[Mailman-Users] Cookie problems

Steve Lay S.W.Lay at ucles-red.cam.ac.uk
Tue Jul 18 14:24:56 CEST 2000


Dan Mick <Dan.Mick at West.Sun.COM> writes:

>I've seen all the complaints about admin cookies, and I've been trying
>for the last two hours to reproduce any problem (using Netscape 4.73
>on Solaris, and Mailman 2.0beta4) and I can't repro anything but the
>one problem I already knew about.
>
>If anyone has a repro scenario, it would be interesting to hear
>about it.

There is a problem with SecurityManager.py, it's in 1.1, it's in 2.0b4,
it's been in the jitterbug database for a while and I've seen talk of it on
the mailman developers list recently (though I don't subscribe to this).

Some way down this file there's an explanation of a fix for a bug that
exists in some browsers.  Mailman cookies start and end in double-quote
characters which get stripped by these buggy browsers.  The fix is supposed
to add them back in but it is broken.  Here are the lines that try and do this:

            if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"':
                cookiedata = key + '="' + cookiedata[keylen+1:] + '"'

All this happens before the cookie is sent for interpretation to the
functions in Cookie.py.  In the above code "keylen" is the length of the name
of the cookie that Mailman is expecting to get and cookiedata is the string
of characters that were received from the browser - the flaw is that Mailman
wasn't expecting to get more than one cookie.  If you fiddle with the paths
associated with
cookies you'll reduce the chances of multiple cookies being sent but you
won't fix the cause of this bug.  Mailman 1.1 already has commented out
debug code to print the cookie before and after this fix which I
uncommented to prove to myself that this really was broken - it is.

The problem happens when the cookie string is something like:

listname.archive=<some-unquoted-cookie-data>;
listname.admin=<other-cookie-data>

If this gets sent as part of an *admin* request it will be munged into
this:

listname.admin="e =<some-unquoted-cookie-data>;
listname.admin=<other-cookie-data>"

I've got log lines in my debug log to prove it!

You won't get stung by this bug if you are using a browser that preserves
the quotes around the cookie values because then the fix is not applied
(cookiedata[-1] would be a quote).  Also, the order in which cookies are
returned by the browser is not defined (where the paths are the same) and
so you may find you're getting away with it more often than not.  However,
my IE 4 for Mac is 100% reliable - it always removes the quotes and it
always gets stung by this bug when I switch from admin to archive and then
back again.

The fix is surely simple for a Python programmer: scan the cookie and
insert a quote after each '=' sign if there isn't one, likewise before ';'
and of course at the end of the string.

If this was C/C++ I'd have patched my own source tree last week!

Steve Lay
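
The fix described above, sketched as an added example (not code from the original post or from Mailman): it reproduces the munging with the two lines quoted in the post, then re-quotes each cookie in the header separately. It is written for Python 3, so `<>` becomes `!=`; the function names and cookie values are constructed, and values are assumed to contain no ';' or embedded quote characters.

```python
# Added illustration for Python 3; names and cookie values are constructed.

def buggy_requote(cookiedata, key):
    """The check quoted in the post, with `<>` written as `!=`."""
    keylen = len(key)
    # Assumes cookiedata starts with key + '=', which is false when
    # another cookie comes first in the header.
    if cookiedata[keylen + 1] != '"' and cookiedata[-1] != '"':
        cookiedata = key + '="' + cookiedata[keylen + 1:] + '"'
    return cookiedata


def requote_all(cookiedata):
    """Re-quote every name=value pair in a Cookie header independently.

    Assumption: values contain no ';' or embedded '"' characters.
    """
    fixed = []
    for pair in cookiedata.split(';'):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        if not sep:                      # no '=': pass through untouched
            fixed.append(pair)
            continue
        value = value.strip()
        if not (len(value) >= 2 and value[0] == '"' and value[-1] == '"'):
            value = '"' + value.strip('"') + '"'
        fixed.append(name.strip() + '=' + value)
    return '; '.join(fixed)


# Constructed header from a browser that stripped the quotes.
HEADER = 'listname.archive=AAAA; listname.admin=BBBB'

if __name__ == '__main__':
    print(buggy_requote(HEADER, 'listname.admin'))
    print(requote_all(HEADER))
```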







