Closed Bug 179290 Opened 22 years ago Closed 22 years ago

login cookie email needs to be escaped

Categories

(Bugzilla :: Bugzilla-General, defect)

Product:
Bugzilla
Component:
Bugzilla-General
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: ftobin+bugzilla, Assigned: bbaetz)

References

Details

(Keywords: regression)

Attachments

(1 file)

patch
780 bytes, patch
jacob
: review+
myk
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912

Bugzilla is not remembering my login information from page to page. It has set
cookies in my brower, but they aren't having any effect.

Reproducible: Always

Steps to Reproduce:
1. go to http://bugzilla.mozilla.org/
2. follow the "Log in to an existing account" link
3. login; you are then brought to the query page
4. Follow the "Query" link at the bottom of the page (query.cgi)
Actual Results:  
Looking at the bottom of the page, you'll note that you're not logged in anymore.

Expected Results:  
It should have read my cookie and kept my login.

This happens for *any* page.  For instance, I can be viewing a bug, attach a
comment (it asks for my login information), try to add another comment, and it
re-asks for my login info.
Are you behind a transparent proxy of some sort/NAT, or does your IP address
otherwise keep changing?
Blocks: 179176
I have a real global IP, not behind any sort of proxy or firewall.  This is a
*new* problem; I've used Bugzilla before, from the same box, without any
problems whatsoever.
I do have a couple of option set regarding cookies, but they should have no
effect, and have not had an effect in the past regarding this bug:

* I have set the "enable from originating site only"
* I have set the "limit to session only"
* I have set the "disable in mail and newsgroups"

The bugs that bugzilla is setting are
Bugilla_login   (the value is my appropriate login)
Bugzilla_logincookie (the value is 97738)

The Host for each cookie is bugzilla.mozilla.org
Hmm. Do you have any other cookies for bugzilla.mozilla.org? If you turn those
cookie options off, does it work?
After querying, I also get the cookies LASTORDER and BUGLIST.

I also now get VERSION-Bugzilla (new, within the past few minutes, unless the
search page set it).

Turning those options off (and allowing all cookies from anywhere) makes no
difference.
myk, can you select all the logincookies form the db directly, including the IP?

ftobin, do other browsers work?
This is very strange; it works fine with lynx, but not with Mozilla, Konqueror,
or Amaya.
No longer blocks: 179176
Never mind about amaya, it doesn't handle cookies anyways, it seems.
Since there is talk of IPs, I'll state my IP is 167.206.208.232.
mysql> select * from logincookies where userid = 37326;
+--------+--------+----------------+-----------------+
| cookie | userid | lastused       | ipaddr          |
+--------+--------+----------------+-----------------+
|  97845 |  37326 | 20021109193257 | 167.206.208.232 |
|  97843 |  37326 | 20021109193231 | 167.206.208.232 |
|  97841 |  37326 | 20021109193036 | 167.206.208.232 |
|  97838 |  37326 | 20021109192823 | 167.206.208.232 |
|  97835 |  37326 | 20021109192213 | 167.206.208.232 |
|  97829 |  37326 | 20021109191110 | 167.206.208.232 |
|  97828 |  37326 | 20021109190527 | 167.206.208.232 |
|  97785 |  37326 | 20021109165108 | 167.206.208.232 |
|  97783 |  37326 | 20021109164945 | 167.206.208.232 |
|  97780 |  37326 | 20021109164612 | 167.206.208.232 |
|  97779 |  37326 | 20021109164459 | 167.206.208.232 |
|  97778 |  37326 | 20021109164439 | 167.206.208.232 |
|  97775 |  37326 | 20021109164125 | 167.206.208.232 |
|  97774 |  37326 | 20021109164036 | 167.206.208.232 |
|  97773 |  37326 | 20021109164021 | 167.206.208.232 |
|  97771 |  37326 | 20021109163937 | 167.206.208.232 |
|  97770 |  37326 | 20021109163854 | 167.206.208.232 |
|  97769 |  37326 | 20021109163753 | 167.206.208.232 |
|  97767 |  37326 | 20021109163552 | 167.206.208.232 |
|  97766 |  37326 | 20021109163530 | 167.206.208.232 |
|  97755 |  37326 | 20021109160751 | 167.206.208.232 |
|  97756 |  37326 | 20021109160946 | 167.206.208.232 |
|  97752 |  37326 | 20021109160606 | 167.206.208.232 |
|  97751 |  37326 | 20021109160455 | 167.206.208.232 |
|  97750 |  37326 | 20021109160311 | 167.206.208.232 |
|  97748 |  37326 | 20021109155755 | 167.206.208.232 |
|  97747 |  37326 | 20021109155743 | 167.206.208.232 |
|  97742 |  37326 | 20021109154851 | 167.206.208.232 |
|  97741 |  37326 | 20021109154717 | 167.206.208.232 |
|  97740 |  37326 | 20021109154505 | 167.206.208.232 |
|  97738 |  37326 | 20021109154020 | 167.206.208.232 |
|  97736 |  37326 | 20021109153854 | 167.206.208.232 |
|  97735 |  37326 | 20021109153725 | 167.206.208.232 |
|  97734 |  37326 | 20021109153711 | 167.206.208.232 |
|  97733 |  37326 | 20021109153513 | 167.206.208.232 |
|  97732 |  37326 | 20021109153443 | 167.206.208.232 |
|  97729 |  37326 | 20021109153114 | 167.206.208.232 |
|  97728 |  37326 | 20021109153048 | 167.206.208.232 |
|  97724 |  37326 | 20021109152857 | 167.206.208.232 |
|  97718 |  37326 | 20021109152213 | 167.206.208.232 |
|  97688 |  37326 | 20021109143736 | 167.206.208.232 |
|  97687 |  37326 | 20021109143653 | 167.206.208.232 |
|  97684 |  37326 | 20021109143553 | 167.206.208.232 |
|  97681 |  37326 | 20021109143428 | 167.206.208.232 |
|  97675 |  37326 | 20021109143141 | 167.206.208.232 |
|  97674 |  37326 | 20021109143112 | 167.206.208.232 |
|  97668 |  37326 | 20021109142418 | 167.206.208.232 |
|  97667 |  37326 | 20021109142411 | 167.206.208.232 |
|  97666 |  37326 | 20021109142345 | 167.206.208.232 |
|  97660 |  37326 | 20021109141909 | 167.206.208.232 |
|  97656 |  37326 | 20021109141643 | 167.206.208.232 |
|  97653 |  37326 | 20021109141618 | 167.206.208.232 |
|  97651 |  37326 | 20021109141514 | 167.206.208.232 |
|  97644 |  37326 | 20021109140152 | 167.206.208.232 |
|  97643 |  37326 | 20021109140129 | 167.206.208.232 |
|  97642 |  37326 | 20021109140128 | 167.206.208.232 |
|  97641 |  37326 | 20021109140120 | 167.206.208.232 |
|  97640 |  37326 | 20021109140116 | 167.206.208.232 |
|  97639 |  37326 | 20021109140112 | 167.206.208.232 |
|  97638 |  37326 | 20021109140106 | 167.206.208.232 |
|  97635 |  37326 | 20021109140021 | 167.206.208.232 |
|  97634 |  37326 | 20021109140004 | 167.206.208.232 |
|  97632 |  37326 | 20021109135849 | 167.206.208.232 |
|  97629 |  37326 | 20021109135429 | 167.206.208.232 |
|  97686 |  37326 | 20021109143637 | 167.206.208.232 |
+--------+--------+----------------+-----------------+
65 rows in set (0.08 sec)

FWIW, I saw this problem with some test installations on landfill that had a
cookiepath other than /.  Setting the cookiepath to / solved the problem
(although theoretically it created others).  The cookiepath for b.m.o is /.
You're not using some sort of proxy which strips cookies?

Can you run a packet tracer (wuch as ethereal), and attach the response from a
login session (only the response; we don't want your password formthe request... ;)

Make sure that you include all teh data, not just the tcp headers.
I have no proxy or the sort.  This is a 'real' connection to
bugzilla.mozilla.org.  The login reply HTTP headers (I'm assuming this is what
you're requesting) are:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:18:35 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/;
expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98271 ; path=/; expires=Sun, 30-Jun-2029
00:00:00 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Actually, let me give the response to the login POST, followed by the GET
request to query.cgi, so there is a complete cycle:

The login response:

HTTP/1.1 200 OK
Date: Mon, 11 Nov 2002 00:32:22 GMT
Server: Apache/1.3.26 (Unix) mod_throttle/3.1.2
Set-Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org ; path=/;
expires=Sun, 30-Jun-2029 00:00:00 GMT
Set-Cookie: Bugzilla_logincookie=98282 ; path=/; expires=Sun, 30-Jun-2029
00:00:00 GMT
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

The followup GET request to another page:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie
For some strange reason, when I posted comment #13, it didn't include the
critical part of the HTTP GET request, where the Cookie is sent; let me try again:

GET /query.cgi HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020912
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Cookie: Bugzilla_login=ftobin+bugzilla@neverending.org; Bugzilla_logincookie=98282
Oooh!

I got it. You email has a + in it. Reproduced locally; we need to escape the
cookie value before sending it, now that we unescape via CGI.pm (The real fix is
to use CGI::Cookie, which handles this for us, but thast not for today.

-> me
Assignee: justdave → bbaetz
Blocks: 179176
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Summary: login cookie not read → login cookie email needs to be escaped
Target Milestone: --- → Bugzilla 2.18
Attached patch patchSplinter Review 
This was in fact a deliberate change I kept with CGI.pm - think about what
happens if you have a ;, for example. I didn't think we had a problem, becayse
% isn't valid in an email, but I forgot about +.

I prefer this solution to makign achange in the compat $::COOKIE stuff which
we'll just have to revert after we do change to CGI::Cookie
Attachment #105784 - Flags: review?
Comment on attachment 105784 [details] [diff] [review]
patch

Reproduced problem on local install, applied patch and problem was gone.
Attachment #105784 - Flags: review? → review+
According to RFC 2822, % is valid in an email address, specifically in the
localpart.

addr-spec       =       local-part "@" domain
local-part      =       dot-atom / quoted-string / obs-local-part
dot-atom        =       [CFWS] dot-atom-text [CFWS]
dot-atom-text   =       1*atext *("." 1*atext)
atext           =       ALPHA / DIGIT / ; Any character except controls,
                        "!" / "#" /     ;  SP, and specials.
                        "$" / "%" /     ;  Used for atoms
                        "&" / "'" /
                        "*" / "+" /
                        "-" / "/" /
                        "=" / "?" /
                        "^" / "_" /
                        "`" / "{" /
                        "|" / "}" /
                        "~"
Oh, hmm. We do allow %; my mistake.

If dave a='s this, I'll check it in, and it will get picked up by bmo when myk
does the update, which I believe is scheduled for tonight or tomrrow.
Comment on attachment 105784 [details] [diff] [review]
patch

a= justdave
Fixed in CVS
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
> Set-Cookie: Bugzilla_login= " . url_quote($enteredlogin)
I don't know whether this causes a problem since whitespace seems to be allowed
in cookies, but there is now a " " between the "=" and the enteredlogin.
I think that whitespace is irrelevent, since we trim whitespace anyway. At 
least, I could still log in with my change :)

Again, this will all get fixed when we move to use CGI::Cookie
I can verify that your fix works for me now.  Much thanks!
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: