DE0 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A 20 .1026[810c0a0]: 00014DF0 20 20 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F HTTP/1.1 200 O 00014E00 4B 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A K.1026[810c0a0]: 00014E10 20 20 20 54 72 61 6E 73 66 65 72 2D 45 6E 63 6F Transfer-Enco 00014E20 64 69 6E 67 3A 20 63 68 75 6E 6B 65 64 0A 31 30 ding: chunked.10 00014E30 32 36 5B 38 31 30 63 30 61 30 5D 3A 20 20 20 44 26[810c0a0]: D 00014E40 61 74 65 3A 20 54 68 75 2C 20 32 34 20 4A 61 6E ate: Thu, 24 Jan 00014E50 20 32 30 30 32 20 31 33 3A 33 32 3A 34 37 20 47 2002 13:32:47 G 00014E60 4D 54 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D MT.1026[810c0a0] 00014E70 3A 20 20 20 41 6C 6C 6F 77 3A 20 47 45 54 2C 20 : Allow: GET, 00014E80 48 45 41 44 0A 31 30 32 36 5B 38 31 30 63 30 61 HEAD.1026[810c0a 00014E90 30 5D 3A 20 20 20 53 65 72 76 65 72 3A 20 4F 72 0]: Server: Or 00014EA0 61 63 6C 65 5F 57 65 62 5F 4C 69 73 74 65 6E 65 acle_Web_Listene 00014EB0 72 2F 34 2E 30 2E 38 2E 31 2E 30 45 6E 74 65 72 r/4.0.8.1.0Enter 00014EC0 70 72 69 73 65 45 64 69 74 69 6F 6E 0A 31 30 32 priseEdition.102 00014ED0 36 5B 38 31 30 63 30 61 30 5D 3A 20 20 20 43 6F 6[810c0a0]: Co 00014EE0 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type: text 00014EF0 2F 68 74 6D 6C 0A 31 30 32 36 5B 38 31 30 63 30 /html.1026[810c0 00014F00 61 30 5D 3A 20 20 20 53 65 74 2D 43 6F 6F 6B 69 a0]: Set-Cooki 00014F10 65 3A 20 54 45 53 54 49 44 3D 73 65 74 3B 0A 53 e: TESTID=set;.S 00014F20 45 53 53 49 44 3D 3B 20 65 78 70 69 72 65 73 3D ESSID=; expires= 00014F30 4D 6F 6E 64 61 79 2C 20 30 31 2D 4A 61 6E 2D 31 Monday, 01-Jan-1 00014F40 39 39 30 20 30 38 3A 30 30 3A 30 30 20 47 4D 54 990 08:00:00 GMT 00014F50 3B 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A ;.1026[810c0a0]: 00014F60 20 20 20 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 Content-Lengt 00014F70 68 3A 20 33 37 38 33 0A 31 30 32 36 5B 38 31 30 h: 3783.1026[810 00014F80 63 30 61 30 5D 3A 20 20 20 43 6F 6E 6E 65 63 74 c0a0]: Connect 00014F90 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0A ion: Keep-Alive. 00014FA0 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A 20 20 1026[810c0a0]: 00014FB0 20 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74 69 6D Keep-Alive: tim 00014FC0 65 6F 75 74 3D 31 30 2C 20 6D 61 78 3D 39 39 39 eout=10, max=999 00014FD0 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A 20 .1026[810c0a0]: 00014FE0 5D 0A 31 30 32 36 5B 38 31 30 63 30 61 30 5D 3A ].1026[810c0a0]: -Adam
Comment 13•23 years ago
|
||
cc'ing morse, owner of the mozilla cookies module. morse: this server is sending a Set-Cookie header w/ an embedded newline. seems mozilla is failing to treat the newline as ordinary whitespace. you think we should bother fixing this one? my feeling is that this should be an evangelism bug purely because allowing embedded newlines like this may interfere with future developments of the HTTP protocol. that is, we probably shouldn't support this bad-form. what do you think?
Comment 14•23 years ago
|
||
What does the http spec say about embedded newlines in headers? Seems to me that if other browsers (notably IE) accepts it, then we probably should too. I've seen many similar bug reports in the past describing this same symptom. So I don't think this is the only site affected. If we can come up with a fix for it, I think we should.
Comment 15•23 years ago
|
||
Reading through the RFC for HTTP 1.0 and HTTP 1.1 it states that New lines are NOT allowed in the HTTP Header. Though Browsers such as Netscape 4.78 and IE5 do NOT have trouble with this embedded newline. -Adam
Comment 16•23 years ago
|
||
the http code could easily replace the newline with a space character and then compact whitespace, but we can't guarantee that mozilla will always support this broken behavior. is this just a misconfiguration of oracle?
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → mozilla0.9.9
Comment 17•23 years ago
|
||
My recommendation is to convert the newlines to spaces, especially since IE seems to be doing that. Many sites seem to have this error since I've seen this happen many times. It's easier to handle it than it is to find all these sites and then evangelize them.
Comment 18•23 years ago
|
||
morse: agreed... modifying summary... reassigning to vinay
Assignee: darin → badami
Status: ASSIGNED → NEW
Summary: HTTP header data displayed at top of page → should ignore newline character in Set-Cookie header
Comment 19•23 years ago
|
||
Is set-cookie header the only header that potentially has this problem?
Comment 20•23 years ago
|
||
morse: the thing is the HTTP spec allows embedded newlines in headers, but the next line is supposed to be indented with whitespace. also, if all of the headers ended with LF (instead of CRLF) we'd have a problem because we wouldn't be able to determine if this line was a continuation or another header altogether. so, we have to be careful. in this case all of the headers end with CRLF so we can discern the continuation. we should do this for all headers... it probably involves fixing code in nsHttpHeaderArray::SetHeader.
Assignee | ||
Comment 21•23 years ago
|
||
Think we should do the same with \r ???
Comment 22•23 years ago
|
||
vinay: i thought about this some more, and i'm starting to think that it would be best to actually remove the '\n' and '\r' characters instead of simply overwriting each with a space. content providers probably never meant to inject the newline char(s). so, how about this instead: nsCAutoString buf; if (strpbrk(value, "\r\n")) { buf.Assign(value); buf.StripChars("\r\n"); value = buf.get(); }
Assignee | ||
Comment 23•23 years ago
|
||
Darin Let us go with what u r proposing. Since we do not have a reproducible test case, if this comes back as a reopen, we can then look at just replacing the \r\n with spaces.
Comment 24•23 years ago
|
||
Comment on attachment 69223 [details] [diff] [review] as Darin's comments r=morse
Attachment #69223 -
Flags: review+
Comment 25•23 years ago
|
||
I can be your test case if you want. I have a valid account with this product, SCT/Oracle Application with the 'LF' between set-cookies. -Adam
Comment 26•23 years ago
|
||
Fixed!! I would like to thank the Mozilla team for the quick response and fix for the Big co's screwups. THANK YOU.. -Adam
Comment 27•23 years ago
|
||
Comment on attachment 69223 [details] [diff] [review] as Darin's comments sr=darin vinay: thx for writing up this patch!
Attachment #69223 -
Flags: superreview+
Assignee | ||
Comment 28•23 years ago
|
||
Adam Are u saying that this now works ? The fix for the problem is not yet checked in. Can u be a bit more specific about comment 26.
Comment 29•23 years ago
|
||
Vinay, Yes... After putting that comment in and re-reading the dialog, I realized that you hadn't patched the main cvs branch, that Joe Smoe get's the source from. Under Linux 2.4.16, Stock RH7.2 libs, compiled the cvs checked out source, compiled, and ran mozilla against the SCT/OAS that was causing issues with cookies being displayed as HTML in the browser. It worked, I was able to enter user-id, password (as before) and this time when I clicked login, I actually was logged in, no cooki information dumped to the screen. Tested this login in and out, and moving around, with no problems. Then realized that the patch that has been floating around was a diff from your local copy verse the cvs repository. So I sucked down the two patches - 'remove \n in headers' (applied), then - 'as Darin's comments' (applied) and recompiled. I received the same behaviour as before the patch(es) were installed, but after I downloaded the source via cvs and compiled it. It worked. I've checked with the Dept that maintains the SCT/OSA app and they have made NO changes since I appended to this bug. Leads me to wonder, if perhaps 'LF' isn't the problem? Or wasn't completely the problem? If you needs http.log or any other information please let me know. -Adam
Assignee | ||
Comment 30•23 years ago
|
||
Wrote a env.c cgi that echoes the env back.Also sets a cookie with a name=value and the value having a \n in it. Compiled it and deployed it on a apache as a nph-cgi so that apache does not barf about the \n in the cookie header. Tested it on IE/Nav4.7/Mozilla. First request we get no cookie. Second request we get a cookie back with value being only line1 and not containing line2. All browsers behave similarly. Based on this suggesting that we do not try patching this.
Assignee | ||
Comment 31•23 years ago
|
||
I would suggest not patching this until someone comes up with a test case that demonstrates that IE/Moz behave differently on Cookies with \n embedded in the value.
Comment 32•23 years ago
|
||
vinay: does endl correspond to CRLF or LF? if it corresponds to LF then you are testing the wrong thing. we need to test what happens when we send headers that end with CRLF and contain an embedded LF. i'm guessing that your CGI was run on a linux box and therefore generates LF after each header instead of CRLF. please confirm. a network trace might be the best way to determine what's really going on. thx!
Assignee | ||
Comment 33•23 years ago
|
||
endl results in a CRLF. Tested and verified this with a network trace.
Comment 34•23 years ago
|
||
vinay: ok, interesting. morse: see comment #30 and #31... what do you think? should we leave this be?
Comment 35•23 years ago
|
||
I would agree. If all browsers behave the same way, then we shouldn't try to be different. Who knows what site we'll break if we do.
Assignee | ||
Comment 36•23 years ago
|
||
MArking as WONTFIX based on findings and comments 34 35.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•