[Mailman-Developers] Bug Found in Mailman
Harald Meland
Harald.Meland@usit.uio.no
12 Jun 2000 18:28:29 +0200
[Ricardo Kustner]
> On Wed, Jun 07, 2000 at 04:21:06PM +0200, Andrea Paparelli wrote:
> > Bug in Mailman version 1.1
> > File "/home/staff/mailman/Mailman/SecurityManager.py", line 117, in
> > CheckCookie
> > if cookiedata[keylen+1] <> '"' and cookiedata[-1] <> '"':
> > IndexError: string index out of range
>
> I stumbled on this a few times too... but it is very hard to reproduce...
> what I think went wrong in my situation most of those times is that somehow
> the cookie got mixed up with a different cookie which was set by a different
> program at the exact same server as mailman...
> anybody had similar experiences?

I haven't seen this happen with my users, but as the offending piece
of code indeed is a hack that won't work reliably if the browser sends
multiple cookies, I think this should be addressed somehow.

The real problem, I think, is that there's confusion on the subject of
cookie content syntax.

The original Netscape proposal uses this (not very well-defined, IMO)
cookie content syntax:
: NAME=VALUE
: This string is a sequence of characters excluding semi-colon,
: comma and white space. If there is a need to place such data in
: the name or value, some encoding method such as URL style %XX
: encoding is recommended, though no encoding is defined or
: required.

A quick example:

[ Server -> Client ]
Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT
[ Client -> Server ]
Cookie: CUSTOMER=WILE_E_COYOTE

Note that there are no quotes around the cookie value.

RFC 2109, however, has a more well-defined, but ever so slightly
different content syntax:
: 4.1 Syntax: General
:
: The two state management headers, Set-Cookie and Cookie, have common
: syntactic properties involving attribute-value pairs. The following
: grammar uses the notation, and tokens DIGIT (decimal digits) and
: token (informally, a sequence of non-special, non-white space
: characters) from the HTTP/1.1 specification [RFC 2068] to describe
: their syntax.
:
: av-pairs = av-pair *(";" av-pair)
: av-pair = attr ["=" value] ; optional value
: attr = token
: value = word
: word = token | quoted-string

Note that the cookie's value can be a quoted-string. The example from
the Netscape spec could look like this using the RFC syntax:
[ Server -> Client ]
Set-Cookie: CUSTOMER="WILE_E_COYOTE"; Version="1"; Path="/"; Max-Age="3600"
[ Client -> Server ]
Cookie: $Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"

(Some time back) I looked over misc/Cookie.py trying to find some way
to make it cope reliably with both kinds of cookies, but wasn't really
able to discover what's wrong with _CookiePattern :(

I suspect that using "Max-Age" attributes on Mailman cookies instead
of the current (non-RFC) "Expires" attribute *might* help, but I
really don't have any idea whether such a change will stop Mailman
from working with certain browsers.

--
Harald
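
Added example, not part of the original message and not Mailman's code: a tolerant Cookie header parser that accepts both the Netscape NAME=VALUE form and the RFC 2109 quoted-string form, copes with several cookies in one header, and treats a malformed header as "no cookie" instead of raising IndexError. The names `parse_cookie_header`, `get_cookie` and `_AV_PAIR` are hypothetical; the two sample headers are the ones quoted in the message.

```python
import re

# One av-pair per RFC 2109: attr ["=" value], value = token | quoted-string.
# The bare branch also accepts Netscape-style values (no ';', ',' or space).
_AV_PAIR = re.compile(r'''
    \s*(?P<attr>[^\s=;,"]+)                # attr (token)
    (?:\s*=\s*
        (?:"(?P<quoted>(?:[^"\\]|\\.)*)"   # quoted-string, backslash escapes
          |(?P<plain>[^;,\s"]*)))?         # bare token / Netscape VALUE
    \s*(?:[;,]|$)                          # separator or end of header
''', re.VERBOSE)


def parse_cookie_header(header):
    """Return {name: value} for every cookie in a Cookie: header value.

    Reserved RFC 2109 attributes ($Version, $Path, $Domain) are skipped.
    Parsing stops at the first malformed pair, keeping what was read so far.
    """
    cookies = {}
    pos = 0
    while pos < len(header):
        m = _AV_PAIR.match(header, pos)
        if m is None:
            break  # malformed remainder: stop rather than raise
        pos = m.end()
        name = m.group('attr')
        if name.startswith('$'):
            continue
        if m.group('quoted') is not None:
            value = re.sub(r'\\(.)', r'\1', m.group('quoted'))  # unescape
        else:
            value = m.group('plain') or ''
        cookies.setdefault(name, value)  # first occurrence wins
    return cookies


def get_cookie(header, key):
    """Value of cookie `key`, or None when absent or unparseable."""
    return parse_cookie_header(header or '').get(key)


if __name__ == '__main__':
    # The two client headers quoted in the message above.
    for h in ('CUSTOMER=WILE_E_COYOTE',
              '$Version="1"; CUSTOMER="WILE_E_COYOTE"; $Path="/"'):
        print(get_cookie(h, 'CUSTOMER'))
```

A caller that authenticates on the cookie should treat a `None` result as "not logged in" and still verify the returned value, since any other application on the same host can cause extra cookies to appear in the header.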