Bug 179290 - login cookie email needs to be escaped
Status: RESOLVED FIXED (Closed)
Opened 22 years ago, closed 22 years ago
Categories: Bugzilla :: Bugzilla-General, defect
Target Milestone: Bugzilla 2.18
People: Reporter: ftobin+bugzilla, Assigned: bbaetz
Keywords: regression
Attachments (1 file): patch, 780 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912

Bugzilla is not remembering my login information from page to page. It has set cookies in my browser, but they aren't having any effect.

Reproducible: Always

Steps to Reproduce:
1. go to http://bugzilla.mozilla.org/
2. follow the "Log in to an existing account" link
3. login; you are then brought to the query page
4. Follow the "Query" link at the bottom of the page (query.cgi)

Actual Results: Looking at the bottom of the page, you'll note that you're not logged in anymore.

Expected Results: It should have read my cookie and kept my login.

This happens for *any* page. For instance, I can be viewing a bug, attach a comment (it asks for my login information), try to add another comment, and it re-asks for my login info.
Comment 1 (Assignee) • 22 years ago
Are you behind a transparent proxy of some sort/NAT, or does your IP address otherwise keep changing?
Comment 2 (Reporter) • 22 years ago
I have a real global IP, not behind any sort of proxy or firewall. This is a *new* problem; I've used Bugzilla before, from the same box, without any problems whatsoever.
Comment 3 (Reporter) • 22 years ago
I do have a couple of options set regarding cookies, but they should have no effect, and have not had an effect in the past regarding this bug:
* I have set the "enable from originating site only"
* I have set the "limit to session only"
* I have set the "disable in mail and newsgroups"

The bugs that bugzilla is setting are
Bugzilla_login (the value is my appropriate login)
Bugzilla_logincookie (the value is 97738)
The Host for each cookie is bugzilla.mozilla.org
Comment 4 (Assignee) • 22 years ago
Hmm. Do you have any other cookies for bugzilla.mozilla.org? If you turn those cookie options off, does it work?
Comment 5 (Reporter) • 22 years ago
After querying, I also get the cookies LASTORDER and BUGLIST. I also now get VERSION-Bugzilla (new, within the past few minutes, unless the search page set it). Turning those options off (and allowing all cookies from anywhere) makes no difference.
Comment 6 (Assignee) • 22 years ago
myk, can you select all the logincookies from the db directly, including the IP? ftobin, do other browsers work?
Comment 7 (Reporter) • 22 years ago
This is very strange; it works fine with lynx, but not with Mozilla, Konqueror, or Amaya.
No longer blocks: 179176
Comment 8 (Reporter) • 22 years ago
Never mind about amaya, it doesn't handle cookies anyways, it seems.
Comment 9 (Reporter) • 22 years ago
Since there is talk of IPs, I'll state my IP is 167.206.208.232.
Comment 10 • 22 years ago
mysql> select * from logincookies where userid = 37326;
+--------+--------+----------------+-----------------+
| cookie | userid | lastused       | ipaddr          |
+--------+--------+----------------+-----------------+
|  97845 |  37326 | 20021109193257 | 167.206.208.232 |
|  97843 |  37326 | 20021109193231 | 167.206.208.232 |
|  97841 |  37326 | 20021109193036 | 167.206.208.232 |
|  97838 |  37326 | 20021109192823 | 167.206.208.232 |
|  97835 |  37326 | 20021109192213 | 167.206.208.232 |
|  97829 |  37326 | 20021109191110 | 167.206.208.232 |
|  97828 |  37326 | 20021109190527 | 167.206.208.232 |
|  97785 |  37326 | 20021109165108 | 167.206.208.232 |
|  97783 |  37326 | 20021109164945 | 167.206.208.232 |
|  97780 |  37326 | 20021109164612 | 167.206.208.232 |
|  97779 |  37326 | 20021109164459 | 167.206.208.232 |
|  97778 |  37326 | 20021109164439 | 167.206.208.232 |
|  97775 |  37326 | 20021109164125 | 167.206.208.232 |
|  97774 |  37326 | 20021109164036 | 167.206.208.232 |
|  97773 |  37326 | 20021109164021 | 167.206.208.232 |
|  97771 |  37326 | 20021109163937 | 167.206.208.232 |
|  97770 |  37326 | 20021109163854 | 167.206.208.232 |
|  97769 |  37326 | 20021109163753 | 167.206.208.232 |
|  97767 |  37326 | 20021109163552 | 167.206.208.232 |
|  97766 |  37326 | 20021109163530 | 167.206.208.232 |
|  97755 |  37326 | 20021109160751 | 167.206.208.232 |
|  97756 |  37326 | 20021109160946 | 167.206.208.232 |
|  97752 |  37326 | 20021109160606 | 167.206.208.232 |
|  97751 |  37326 | 20021109160455 | 167.206.208.232 |
|  97750 |  37326 | 20021109160311 | 167.206.208.232 |
|  97748 |  37326 | 20021109155755 | 167.206.208.232 |
|  97747 |  37326 | 20021109155743 | 167.206.208.232 |
|  97742 |  37326 | 20021109154851 | 167.206.208.232 |
|  97741 |  37326 | 20021109154717 | 167.206.208.232 |
|  97740 |  37326 | 20021109154505 | 167.206.208.232 |
|  97738 |  37326 | 20021109154020 | 167.206.208.232 |
|  97736 |  37326 | 20021109153854 | 167.206.208.232 |
|  97735 |  37326 | 20021109153725 | 167.206.208.232 |
|  97734 |  37326 | 20021109153711 | 167.206.208.232 |
|  97733 |  37326 | 20021109153513 | 167.206.208.232 |
|  97732 |  37326 | 20021109153443 | 167.206.208.232 |
|  97729 |  37326 | 20021109153114 | 167.206.208.232 |
|  97728 |  37326 | 20021109153048 | 167.206.208.232 |
|  97724 |  37326 | 20021109152857 | 167.206.208.232 |
|  97718 |  37326 | 20021109152213 | 167.206.208.232 |
|  97688 |  37326 | 20021109143736 | 167.206.208.232 |
|  97687 |  37326 | 20021109143653 | 167.206.208.232 |
|  97684 |  37326 | 20021109143553 | 167.206.208.232 |
|  97681 |  37326 | 20021109143428 | 167.206.208.232 |
|  97675 |  37326 | 20021109143141 | 167.206.208.232 |
|  97674 |  37326 | 20021109143112 | 167.206.208.232 |
|  97668 |  37326 | 20021109142418 | 167.206.208.232 |
|  97667 |  37326 | 20021109142411 | 167.206.208.232 |
|  97666 |  37326 | 20021109142345 | 167.206.208.232 |
|  97660 |  37326 | 20021109141909 | 167.206.208.232 |
|  97656 |  37326 | 20021109141643 | 167.206.208.232 |
|  97653 |  37326 | 20021109141618 | 167.206.208.232 |
|  97651 |  37326 | 20021109141514 | 167.206.208.232 |
|  97644 |  37326 | 20021109140152 | 167.206.208.232 |
|  97643 |  37326 | 20021109140129 | 167.206.208.232 |
|  97642 |  37326 | 20021109140128 | 167.206.208.232 |
|  97641 |  37326 | 20021109140120 | 167.206.208.232 |
|  97640 |  37326 | 20021109140116 | 167.206.208.232 |
|  97639 |  37326 | 20021109140112 | 167.206.208.232 |
|  97638 |  37326 | 20021109140106 | 167.206.208.232 |
|  97635 |  37326 | 20021109140021 | 167.206.208.232 |
|  97634 |  37326 | 20021109140004 | 167.206.208.232 |
|  97632 |  37326 | 20021109135849 | 167.206.208.232 |
|  97629 |  37326 | 20021109135429 | 167.206.208.232 |
|  97686 |  37326 | 20021109143637 | 167.206.208.232 |
+--------+--------+----------------+-----------------+
65 rows in set (0.08 sec)

FWIW, I saw this problem with some test installations on landfill that had a cookiepath other than /. Setting the cookiepath to / solved the problem (although theoretically it created others). The cookiepath for b.m.o is /.
Comment 11 (Assignee) • 22 years ago
You're not using some sort of proxy which strips cookies? Can you run a packet tracer (such as ethereal), and attach the response from a login session (only the response; we don't want your password from the request... ;) Make sure that you include all the data, not just the tcp headers.
Comment 12 (Reporter) • 22 years ago
I have no proxy or the sort. This is a 'real' connection to bugzilla.mozilla.org. The login reply HTTP headers (I'm assuming this is what you're requesting) are:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:18:35 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98271 ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Comment 13 (Reporter) • 22 years ago
Actually, let me give the response to the login POST, followed by the GET request to query.cgi, so there is a complete cycle:

The login response:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:32:22 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98282 ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

The followup GET request to another page:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie
Comment 14 (Reporter) • 22 years ago
For some strange reason, when I posted comment #13, it didn't include the critical part of the HTTP GET request, where the Cookie is sent; let me try again:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie=98282
Comment 15 (Assignee) • 22 years ago
Oooh! I got it. Your email has a + in it. Reproduced locally; we need to escape the cookie value before sending it, now that we unescape via CGI.pm. (The real fix is to use CGI::Cookie, which handles this for us, but that's not for today.) -> me
Assignee: justdave → bbaetz
Blocks: 179176
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Summary: login cookie not read → login cookie email needs to be escaped
Target Milestone: --- → Bugzilla 2.18
Comment 16 (Assignee) • 22 years ago
This was in fact a deliberate change I kept with CGI.pm - think about what happens if you have a ;, for example. I didn't think we had a problem, because % isn't valid in an email, but I forgot about +. I prefer this solution to making a change in the compat $::COOKIE stuff which we'll just have to revert after we do change to CGI::Cookie
Updated (Assignee) • 22 years ago
Attachment #105784 -
Flags: review?
Comment 17 • 22 years ago
Comment on attachment 105784 [details] [diff] [review] patch

Reproduced problem on local install, applied patch and problem was gone.
Attachment #105784 -
Flags: review? → review+
Comment 18 (Reporter) • 22 years ago
According to RFC 2822, % is valid in an email address, specifically in the local-part.

addr-spec       = local-part "@" domain
local-part      = dot-atom / quoted-string / obs-local-part
dot-atom        = [CFWS] dot-atom-text [CFWS]
dot-atom-text   = 1*atext *("." 1*atext)
atext           = ALPHA / DIGIT /   ; Any character except controls,
                  "!" / "#" /       ; SP, and specials.
                  "$" / "%" /       ; Used for atoms
                  "&" / "'" /
                  "*" / "+" /
                  "-" / "/" /
                  "=" / "?" /
                  "^" / "_" /
                  "`" / "{" /
                  "|" / "}" /
                  "~"
Comment 19 (Assignee) • 22 years ago
Oh, hmm. We do allow %; my mistake. If dave a='s this, I'll check it in, and it will get picked up by bmo when myk does the update, which I believe is scheduled for tonight or tomorrow.
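The failure described in comments 15, 16 and 18 (a raw login echoed back in a cookie, then URL-unescaped on the way in, so a '+' becomes a space, a ';' ends the value early, and a literal '%' sequence gets decoded) can be shown with a small model of the cookie round trip. This is an added Python example, not Bugzilla's Perl code and not the patch on this bug; the parser below only stands in for CGI.pm's unescape-and-trim behaviour as the thread describes it, and the sample logins are constructed values.

```python
from urllib.parse import quote, unquote_plus

# Constructed sample logins (not the reporter's address): one with '+' as
# in the report, one with a literal '%41' (RFC 2822 allows '%' in the
# local-part), and one with ';', the cookie attribute separator.
SAMPLE_LOGINS = [
    "ftobin+bugzilla@example.org",
    "user%41@example.org",
    "a;b@example.org",
]


def set_cookie_unescaped(login):
    """Pre-fix behaviour: the raw login is written into Set-Cookie."""
    return f"Bugzilla_login={login}; path=/"


def set_cookie_escaped(login):
    """Post-fix behaviour: the value is URL-quoted first (the role
    url_quote plays in the patch), so every byte survives unescaping."""
    return f"Bugzilla_login={quote(login, safe='')}; path=/"


def browser_echo(set_cookie):
    """Browser side: keep only the name=value pair, drop attributes such
    as path and expires. Splitting on the first ';' is what makes an
    unescaped ';' inside the value truncate it."""
    return set_cookie.split(";", 1)[0].strip()


def parse_cookie_header(header):
    """Model of CGI.pm-style parsing of the incoming Cookie header: split
    on ';', URL-unescape each value ('+' becomes a space, '%XX' is
    decoded) and trim surrounding whitespace (comment 23's point)."""
    jar = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        jar[name.strip()] = unquote_plus(value).strip()
    return jar


def roundtrip(login, escaped):
    """Return the login the server sees after a full set/echo/parse cycle."""
    setter = set_cookie_escaped if escaped else set_cookie_unescaped
    jar = parse_cookie_header(browser_echo(setter(login)))
    return jar.get("Bugzilla_login")


def login_survives(login, escaped):
    """True when the parsed login equals the one that was set."""
    return roundtrip(login, escaped) == login


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(f"{login!r}: unescaped -> {roundtrip(login, False)!r}, "
              f"escaped -> {roundtrip(login, True)!r}")
```

Run stand-alone it prints, for each constructed login, what the server reads back without and with quoting; only the quoted form gives the original value for all three. The same parser also shows why the stray space after "=" noted in comment 22 is harmless here: it is trimmed after unescaping.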
Comment 20 • 22 years ago
Comment on attachment 105784 [details] [diff] [review] patch

a= justdave
Comment 21 (Assignee) • 22 years ago
Fixed in CVS
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 22 • 22 years ago
> Set-Cookie: Bugzilla_login= " . url_quote($enteredlogin)
I don't know whether this causes a problem since whitespace seems to be allowed
in cookies, but there is now a " " between the "=" and the enteredlogin.
Comment 23 (Assignee) • 22 years ago
I think that whitespace is irrelevant, since we trim whitespace anyway. At least, I could still log in with my change :) Again, this will all get fixed when we move to use CGI::Cookie
Comment 24 (Reporter) • 22 years ago
I can verify that your fix works for me now. Much thanks!
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa