Can't access Codestriker with corrupt cookies
Brought to you by: sits
I accidentally used "I" as my e-mail address (with
Codestriker 1.8.1). Codestriker saved that in a
cookie. When I upgraded to 1.8.2, Codestriker wouldn't
even display the main page. The error I got was:
Input parameter email has invalid value: "I"
I think this can be fixed by checking the validity of a
cookie before loading it. Maybe tell
_set_property_from_cookie() to check against the same
regex that _untaint() checks against before accepting
the cookie value.
(I'm not sure if the upgrade from 1.8.1 to 1.8.2 is
significant).
Logged In: YES
user_id=208928
Yes, the email anti-tainting was strengthened in these
releases, so this explains your behaviour. As a quick
workaround, I would delete the codestriker_cookie.
I have modified the code so that if a cookie value is bad,
it will be reset to blank, so this should fix the problem
you had.
Will be fixed in the 1.8.4 release out real soon now.
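As an added illustration of the two behaviours discussed in this thread (this is example code written for this page, not Codestriker's own Perl; the cookie name, the e-mail regex and the sample headers are assumptions):

```python
import re

# Stand-in e-mail pattern: Codestriker's real _untaint() regex is not on
# the page, so this is an assumption made for the example.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class InvalidParameter(Exception):
    """Raised when a value fails the untaint check (the 1.8.2 behaviour)."""


def untaint_email(value):
    """Strict check: reject anything that is not a plausible address."""
    if not EMAIL_RE.match(value):
        raise InvalidParameter(
            'Input parameter email has invalid value: "%s"' % value)
    return value


def parse_cookie_header(header):
    """Parse a 'Cookie:' header into a dict (constructed, minimal parser)."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def property_from_cookie_strict(cookies, name, validator):
    """Behaviour reported in the bug: a bad stored value aborts the page."""
    value = cookies.get(name)
    return validator(value) if value is not None else ""


def property_from_cookie_reset(cookies, name, validator):
    """Fix described above: validate before accepting, and reset a bad
    value to blank so the main page still renders."""
    value = cookies.get(name)
    if value is None:
        return ""
    try:
        return validator(value)
    except InvalidParameter:
        return ""


def strict_page_loads(header, name="codestriker_email"):
    """True if the strict loader accepts the cookie in this header."""
    try:
        property_from_cookie_strict(parse_cookie_header(header), name, untaint_email)
        return True
    except InvalidParameter:
        return False
```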
Logged In: YES
user_id=208928
Actually I told a lie in my last comment. I've decided to
relax the cookie checking code to be what it was in 1.8.1,
so this won't happen again.
The action classes really need to be tightened for input
checking for the add comment page, much like how it is
for the create topic page. The cookie tainting is only last
resort checking, and they certainly aren't very user friendly.
Logged In: YES
user_id=215287
Did you take out the cookie tainting? Isn't that a step
backwards? I think the idea of simply resetting a bad
cookie (your first solution) is better. Is there a reason
you decided against that?
Logged In: YES
user_id=208928
It actually isn't that easy just to reset the cookie, the
way the code is structured, and it also has some nasty
side-effects if we do that.
Really, the cookie checking is only a last resort to ensure
users aren't trying to bring the system down with malicious
strings (i.e. nasty SQL queries). We need a level of UI
checking (as in the create topic page) for checking email
addresses in the add comment page. This is not the cookie
code's purpose.