[Mailman-Developers] mass subscribe bug
The Dragon De Monsyne
dragondm@nexus.Integral.org
Sat, 13 Jun 1998 23:41:16 -0500 (CDT)
On Sat, 13 Jun 1998, John Viega wrote:
> On Sat, Jun 13, 1998 at 08:04:35PM -0400, Scott wrote:
> >
> > i was following the example in the "private" script. i don't think
> > base64 is necessary, but would think that some kind of encoding makes
> > it safer -- if only because it looks random. md5 is another option
> > for that, but it produces lots of characters that need special http
> > escaping. i'm not sure whether or not base64 has the same problem.
> > perhaps plaintext or a simple hash is in order?
>
> base64's purpose is essentially the same as uuencode; to take binary
> streams and encode them into 7 bit characters.
>
> I'd say as long as there are these weird bugs, let's back off and go to
> plaintext...

I'm afraid I know little of cookies, but if it's a problem of
http escaping, I DO know that base64 will produce characters that will
need escaping. There is a module for the apache webserver that generates
unique ID's for hits, and it encodes the binary ID using a _modified_
version of base64-encoding for this reason.
To quote:
"The UNIQUE_ID environment variable is constructed by encoding the
112-bit (value) ... using the alphabet [A-Za-z0-9@-] in a manner
similar to MIME base64 encoding, producing 19 characters. The MIME
base64 alphabet is actually [A-Za-z0-9+/] however + and / need to be
specially encoded in URLs, which makes them less desirable."
....so, if cookies follow the same rules as URL's for escaping, then
indeed that could be the trouble.
-The Dragon De Monsyne
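
The escaping issue raised in this message, as an added example that is not part of the original post and is not Mailman or Apache code: it encodes a 112-bit value with the MIME base64 alphabet and with the [A-Za-z0-9@-] alphabet from the quoted documentation, then checks whether each token comes back intact when placed unescaped in a URL. The function names, the `/private/` path and the sample bytes are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

STD_ALTCHARS = b"+/"   # characters 62 and 63 of MIME base64
UID_ALTCHARS = b"@-"   # characters 62 and 63 of the quoted [A-Za-z0-9@-] alphabet

# Constructed 112-bit (14-byte) sample; the first three bytes are chosen so
# that the MIME encoding starts with "++//".
SAMPLE = bytes.fromhex("fbefff") + bytes(range(11))


def encode_token(raw: bytes, altchars: bytes = UID_ALTCHARS) -> str:
    """Base64-encode raw with the given 62nd/63rd characters, without '=' padding."""
    return base64.b64encode(raw, altchars=altchars).rstrip(b"=").decode("ascii")


def decode_token(token: str, altchars: bytes = UID_ALTCHARS) -> bytes:
    """Inverse of encode_token; rejects characters outside the chosen alphabet."""
    allowed = "A-Za-z0-9" + re.escape(altchars.decode("ascii"))
    # b64decode only translates altchars back to "+/", so a literal '+' or '/'
    # would still be accepted; check the alphabet explicitly first.
    if not re.fullmatch(f"[{allowed}]+", token):
        raise ValueError("token contains characters outside the alphabet")
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded, altchars=altchars, validate=True)


def survives_unescaped(token: str) -> bool:
    """Put the token raw in a path segment and a query value, then parse it back."""
    parts = urlsplit(f"/private/{token}?id={token}")
    in_path = parts.path.split("/") == ["", "private", token]   # '/' splits it
    in_query = parse_qs(parts.query).get("id") == [token]       # '+' becomes ' '
    return in_path and in_query


if __name__ == "__main__":
    for name, alt in (("MIME base64", STD_ALTCHARS), ("[A-Za-z0-9@-]", UID_ALTCHARS)):
        tok = encode_token(SAMPLE, alt)
        print(f"{name:14} {tok} len={len(tok)} intact={survives_unescaped(tok)}")
```
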