[Mailman-Developers] Bug Found in Mailman

Harald Meland Harald.Meland@usit.uio.no
12 Jun 2000 18:28:29 +0200


[Ricardo Kustner]

> On Wed, Jun 07, 2000 at 04:21:06PM +0200, Andrea Paparelli wrote:
> > Bug in Mailman version 1.1
> >   File "/home/staff/mailman/Mailman/SecurityManager.py", line 117, in CheckCookie
> >     if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"':
> > IndexError: string index out of range
> 
> I stumbled on this a few times too... but it is very hard to reproduce...
> what I think went wrong in my situation most of those times is that somehow
> the cookie got mixed up with a different cookie which was set by a different
> program at the exact same server as mailman...
> anybody had similar experiences?

I haven't seen this happen with my users, but as the offending piece
of code indeed is a hack that won't work reliably if the browser sends
multiple cookies, I think this should be addressed somehow.

The real problem, I think, is that there's confusion on the subject of
cookie content syntax.

The original Netscape proposal uses this (not very well-defined, IMO)
cookie content syntax:

: NAME=VALUE
:      This string is a sequence of characters excluding semi-colon,
:      comma and white space. If there is a need to place such data in
:      the name or value, some encoding method such as URL style %XX
:      encoding is recommended, though no encoding is defined or
:      required.

A quick example:
[ Server -> Client ]
  Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT

[ Client -> Server ]
  Cookie: CUSTOMER=WILE_E_COYOTE

Note that there are no quotes around the cookie value.


RFC 2109, however, has a more well-defined, but ever so slightly
different content syntax:

: 4.1  Syntax:  General
: 
:    The two state management headers, Set-Cookie and Cookie, have common
:    syntactic properties involving attribute-value pairs.  The following
:    grammar uses the notation, and tokens DIGIT (decimal digits) and
:    token (informally, a sequence of non-special, non-white space
:    characters) from the HTTP/1.1 specification [RFC 2068] to describe
:    their syntax.
: 
:    av-pairs        =       av-pair *(";" av-pair)
:    av-pair         =       attr ["=" value]        ; optional value
:    attr            =       token
:    value           =       word
:    word            =       token | quoted-string

Note that the cookie's value can be a quoted-string.  The example from
the Netscape spec could look like this using the RFC syntax:

[ Server -> Client ]
  Set-Cookie: CUSTOMER="WILE_E_COYOTE"; Version="1"; Path="/"; Max-Age="3600"

[ Client -> Server ]
  Cookie: $Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"


(Some time back) I looked over misc/Cookie.py trying to find some way
to make it cope reliably with both kinds of cookies, but wasn't really
able to discover what's wrong with _CookiePattern :(

I suspect that using "Max-Age" attributes on Mailman cookies instead
of the current (non-RFC) "Expires" attribute *might* help, but I
really don't have any idea whether such a change will stop Mailman
from working with certain browsers.
-- 
Harald
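
Added example (not part of the original message and not Mailman's code): a Cookie header parser that accepts both the Netscape bare-value syntax and the RFC 2109 quoted-string syntax, copes with several cookies in one header, and returns None instead of raising on short or odd input. The function names and the OTHERAPP cookie are hypothetical; the sample headers are constructed from the examples in the message.

```python
import re

# One NAME=VALUE pair. VALUE is either an RFC 2109 quoted-string or a
# Netscape-style bare run (no semicolon, comma, whitespace or quote).
_PAIR = re.compile(r'''
    (?P<name>[^=;,\s"]+) \s* = \s*
    (?P<value> "(?:[^"\\]|\\.)*" | [^;,\s"]* )
''', re.VERBOSE)


def parse_cookie_header(header):
    """Map cookie name -> value for every cookie in a Cookie: header value."""
    cookies = {}
    for m in _PAIR.finditer(header or ''):
        name, value = m.group('name'), m.group('value')
        if name.startswith('$'):
            continue  # $Version, $Path, $Domain are RFC 2109 attributes
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            # Strip the surrounding quotes and undo backslash escapes.
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        cookies.setdefault(name, value)  # first occurrence wins
    return cookies


def get_cookie(header, key):
    """Value of cookie `key`, or None if absent; never indexes blindly."""
    return parse_cookie_header(header).get(key)


# Constructed sample headers (the part after "Cookie: ").
SAMPLES = [
    'CUSTOMER=WILE_E_COYOTE',                             # Netscape style
    '$Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"',  # RFC 2109 style
    'OTHERAPP=abc123; CUSTOMER="WILE_E_COYOTE"',          # another program's cookie first
    '"',                                                  # truncated or garbage input
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), '->', repr(get_cookie(sample, 'CUSTOMER')))
```

Looking the cookie up by name means a cookie set by a different program on the same server cannot shift the offsets used to read the value.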