#14 Can't access Codestriker with corrupt cookies

closed-fixed
nobody
None
5
2004-08-26
2004-08-19
No

I accidentally used "I" as my e-mail address (with
Codestriker 1.8.1). Codestriker saved that in a
cookie. When I upgraded to 1.8.2, Codestriker wouldn't
even display the main page. The error I got was:

Input parameter email has invalid value: "I"

I think this can be fixed by checking the validity of a
cookie before loading it. Maybe tell
_set_property_from_cookie() to check against the same
regex that _untaint() checks against before accepting
the cookie value.

(I'm not sure if the upgrade from 1.8.1 to 1.8.2 is
significant).

Discussion

  • David Sitsky

    David Sitsky - 2004-08-26

    Logged In: YES
    user_id=208928

    Yes, the email anti-tainting was strengthened in these
    releases, so this explains your behaviour. As a quick
    workaround, I would delete the codestriker_cookie.

    I have modified the code so that if a cookie value is bad,
    it will be reset to blank, so this should fix the problem
    you had.

    Will be fixed in the 1.8.4 release out real soon now.

     
  • David Sitsky

    David Sitsky - 2004-08-26
    • status: open --> open-fixed
     
  • David Sitsky

    David Sitsky - 2004-08-26
    • status: open-fixed --> closed-fixed
     
  • David Sitsky

    David Sitsky - 2004-08-26

    Logged In: YES
    user_id=208928

    Actually I told a lie in my last comment. I've decided to
    relax the cookie checking code to be what it was in 1.8.1,
    so this won't happen again.

    The action classes really need to be tightened for input
    checking for the add comment page, much like how it is
    for the create topic page. The cookie tainting is only last
    resort checking, and they certainly aren't very user friendly.

     
  • Kannan Goundan

    Kannan Goundan - 2004-08-27

    Logged In: YES
    user_id=215287

    Did you take out the cookie tainting? Isn't that a step
    backwards? I think the idea of simply resetting a bad
    cookie (your first solution) is better. Is there a reason
    you decided against that?

     
  • David Sitsky

    David Sitsky - 2004-08-27

    Logged In: YES
    user_id=208928

    It actually isn't that easy just to reset the cookie, the
    way the code is structured, and it also has some nasty
    side-effects if we do that.

    Really, the cookie checking is only a last resort to ensure
    users aren't trying to bring the system down with malicious
    strings (i.e. nasty SQL queries). We need a level of UI
    checking (as is the create topic page) for checking email
    addresses in the add comment page. This is not the cookie
    code's purpose.
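
The approach discussed in this thread (validate a stored cookie value against the same allow-list used for request parameters, but reset a bad value to blank instead of failing the whole page), as an added sketch that is not Codestriker's code. The function names `untaint_param` and `property_from_cookie`, the `%VALID` table and both patterns are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Codestriker source. Names and patterns are assumed.
use strict;
use warnings;

# One allow-list per field, shared by request-parameter and cookie handling.
# The email pattern is a constructed stand-in, not Codestriker's real regex.
my %VALID = (
    email    => qr/[\w.+-]+\@[\w-]+(?:\.[\w-]+)+/,
    tabwidth => qr/\d{1,2}/,
);

# Request parameters: a bad value is a hard error the user sees and can fix.
sub untaint_param {
    my ($name, $value) = @_;
    return '' unless defined $value && length $value;
    return $1 if $value =~ /\A($VALID{$name})\z/;
    die qq{Input parameter $name has invalid value: "$value"\n};
}

# Stored cookie values: same allow-list, but a bad value is dropped (reset to
# blank) so a stale cookie cannot lock the user out of every page.
sub property_from_cookie {
    my ($cookie, $name) = @_;
    my $value = $cookie->{$name};
    return '' unless defined $value;
    return $value =~ /\A($VALID{$name})\z/ ? $1 : '';
}

# Constructed cookie contents mirroring the report: email was saved as "I".
my %cookie = (email => 'I', tabwidth => '8');
for my $name (sort keys %VALID) {
    printf "%-8s cookie=%-4s -> property='%s'\n",
        $name, "'$cookie{$name}'", property_from_cookie(\%cookie, $name);
}

# The same value submitted through a form is still rejected loudly.
eval { untaint_param(email => 'I'); 1 } or print "form rejected: $@";
```

The invalid cookie value never reaches the rest of the application, and the page still renders with an empty email field for the user to correct.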

     
