Bug 480044 - Use dashes instead of colons to separate bug IDs in the BUGLIST cookie, because colons are HTML-escaped, making the cookie bigger than the 4k limit
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List (show other bugs)
Version: unspecified
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Duplicates: 290977 365587 561348
Depends on:
Blocks:
Reported: 2009-02-24 15:37 PST by Jesse Ruderman
Modified: 2011-03-03 16:02 PST (History)
CC: 8 users
LpSolit: approval+
LpSolit: approval4.0+
LpSolit: approval3.6+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for 4.x, v1 (1.11 KB, patch)
2011-02-13 15:54 PST, Frédéric Buclin
mkanat: review+
patch for 4.x, v1.1 (1.89 KB, patch)
2011-02-14 13:23 PST, Frédéric Buclin
mkanat: review+
patch for 3.6, v1 (1.88 KB, patch)
2011-02-14 13:31 PST, Frédéric Buclin
mkanat: review+

Description Jesse Ruderman 2009-02-24 15:37:51 PST
This happened to me twice (while using WebKit trunk).  I had to delete my Bugzilla cookies before I could see any pages on bugzilla.mozilla.org again.

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Cookie: ...
Apache/2.2.3 (Red Hat) Server at bugzilla.mozilla.org Port 80
Comment 1 Jesse Ruderman 2009-02-24 15:38:47 PST
(According to bug 471971, the gigantic BUGLIST cookie has a different effect in Firefox.)
Comment 2 Max Kanat-Alexander 2009-02-25 00:21:34 PST
Doesn't that sound like a bug in WebKit or a problem in the web server? I would expect there to be limits on these sorts of things...

In any case, the problem is most likely limited to bmo, which does things differently with the buglist cookie than upstream does. Can you reproduce this on http://landfill.bugzilla.org/bugzilla-tip/ ?
Comment 3 Max Kanat-Alexander 2009-02-25 00:23:59 PST
Also, reducing severity, because although I understand it's really bad when it happens, you're the only person I've ever heard report this and one would think that if it was a common problem (say, in stable versions of common browsers) that we would hear about this quite frequently. But if it does become common or we do show that it's some actual standards violation in Bugzilla, I'd be happy to raise the severity again.
Comment 4 Jesse Ruderman 2009-02-25 15:47:38 PST
How is WebKit supposed to know what limit the Apache instance on bmo has?
Comment 5 Max Kanat-Alexander 2009-02-25 15:59:22 PST
(In reply to comment #4)
> How is WebKit supposed to know what limit the Apache instance on bmo has?

No, I wouldn't expect that. I just figured that if Apache was instantiating some limit, that it was standard to some degree. Anyhow, it's possible that bmo is doing something bad with the cookie, as I said. I was just wondering if there was some standard on the subject.
Comment 6 Jo3hn Karp 2009-03-26 12:22:16 PDT
I have experienced this problem frequently (about once a week) for the past few months on our local Bugzilla installation.  This has crossed different stable versions of Bugzilla, specifically 3.0.6 and 3.2.2.  I and my colleagues usually use Firefox 3, so this is the only browser in which we have seen this bug.  The fact we're getting this bug in Firefox implies it's not a specific WebKit issue.

The Bugzilla server is running Apache 2.0.59 in Fedora 8.  I recently upgraded our Bugzilla/Testopia installation from BZ 3.0.6 and Testopia 2.1 to BZ 3.2.2 and Testopia 2.2.  The "Bad Request" cookie bug remains with us.
Comment 7 Jesse Ruderman 2009-12-11 22:25:59 PST
Btw this can probably be used as a denial-of-service attack against Bugzilla users.
Comment 8 Max Kanat-Alexander 2009-12-12 12:26:19 PST
Hmm, I suppose it could be. I suppose we'll mark it security-sensitive until we understand what's causing it.
Comment 9 Frédéric Buclin 2009-12-12 12:44:02 PST
(In reply to comment #7)
> Btw this can probably be used as a denial-of-service attack against Bugzilla
> users.

How could this be a DoS? A user cannot have such gigantic cookies without some explicit action.
Comment 10 Jesse Ruderman 2009-12-12 13:12:18 PST
A malicious web page can make you load a long bug list using a hyperlink or frame.
Comment 11 Dave Miller [:justdave] (justdave@bugzilla.org) 2009-12-12 23:20:42 PST
I thought this was what that "this bug list is too big for Bugzilla's little mind" warning was supposed to prevent.  Are we triggering that too high, and need to cut it shorter?
Comment 12 Daniel Veditz [:dveditz] 2009-12-17 13:41:16 PST
Jesse often has queries that include/exclude long lists of bugs from previous queries. Is it possible that a bug list from such a query bypasses the "little mind" cut off?
Comment 13 Max Kanat-Alexander 2010-04-16 18:54:57 PDT
So, Apache has an 8K limit on inbound headers, so that's almost certainly the problem--when combined with a very large URL, the cookie the browser sends is exceeding Apache's limit.

Essentially, that makes this a dupe of bug 513989, in a way, although if Bugzilla then refuses *all* requests, that would still make this a security issue. If it just refuses further large buglist queries, that would simply make this a dupe of bug 513989.

Jesse: Does it refuse show_bug.cgi calls and index.cgi calls also, or just buglist.cgi calls?
Comment 14 Jesse Ruderman 2010-04-16 19:06:36 PDT
I think this happened for other bmo URLs too.
Comment 15 Max Kanat-Alexander 2010-04-23 10:16:00 PDT
*** Bug 561348 has been marked as a duplicate of this bug. ***
Comment 16 Jesse Ruderman 2010-04-23 12:09:33 PDT
Bug 561348 has steps to reproduce and has identified the root cause.  Go timeless!
Comment 17 Frédéric Buclin 2011-02-13 15:54:20 PST
Created attachment 512066 [details] [diff] [review]
patch for 4.x, v1

Replace colons by dashes, which are not escaped (I first thought about commas, but they are escaped too). I still split the BUGLIST cookie on colons to not break existing cookies.
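The effect behind the fix in comment 17 (a reserved separator such as ":" or "," is percent-encoded to three bytes, while "-" passes through untouched), as an added Python illustration that is not Bugzilla's own code (Bugzilla is written in Perl). It assumes the cookie library escapes every reserved character the way CGI::Cookie does, uses a constructed list of 500 bug IDs, and takes the 4k figure from the bug title as the header-size limit (comment 13 puts Apache's own limit at 8K). The parser accepts both separators, which is the backward-compatibility point the comment makes about still splitting on colons.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample: 500 six-digit bug IDs (not taken from the page).
SAMPLE_IDS = list(range(100000, 100500))

# Header size limit discussed in the bug (4k in the title). Treated as a
# parameter here; the real value depends on the web server configuration.
HEADER_LIMIT = 4096


def encode_buglist(ids, sep):
    """Join bug IDs with `sep`, then percent-encode the value the way a cookie
    library would. Assumption: as with CGI::Cookie, every reserved character
    (':' -> %3A, ',' -> %2C) is escaped, while '-' is unreserved and kept."""
    return quote(sep.join(str(i) for i in ids), safe="")


def cookie_header_len(value, name="BUGLIST"):
    """Length of the request header line the browser would send."""
    return len(f"Cookie: {name}={value}")


def fits_header_limit(value, limit=HEADER_LIMIT):
    """True if the cookie header stays within the server's field-size limit;
    once it exceeds the limit every later request fails with 400 Bad Request
    until the cookie is cleared, which is the failure mode the bug reports."""
    return cookie_header_len(value) <= limit


def parse_buglist(cookie_value):
    """Read a BUGLIST cookie in either format: split on both the old ':' and
    the new '-' separator so cookies set before the change still work."""
    raw = unquote(cookie_value)
    return [int(part) for part in re.split(r"[:-]", raw) if part]


if __name__ == "__main__":
    for sep in (":", "-"):
        value = encode_buglist(SAMPLE_IDS, sep)
        print(f"sep={sep!r}: header={cookie_header_len(value)} bytes, "
              f"fits={fits_header_limit(value)}")
```

With the constructed 500-ID list the colon-separated header comes to 4513 bytes and the dash-separated one to 3515 bytes, so the same list that would lock a user out under the old encoding fits comfortably under the new one; `parse_buglist` reads both, so nobody needs to delete cookies after the upgrade.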
Comment 18 Max Kanat-Alexander 2011-02-14 00:06:24 PST
Comment on attachment 512066 [details] [diff] [review]
patch for 4.x, v1

Looks good to me. Perhaps add a comment above the split(), on checkin.

I think that we should backport this to 3.6, but I don't think it needs a security advisory; we don't usually treat DoSes of this level as confidential.
Comment 19 Frédéric Buclin 2011-02-14 00:30:54 PST
(In reply to comment #18)
> I think that we should backport this to 3.6, but I don't think it needs a
> security advisory; we don't usually treat DoSes of this level as confidential.

But we could still commit it to 3.4 as a security improvement, isn't it?
Comment 20 Max Kanat-Alexander 2011-02-14 00:43:56 PST
> But we could still commit it to 3.4 as a security improvement, isn't it?

Yeah, I suppose we could, that makes sense.
Comment 21 Frédéric Buclin 2011-02-14 12:40:57 PST
Removing the sec flag, per comment 18. I'm going to commit it now.
Comment 22 Frédéric Buclin 2011-02-14 13:23:55 PST
Created attachment 512256 [details] [diff] [review]
patch for 4.x, v1.1

I forgot to fix one place.
Comment 23 Frédéric Buclin 2011-02-14 13:31:59 PST
Created attachment 512260 [details] [diff] [review]
patch for 3.6, v1

Backport for 3.x
Comment 24 Frédéric Buclin 2011-02-14 14:04:21 PST
The patch for 3.6 doesn't apply to the 3.4 branch at all. I don't want to take the risk to break something on an old branch because I omitted to fix one place by accident, so I'm retargeting this bug to 3.6.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified Bugzilla/User.pm
Committed revision 7716.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified buglist.cgi
modified Bugzilla/User.pm
Committed revision 7554.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified buglist.cgi
modified process_bug.cgi
modified Bugzilla/Template.pm
Committed revision 7238.
Comment 25 Frédéric Buclin 2011-03-03 16:00:03 PST
*** Bug 365587 has been marked as a duplicate of this bug. ***
Comment 26 Frédéric Buclin 2011-03-03 16:02:53 PST
*** Bug 290977 has been marked as a duplicate of this bug. ***
