0012552: Use of a period "." in $g_cookie_prefix results in login error

View Issue Details [ Jump to Notes ] [ Wiki ] [ Related Changesets ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0012552

mantisbt

authentication

public

2010-11-23 09:54

2011-04-05 14:23

Reporter

dregad

Assigned To

dhx

Priority

low

Severity

minor

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

git trunk

Target Version

1.2.5

Fixed in Version

1.2.5

Summary

0012552: Use of a period "." in $g_cookie_prefix results in login error

Description

If the cookie prefix string contains a ".", then the following (misleading) error message is displayed on the login page:

Your browser either does not know how to handle cookies, or refuses to handle them.

In gpc_set_cookie, $p_name is correctly set to "TEST.1", but in $_COOKIE, the stored value (array index) is "TEST_1_STRING_COOKIE"

The easy and obvious workaround is to not use a "." in the prefix string, but this should at least be documented in config_defaults_inc.php.

Steps To Reproduce

1. Define $g_cookie_prefix = "TEST.1" in config_inc.php
2. Try to login

Additional Information

Note: the period "." is a valid char cookie name, per RFC 2965 and 2616 which defines the valid chars for cookies as
       token = 1*<any CHAR except CTLs or separators>
       separators = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT
       CTL = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

Someone else seems to have noticed this behavior of PHP (see user note under setcookie documentation http://php.net/manual/en/function.setcookie.php#99845 [^]).

Tags

patch

Attached Files

0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch [^] (804 bytes) 2010-11-23 10:13 [Show Content] [Hide Content]

From 341991eee9b32bf671047b8c33b01c8569d63d2b Mon Sep 17 00:00:00 2001
From: Damien Regad <damien.regad@merckserono.net>
Date: Tue, 23 Nov 2010 16:10:11 +0100
Subject: [PATCH] Fix #12552: Period should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this
---
 config_defaults_inc.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index b3f8bd8..41341d7 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -2764,7 +2764,7 @@
 
 	/**
 	 * --- cookie prefix ---------------
-	 * set this to a unique identifier.  No spaces.
+	 * set this to a unique identifier.  No spaces or periods.
 	 * @global string $g_cookie_prefix
 	 */
 	$g_cookie_prefix		= 'MANTIS';
-- 
1.7.1

Relationships

Notes
(0027459) dregad (developer) 2010-11-23 10:09	I wonder if this behavior could be caused by PHP handling of external variables (http://us2.php.net/variables.external [^]) which according to the note is converting spaces and dots to underscores. But I'm not sure if it's the case, because Mantis behavior is not fully consistent, even though the error message on login page is the same: $g_cookie_prefix = "TEST 2" In gpc_set_cookie, $p_name is set to "TEST 2_STRING_COOKIE", but there is no value stored in $_COOKIE

(0027697) dhx (developer) 2010-12-25 03:56	Committed, thanks Damien. I also updated the docbook documentation to reflect this changed comment.

Related Changesets
MantisBT: master e45cfb8d Timestamp: 2010-11-23 15:10:11 Author: Damien Regad Committer: dhx [ Details ] [ Diff ]	Fix 0012552: Periods should not be used in g_cookie_prefix Modified comment in config_defaults_inc.php to document this. The administration guide documentation has also been updated. Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
	mod - config_defaults_inc.php	[ Diff ] [ File ]
	mod - docbook/Admin_Guide/en-US/Configuration.xml	[ Diff ] [ File ]

MantisBT: master-1.2.x e28dae6a Timestamp: 2010-11-23 15:10:11 Author: Damien Regad Committer: dhx [ Details ] [ Diff ]	Fix 0012552: Periods should not be used in g_cookie_prefix Modified comment in config_defaults_inc.php to document this. The administration guide documentation has also been updated. Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
	mod - config_defaults_inc.php	[ Diff ] [ File ]
	mod - docbook/adminguide/en/configuration.sgml	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2010-11-23 09:54	dregad	New Issue
2010-11-23 10:09	dregad	Note Added: 0027459
2010-11-23 10:13	dregad	File Added: 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch
2010-11-23 10:14	dregad	Tag Attached: patch
2010-11-30 09:02	dhx	Status	new => acknowledged
2010-11-30 09:03	dhx	Target Version	=> 1.2.4
2010-12-14 06:09	dhx	Assigned To	=> dhx
2010-12-14 06:09	dhx	Status	acknowledged => assigned
2010-12-14 21:05	jreese	Target Version	1.2.4 => 1.2.5
2010-12-25 03:56	dhx	Changeset attached	=> MantisBT master e45cfb8d
2010-12-25 03:56	dhx	Changeset attached	=> MantisBT master-1.2.x e28dae6a
2010-12-25 03:56	dhx	Resolution	open => fixed
2010-12-25 03:56	dhx	Fixed in Version	=> 1.2.5
2010-12-25 03:56	dhx	Note Added: 0027697
2010-12-25 03:56	dhx	Status	assigned => resolved
2011-04-05 14:23	jreese	Status	resolved => closed

MantisBT 1.2.16dev master-1.2.x-8c2bd07 [^]

Time: 0.1061 seconds.
memory usage: 2,808 KB