login cookie email needs to be escaped

RESOLVED FIXED in Bugzilla 2.18

Status

()

Bugzilla
Bugzilla-General
--
major
RESOLVED FIXED
16 years ago
6 years ago

People

(Reporter: Frank Tobin, Assigned: bbaetz)

Tracking

({regression})

unspecified
Bugzilla 2.18
x86
Linux
regression

Details

Attachments

(1 attachment)

780 bytes, patch
Jacob Steenhagen
: review+
myk
Details | Diff | Splinter Review
(Reporter)

Description

16 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912

Bugzilla is not remembering my login information from page to page. It has set
cookies in my brower, but they aren't having any effect.

Reproducible: Always

Steps to Reproduce:
1. go to http://bugzilla.mozilla.org/
2. follow the "Log in to an existing account" link
3. login; you are then brought to the query page
4. Follow the "Query" link at the bottom of the page (query.cgi)
Actual Results:  
Looking at the bottom of the page, you'll note that you're not logged in anymore.

Expected Results:  
It should have read my cookie and kept my login.

This happens for *any* page.  For instance, I can be viewing a bug, attach a
comment (it asks for my login information), try to add another comment, and it
re-asks for my login info.
(Assignee)

Comment 1

16 years ago
Are you behind a transparent proxy of some sort/NAT, or does your IP address
otherwise keep changing?
(Reporter)

Updated

16 years ago
Blocks: 179176
(Reporter)

Comment 2

16 years ago
I have a real global IP, not behind any sort of proxy or firewall.  This is a
*new* problem; I've used Bugzilla before, from the same box, without any
problems whatsoever.
(Reporter)

Comment 3

16 years ago
I do have a couple of option set regarding cookies, but they should have no
effect, and have not had an effect in the past regarding this bug:

* I have set the "enable from originating site only"
* I have set the "limit to session only"
* I have set the "disable in mail and newsgroups"

The bugs that bugzilla is setting are
Bugilla_login   (the value is my appropriate login)
Bugzilla_logincookie (the value is 97738)

The Host for each cookie is bugzilla.mozilla.org
(Assignee)

Comment 4

16 years ago
Hmm. Do you have any other cookies for bugzilla.mozilla.org? If you turn those
cookie options off, does it work?
(Reporter)

Comment 5

16 years ago
After querying, I also get the cookies LASTORDER and BUGLIST.

I also now get VERSION-Bugzilla (new, within the past few minutes, unless the
search page set it).

Turning those options off (and allowing all cookies from anywhere) makes no
difference.
(Assignee)

Comment 6

16 years ago
myk, can you select all the logincookies form the db directly, including the IP?

ftobin, do other browsers work?
(Reporter)

Comment 7

16 years ago
This is very strange; it works fine with lynx, but not with Mozilla, Konqueror,
or Amaya.
No longer blocks: 179176
(Reporter)

Comment 8

16 years ago
Never mind about amaya, it doesn't handle cookies anyways, it seems.
(Reporter)

Comment 9

16 years ago
Since there is talk of IPs, I'll state my IP is 167.206.208.232.
mysql> select * from logincookies where userid = 37326;
+--------+--------+----------------+-----------------+
| cookie | userid | lastused       | ipaddr          |
+--------+--------+----------------+-----------------+
|  97845 |  37326 | 20021109193257 | 167.206.208.232 |
|  97843 |  37326 | 20021109193231 | 167.206.208.232 |
|  97841 |  37326 | 20021109193036 | 167.206.208.232 |
|  97838 |  37326 | 20021109192823 | 167.206.208.232 |
|  97835 |  37326 | 20021109192213 | 167.206.208.232 |
|  97829 |  37326 | 20021109191110 | 167.206.208.232 |
|  97828 |  37326 | 20021109190527 | 167.206.208.232 |
|  97785 |  37326 | 20021109165108 | 167.206.208.232 |
|  97783 |  37326 | 20021109164945 | 167.206.208.232 |
|  97780 |  37326 | 20021109164612 | 167.206.208.232 |
|  97779 |  37326 | 20021109164459 | 167.206.208.232 |
|  97778 |  37326 | 20021109164439 | 167.206.208.232 |
|  97775 |  37326 | 20021109164125 | 167.206.208.232 |
|  97774 |  37326 | 20021109164036 | 167.206.208.232 |
|  97773 |  37326 | 20021109164021 | 167.206.208.232 |
|  97771 |  37326 | 20021109163937 | 167.206.208.232 |
|  97770 |  37326 | 20021109163854 | 167.206.208.232 |
|  97769 |  37326 | 20021109163753 | 167.206.208.232 |
|  97767 |  37326 | 20021109163552 | 167.206.208.232 |
|  97766 |  37326 | 20021109163530 | 167.206.208.232 |
|  97755 |  37326 | 20021109160751 | 167.206.208.232 |
|  97756 |  37326 | 20021109160946 | 167.206.208.232 |
|  97752 |  37326 | 20021109160606 | 167.206.208.232 |
|  97751 |  37326 | 20021109160455 | 167.206.208.232 |
|  97750 |  37326 | 20021109160311 | 167.206.208.232 |
|  97748 |  37326 | 20021109155755 | 167.206.208.232 |
|  97747 |  37326 | 20021109155743 | 167.206.208.232 |
|  97742 |  37326 | 20021109154851 | 167.206.208.232 |
|  97741 |  37326 | 20021109154717 | 167.206.208.232 |
|  97740 |  37326 | 20021109154505 | 167.206.208.232 |
|  97738 |  37326 | 20021109154020 | 167.206.208.232 |
|  97736 |  37326 | 20021109153854 | 167.206.208.232 |
|  97735 |  37326 | 20021109153725 | 167.206.208.232 |
|  97734 |  37326 | 20021109153711 | 167.206.208.232 |
|  97733 |  37326 | 20021109153513 | 167.206.208.232 |
|  97732 |  37326 | 20021109153443 | 167.206.208.232 |
|  97729 |  37326 | 20021109153114 | 167.206.208.232 |
|  97728 |  37326 | 20021109153048 | 167.206.208.232 |
|  97724 |  37326 | 20021109152857 | 167.206.208.232 |
|  97718 |  37326 | 20021109152213 | 167.206.208.232 |
|  97688 |  37326 | 20021109143736 | 167.206.208.232 |
|  97687 |  37326 | 20021109143653 | 167.206.208.232 |
|  97684 |  37326 | 20021109143553 | 167.206.208.232 |
|  97681 |  37326 | 20021109143428 | 167.206.208.232 |
|  97675 |  37326 | 20021109143141 | 167.206.208.232 |
|  97674 |  37326 | 20021109143112 | 167.206.208.232 |
|  97668 |  37326 | 20021109142418 | 167.206.208.232 |
|  97667 |  37326 | 20021109142411 | 167.206.208.232 |
|  97666 |  37326 | 20021109142345 | 167.206.208.232 |
|  97660 |  37326 | 20021109141909 | 167.206.208.232 |
|  97656 |  37326 | 20021109141643 | 167.206.208.232 |
|  97653 |  37326 | 20021109141618 | 167.206.208.232 |
|  97651 |  37326 | 20021109141514 | 167.206.208.232 |
|  97644 |  37326 | 20021109140152 | 167.206.208.232 |
|  97643 |  37326 | 20021109140129 | 167.206.208.232 |
|  97642 |  37326 | 20021109140128 | 167.206.208.232 |
|  97641 |  37326 | 20021109140120 | 167.206.208.232 |
|  97640 |  37326 | 20021109140116 | 167.206.208.232 |
|  97639 |  37326 | 20021109140112 | 167.206.208.232 |
|  97638 |  37326 | 20021109140106 | 167.206.208.232 |
|  97635 |  37326 | 20021109140021 | 167.206.208.232 |
|  97634 |  37326 | 20021109140004 | 167.206.208.232 |
|  97632 |  37326 | 20021109135849 | 167.206.208.232 |
|  97629 |  37326 | 20021109135429 | 167.206.208.232 |
|  97686 |  37326 | 20021109143637 | 167.206.208.232 |
+--------+--------+----------------+-----------------+
65 rows in set (0.08 sec)

FWIW, I saw this problem with some test installations on landfill that had a
cookiepath other than /.  Setting the cookiepath to / solved the problem
(although theoretically it created others).  The cookiepath for b.m.o is /.
(Assignee)

Comment 11

16 years ago
You're not using some sort of proxy which strips cookies?

Can you run a packet tracer (wuch as ethereal), and attach the response from a
login session (only the response; we don't want your password formthe request... ;)

Make sure that you include all teh data, not just the tcp headers.
(Reporter)

Comment 12

16 years ago
I have no proxy or the sort.  This is a 'real' connection to
bugzilla.mozilla.org.  The login reply HTTP headers (I'm assuming this is what
you're requesting) are:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:18:35 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/;
expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98271 ; path=/; expires=Sun, 30-Jun-2029
00:00:00 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
(Reporter)

Comment 13

16 years ago
Actually, let me give the response to the login POST, followed by the GET
request to query.cgi, so there is a complete cycle:

The login response:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:32:22 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/;
expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98282 ; path=/; expires=Sun, 30-Jun-2029
00:00:00 GMT
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

The followup GET request to another page:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie
(Reporter)

Comment 14

16 years ago
For some strange reason, when I posted comment #13, it didn't include the
critical part of the HTTP GET request, where the Cookie is sent; let me try again:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie=98282
(Assignee)

Comment 15

16 years ago
Oooh!

I got it. You email has a + in it. Reproduced locally; we need to escape the
cookie value before sending it, now that we unescape via CGI.pm (The real fix is
to use CGI::Cookie, which handles this for us, but thast not for today.

-> me
Assignee: justdave → bbaetz
Blocks: 179176
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Summary: login cookie not read → login cookie email needs to be escaped
Target Milestone: --- → Bugzilla 2.18
(Assignee)

Comment 16

16 years ago
Created attachment 105784 [details] [diff] [review]
patch

This was in fact a deliberate change I kept with CGI.pm - think about what
happens if you have a ;, for example. I didn't think we had a problem, becayse
% isn't valid in an email, but I forgot about +.

I prefer this solution to makign achange in the compat $::COOKIE stuff which
we'll just have to revert after we do change to CGI::Cookie
(Assignee)

Updated

16 years ago
Attachment #105784 - Flags: review?

Comment 17

16 years ago
Comment on attachment 105784 [details] [diff] [review]
patch

Reproduced problem on local install, applied patch and problem was gone.
Attachment #105784 - Flags: review? → review+
(Reporter)

Comment 18

16 years ago
According to RFC 2822, % is valid in an email address, specifically in the
localpart.

addr-spec       =       local-part "@" domain
local-part      =       dot-atom / quoted-string / obs-local-part
dot-atom        =       [CFWS] dot-atom-text [CFWS]
dot-atom-text   =       1*atext *("." 1*atext)
atext           =       ALPHA / DIGIT / ; Any character except controls,
                        "!" / "#" /     ;  SP, and specials.
                        "$" / "%" /     ;  Used for atoms
                        "&" / "'" /
                        "*" / "+" /
                        "-" / "/" /
                        "=" / "?" /
                        "^" / "_" /
                        "`" / "{" /
                        "|" / "}" /
                        "~"
(Assignee)

Comment 19

16 years ago
Oh, hmm. We do allow %; my mistake.

If dave a='s this, I'll check it in, and it will get picked up by bmo when myk
does the update, which I believe is scheduled for tonight or tomrrow.
(Assignee)

Comment 21

16 years ago
Fixed in CVS
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 22

16 years ago
> Set-Cookie: Bugzilla_login= " . url_quote($enteredlogin)
I don't know whether this causes a problem since whitespace seems to be allowed
in cookies, but there is now a " " between the "=" and the enteredlogin.
(Assignee)

Comment 23

16 years ago
I think that whitespace is irrelevent, since we trim whitespace anyway. At 
least, I could still log in with my change :)

Again, this will all get fixed when we move to use CGI::Cookie
(Reporter)

Comment 24

16 years ago
I can verify that your fix works for me now.  Much thanks!
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.