Re: [Mailman-Developers] Bug Found in Mailman
[Ricardo Kustner]
On Wed, Jun 07, 2000 at 04:21:06PM +0200, Andrea Paparelli wrote:
Bug in Mailman version 1.1
  File "/home/staff/mailman/Mailman/SecurityManager.py", line 117, in CheckCookie
    if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"':
IndexError: string index out of range
I stumbled on this a few times too... but it is very hard to reproduce... what I think went wrong in my situation most of those times is that somehow the cookie got mixed up with a different cookie which was set by a different program at the exact same server as mailman... anybody had similar experiences?
I haven't seen this happen with my users, but as the offending piece of code indeed is a hack that won't work reliably if the browser sends multiple cookies, I think this should be addressed somehow.
The real problem, I think, is that there's confusion on the subject of cookie content syntax.
The original Netscape proposal uses this (not very well-defined, IMO) cookie content syntax:
: NAME=VALUE
:     This string is a sequence of characters excluding semi-colon,
:     comma and white space. If there is a need to place such data in
:     the name or value, some encoding method such as URL style %XX
:     encoding is recommended, though no encoding is defined or
:     required.
A quick example:

[ Server -> Client ]
Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT

[ Client -> Server ]
Cookie: CUSTOMER=WILE_E_COYOTE
Note that there are no quotes around the cookie value.
RFC 2109, however, has a more well-defined, but ever so slightly different content syntax:
: 4.1 Syntax: General
:
:    The two state management headers, Set-Cookie and Cookie, have common
:    syntactic properties involving attribute-value pairs. The following
:    grammar uses the notation, and tokens DIGIT (decimal digits) and
:    token (informally, a sequence of non-special, non-white space
:    characters) from the HTTP/1.1 specification [RFC 2068] to describe
:    their syntax.
:
:    av-pairs        =       av-pair *(";" av-pair)
:    av-pair         =       attr ["=" value]        ; optional value
:    attr            =       token
:    value           =       word
:    word            =       token | quoted-string
Note that the cookie's value can be a quoted-string. The example from the Netscape spec could look like this using the RFC syntax:
[ Server -> Client ]
Set-Cookie: CUSTOMER="WILE_E_COYOTE"; Version="1"; Path="/"; Max-Age="3600"

[ Client -> Server ]
Cookie: $Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"
(Some time back) I looked over misc/Cookie.py trying to find some way to make it cope reliably with both kinds of cookies, but wasn't really able to discover what's wrong with _CookiePattern :(
I suspect that using "Max-Age" attributes on Mailman cookies instead of the current (non-RFC) "Expires" attribute *might* help, but I really don't have any idea whether such a change will stop Mailman from working with certain browsers.
Harald
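As an added illustration (not code from Mailman or from any poster in this thread), the following Python 3 sketch parses a Cookie: request header that may carry several cookies in either the Netscape or the RFC 2109 syntax, without the fixed-offset indexing that raised the IndexError quoted above. The function name and the sample cookie names are constructed for the example.

```python
import re

# One av-pair from RFC 2109 section 4.1: attr ["=" value], value = token | quoted-string.
# The bare branch also covers Netscape-style values (no ';', ',' or whitespace).
_AV_PAIR = re.compile(r'''
    \s*(?P<attr>[^=;,\s"]+)                  # attr
    (?:\s*=\s*
        (?: "(?P<quoted>(?:[^"\\]|\\.)*)"    # quoted-string, backslash escapes allowed
          | (?P<bare>[^;,\s"]*)              # unquoted value, possibly empty
        )
    )?
    \s*(?:[;,]|$)                            # RFC 2109 allows ';' or ',' between cookies
''', re.VERBOSE)


def parse_cookie_header(header):
    """Return {name: value} for every cookie in a Cookie: header value.

    Malformed input raises ValueError; nothing is indexed at a fixed offset,
    so short, empty or foreign cookies cannot cause an IndexError.
    """
    header = header.strip()
    cookies = {}
    pos = 0
    while pos < len(header):
        m = _AV_PAIR.match(header, pos)
        if m is None:
            raise ValueError("malformed Cookie header at offset %d" % pos)
        pos = m.end()
        attr = m.group('attr')
        if attr.startswith('$'):
            continue                          # $Version, $Path, $Domain are not cookies
        if m.group('quoted') is not None:
            value = re.sub(r'\\(.)', r'\1', m.group('quoted'))
        else:
            value = m.group('bare') or ''
        cookies.setdefault(attr, value)       # first occurrence of a name wins
    return cookies


if __name__ == '__main__':
    # Constructed header: a cookie from another program on the same server,
    # followed by a quoted RFC 2109 cookie with its $-attributes.
    sample = 'other_app=xyz; $Version="1"; mylist:admin="28020a"; $Path="/mailman"'
    print(parse_cookie_header(sample))
```

A caller looks up its own cookie with `parse_cookie_header(header).get(key)` and treats `None` or a `ValueError` as "not authenticated".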
"HM" == Harald Meland <Harald.Meland@usit.uio.no> writes:
[about the quote hack in SecurityManager.py, Harald sez...]
HM> I haven't seen this happen with my users, but as the offending
HM> piece of code indeed is a hack that won't work reliably if the
HM> browser sends multiple cookies, I think this should be
HM> addressed somehow.
How about by removing it? :)
See my previous post on the subject.

-Barry
participants (2): bwarsaw@beopen.com, Harald Meland