[Mailman-Developers] Mailman and cookies.

Chuq Von Rospach chuqui@plaidworks.com
Fri, 19 Oct 2001 14:54:32 -0700

Ran into a fun one the other day. I came to work, tried to log onto one of
my lists, and started getting server errors out of the web server. Mailman
was broken.

So I immediately went to my assistant to see if he'd changed anything -- and
it was working for him. Borrowed a co-worker's computer, and sure enough,
the system was working fine, except when I tried to use it.

Restarted the browser. Nothing. Cleared the cache. Rebooted my desktop.
Restarted the web server.

After 20 minutes or so, I finally tracked it down. Some other site at apple
had lodged a cookie in my browser. When Mailman tried to read my cookies to
validate my browser, it was causing the admin CGI to core dump.

This is bad on any number of levels. Mailman 2.0.5 isn't reading cookies
right; it seems to be making assumptions about what will be there. The
cookie (no, I don't have details about what was IN it) was set to
"apple.com". Why that would affect a program reading cookies for
www.lists.apple.com, I dunno.

But it ALSO bothers me that I can create a cookie that not only affects
mailman, but causes the CGI to core-dump. IT seems to me there's a serious
opportunity for havoc.

Barry, I think you need to take a look at your cookie code, and look for
ways to bullet-proof it. It seems to have some assumptions that I found out
the hard way aren't safe.