Closed Bug 121800 Opened 23 years ago Closed 21 years ago

Bad COLUMNLIST cookie

Categories

(Bugzilla :: Query/Bug List, defect)

2.10
defect
Not set
normal

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: michal.bukovjan, Assigned: bbaetz)

If I specify columns to display in the bug query result, the list of columns to
be displayed is stored in COLUMNLIST cookie.
The columns are separated by whitespace, which breaks standards, and also breaks
sending of other cookies to the same domain (the COLUMNLIST cookie is sent, though).

This cookie breaks cookie handling for NS 4.x, current Mozilla (0.9.7), and IE6
as well.

For instance, on our Intranet, we have http://quake.intranet/bugzilla for bugs,
and http://quake.intranet/manage for site management. Once the cookie COLUMNLIST
is set up, cookies to http://quake.intranet/manage do not get sent. If I delete
that cookie, problem fixed.

Please either fix content of that cookie, or Mozilla :-) (and NS4, IE6 as well:-)
The COLUMNLIST cookie works without problems for me on ie6 on windows, ns4 on
windows, and mozilla on windows and linux, so spaces aren't the issue.

If you're referring to multiple bugzilla installations' cookies interfering with
each other, that was bug 19910, which was fixed after 2.14. I don't think you
are, though.

Can you be a bit more specific about the problem? What version of bugzilla are
you running?
We are using Bugzilla 2.14.1.

The problem occurs on any browser, including IE6, NS4 and Moz 0.9.8. We tracked
this down via Apache logs and also empirically - once this COLUMNLIST cookie is
set, no other cookies get sent to the domain.

We only have one Bugzilla installation, but multiple sites (non-bugzillas) are
running on that URL (handled via Apache rewrite rules). But Apache never
receives the other cookies (although they are actually set once requested on
browser, it is just (any) browser that does not send them.)

And last but not least, the content of the cookie really breaks standards (no
whitespace is allowed in cookie content).

Also, the COLUMNLIST cookie *DOES* work, it is just that no other cookie does.
In any case, if this is changed, at least the following places need to be
touched:

buglist.cgi:    @displaycolumns = split(/ /, $::COOKIE{'COLUMNLIST'});

the creation of $list here:
colchange.cgi:    print "Set-Cookie: COLUMNLIST=$list ; path=$cookiepath ; expires=Sun, 30-Jun-2029 00:00:00 GMT\n";

colchange.cgi:    @collist = split(/ /, $::COOKIE{'COLUMNLIST'});

The code in buglist.cgi that uses the columnlist form parameter (if present)
already splits on /[ ,]+/ , so the other two splits should probably do the same,
and then the $list generated for Set-Cookie in colchange.cgi could be changed to
use "," instead of " " as the separator in these two places:

    my $list = join(" ", @collist);        

$vars->{collist_string}= value_quote(join(" ", @collist));        

If you're lucky, that's it. I would not object to this change.
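
The change suggested in the comment above, sketched as an added example (not code from this bug or from Bugzilla): the column list is comma-joined and percent-encoded before it goes into Set-Cookie, and the reader accepts both the new and the legacy space-separated form. The helper names, the allow-list contents and the cookie path are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list of column ids; Bugzilla keeps its own list elsewhere.
my %KNOWN = map { $_ => 1 }
    qw(opendate changeddate severity status resolution votes
       target_milestone status_whiteboard summary);

# Percent-encode everything outside a conservative safe set, so the cookie
# value never contains whitespace, ';', ',' or control characters.
sub cookie_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.-])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

# Reverse of cookie_encode; a value with no %XX sequences passes through as-is.
sub cookie_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Build the cookie value: comma-joined, then encoded.
sub columnlist_to_cookie {
    my (@cols) = @_;
    return cookie_encode(join(",", @cols));
}

# Parse a client-supplied cookie value. Accepts the encoded comma form and the
# legacy raw space form, and drops any name that is not on the allow-list.
sub columnlist_from_cookie {
    my ($raw) = @_;
    return () unless defined $raw && length $raw;
    return grep { $KNOWN{$_} } split(/[ ,]+/, cookie_decode($raw));
}

# Constructed sample values, not taken from a real session.
my $value = columnlist_to_cookie(qw(severity status summary));
print "Set-Cookie: COLUMNLIST=$value; path=/bugzilla/\n";   # path is made up
print join("|", columnlist_from_cookie($value)), "\n";      # new format
print join("|", columnlist_from_cookie("opendate votes summary")), "\n";  # legacy
print join("|", columnlist_from_cookie("status%0D%0Abogus,summary")), "\n";
```

The last call feeds in a value carrying an encoded CR/LF; the decoded fragment is not a known column name, so it is discarded rather than passed on.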

Summary: Bad COLUMNLIST cookike → Bad COLUMNLIST cookie
I just had one of those :)
(Using Moz trunk 2002072718 on WinME.)

Cookie:
LASTORDER=bugs.delta_ts%2Cbugs.creation_ts%2Cbugs.delta_ts%2Cbugs.resolution%2Cbugs.delta_ts%2Cbugs.component%2C%20bugs.creation_ts%2C%20bugs.priority%2C%20bugs.bug_severity;
COLUMNLIST=opendate changeddate severity status resolution votes
target_milestone status_whiteboard summary; Bugzilla_login=tmptgr@hotmail.com;
Removing the LASTORDER cookie enables me to load Bugzilla pages again.

Trunk 2002080718 on Windows ME.
Today, I also had to delete the COLUMNLIST cookie. Trunk 2002081808 on Windows
ME. OS should be All I think.
I could *swear* up and down that we had a patch for this already...  I could
swear I helped someone write it a while back (the solution was to url-encode the
cookie), but I can't for the life of me find it.  Anyone have a clue?
Keywords: qawanted
Whiteboard: dupeme
OS: Linux → All
Hardware: PC → All
Assignee: endico → nobody
Looking at my current cookies this appears to be fixed as of 2.17.6 (prob much
earlier).

I have fixed in my current install (2.16.1) with the following simple patches -
just in case anyone is interested ...

in buglist.cgi:
1262c1262
<     @displaycolumns = split(/ /, $::COOKIE{'COLUMNLIST'});
---
>     @displaycolumns = split(/ /, url_decode($::COOKIE{'COLUMNLIST'}));
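
Review bot: The new line 1262 in buglist.cgi decodes the client-supplied COLUMNLIST cookie but still splits on a single space only (split(/ /, ...)), and nothing in this hunk checks the resulting names. The thread notes that the columnlist form-parameter path already splits on /[ ,]+/; use the same pattern here so a comma-separated value also parses, and filter @displaycolumns against the known column names before use if that is not already done further down.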


in colchange.cgi:
84c84
<     my $list = join(" ", @collist);
---
>     my $list = url_quote(join(" ", @collist));
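
Review bot: The Set-Cookie line that consumes $list, quoted earlier in this bug as "COLUMNLIST=$list ; path=$cookiepath ;", keeps a space before each ";" even once line 84 encodes the value. Drop those spaces in the same patch so the header carries no whitespace around the value, and check that no other use of $list in colchange.cgi expects the unencoded string.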
99c99
<     @collist = split(/ /, $::COOKIE{'COLUMNLIST'});
---
>     @collist = split(/ /, url_decode($::COOKIE{'COLUMNLIST'}));
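
Review bot: Line 99 repeats the decode-and-split expression from the buglist.cgi hunk verbatim, so the cookie format is now defined in three places across two files. Move the encode and decode steps into one shared pair of helpers so the separator and the encoding cannot drift apart, and confirm that url_decode is only reached here when the COLUMNLIST cookie is actually present.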

I think this bug can be safely closed out now.
Closing per comment #8 (I no longer have the environment to test it, sorry).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
According to usually trustworthy sources:

  <justdave> switching to use CGI.pm is what fixed it though

Which is what bug 147833 was all about.
Depends on: 147833
Target Milestone: --- → Bugzilla 2.18
Keywords: qawanted
Whiteboard: dupeme
Assignee: nobody → bbaetz
QA Contact: matty_is_a_geek → default-qa