Can't access Codestriker with corrupt cookies

Brought to you by: sits

#14 Can't access Codestriker with corrupt cookies

Status: closed-fixed

Owner: nobody

Labels: None

Priority: 5

Updated: 2004-08-26

Created: 2004-08-19

Creator: Kannan Goundan

Private: No

I accidentally used "I" as my e-mail address (with
Codestriker 1.8.1). Codestriker saved that in a
cookie. When I upgraded to 1.8.2, Codestriker wouldn't
even display the main page. The error I got was:

Input parameter email has invalid value: "I"

I think this can be fixed by checking the validity of a
cookie before loading it. Maybe tell
_set_property_from_cookie() to check against the same
regex that _untaint() checks against before accepting
the cookie value.

(I'm not sure if the upgrade from 1.8.1 to 1.8.2 is
significant).

Discussion

David Sitsky - 2004-08-26

Logged In: YES
user_id=208928

Yes, the email anti-tainting was strengthened in these
releases, so this explains your behaviour. As a quick
workaround, I would delete the codestriker_cookie.

I have modified the code so that if a cookie value is bad,
it will be reset to blank, so this should fix the problem
you had.

Will be fixed in the 1.8.4 release out real soon now.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

David Sitsky - 2004-08-26

status: open --> open-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

David Sitsky - 2004-08-26

status: open-fixed --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

David Sitsky - 2004-08-26

Logged In: YES
user_id=208928

Actually I told a lie in my last comment. I've decided to
relax the cookie checking code to be what it was in 1.8.1,
so this won't happen again.

The action classes really need to be tightened for input
checking for the add comment page, much like the how it is
for the create topic page. The cookie tainting is only last
resort checking, and they certaintly aren't very user friendly.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kannan Goundan - 2004-08-27

Logged In: YES
user_id=215287

Did you take out the cookie tainting? Isn't that a step
backwards? I think the idea of simply resetting a bad
cookie (your first solution) is better. Is there a reason
you decided against that?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

David Sitsky - 2004-08-27

Logged In: YES
user_id=208928

It actually isn't that easy just to reset the cookie, the
way the code is structured, and it also has some nasty
side-effects if we do that.

Really, the cookie checking is only a last resort to ensure
users aren't trying to bring the system down with malicious
strings (ie nasty SQL queries). We need a level of UI
checking (as is the create topic page) for checking email
addresses in the add comment page. This is not the cookie
code's purpose.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.