MantisBT

ID: 0012552
Project: mantisbt
Category: authentication
View Status: public
Date Submitted: 2010-11-23 09:54
Last Update: 2011-04-05 14:23
Reporter: dregad
Assigned To: dhx
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: git trunk
Target Version: 1.2.5
Fixed in Version: 1.2.5
Summary: 0012552: Use of a period "." in $g_cookie_prefix results in login error

Description: If the cookie prefix string contains a ".", then the following (misleading) error message is displayed on the login page:

    Your browser either does not know how to handle cookies, or refuses to handle them.

In gpc_set_cookie, $p_name is correctly set to "TEST.1", but in $_COOKIE, the stored value (array index) is "TEST_1_STRING_COOKIE"

The easy and obvious workaround is to not use a "." in the prefix string, but this should at least be documented in config_defaults_inc.php.

Steps To Reproduce:
1. Define $g_cookie_prefix = "TEST.1" in config_inc.php
2. Try to login

Additional Information: Note: the period "." is a valid char in a cookie name, per RFC 2965 and 2616, which define the valid chars for cookies as
       token = 1*<any CHAR except CTLs or separators>
       separators = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT
       CTL = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

Someone else seems to have noticed this behavior of PHP (see user note under setcookie documentation http://php.net/manual/en/function.setcookie.php#99845).

Tags: patch
Attached Files: 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch (804 bytes) 2010-11-23 10:13

- Relationships

-  Notes
(0027459)
dregad (developer)
2010-11-23 10:09

I wonder if this behavior could be caused by PHP handling of external variables (http://us2.php.net/variables.external) which according to the note is converting spaces and dots to underscores.

But I'm not sure if it's the case, because Mantis behavior is not fully consistent, even though the error message on login page is the same:
$g_cookie_prefix = "TEST 2"
In gpc_set_cookie, $p_name is set to "TEST 2_STRING_COOKIE", but there is no value stored in $_COOKIE
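
The name conversion suspected in this note can be checked directly. The following is an added example, not MantisBT code or part of the original note: it uses PHP's `parse_str()`, which applies the same dot and space conversion that PHP applies to external variable names, to compare a cookie name as set with the key PHP exposes for it. The function names are hypothetical, the prefix `MANTIS` is a constructed sample next to the two prefixes from this report, and PHP 7.3 or later is assumed.

```php
<?php
// Added example, not MantisBT code. Function names are hypothetical.

/**
 * Return the array key under which PHP exposes an incoming variable
 * (such as a cookie) that the client sent under the name $name.
 */
function cookie_key_seen_by_php(string $name): string {
    // parse_str() registers names the same way PHP does for external
    // variables, so dots and spaces in the name become underscores.
    parse_str(rawurlencode($name) . '=x', $parsed);
    return (string) array_key_first($parsed);
}

/**
 * Check a candidate $g_cookie_prefix and return a list of problems.
 * The '_STRING_COOKIE' suffix is the one quoted in this report.
 */
function check_cookie_prefix(string $prefix): array {
    $problems = [];

    // setcookie() refuses cookie names containing any of these characters.
    if (strpbrk($prefix, "=,; \t\r\n\013\014") !== false) {
        $problems[] = 'setcookie() rejects this name, so no cookie is sent';
    }

    // Compare the name handed to setcookie() with the key used on read.
    $name = $prefix . '_STRING_COOKIE';
    $seen = cookie_key_seen_by_php($name);
    if ($seen !== $name) {
        $problems[] = "set as '$name' but read back as '$seen'";
    }

    return $problems;
}

// Constructed sample prefixes: one plain, plus the two from this report.
foreach (['MANTIS', 'TEST.1', 'TEST 2'] as $prefix) {
    $problems = check_cookie_prefix($prefix);
    echo $prefix, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```

A check like this can run when the configuration is loaded, so a prefix that cannot round-trip through `$_COOKIE` is reported as a configuration problem instead of surfacing as a cookie error on the login page.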
(0027697)
dhx (reporter)
2010-12-25 03:56

Committed, thanks Damien.

I also updated the docbook documentation to reflect this changed comment.

- Related Changesets
MantisBT: master e45cfb8d
Timestamp: 2010-11-23 15:10:11
Author: Damien Regad
Committer: dhx
Fix 0012552: Periods should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this. The
administration guide documentation has also been updated.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/Configuration.xml
MantisBT: master-1.2.x e28dae6a
Timestamp: 2010-11-23 15:10:11
Author: Damien Regad
Committer: dhx
Fix 0012552: Periods should not be used in g_cookie_prefix

Modified comment in config_defaults_inc.php to document this. The
administration guide documentation has also been updated.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - config_defaults_inc.php
mod - docbook/adminguide/en/configuration.sgml

- Issue History
Date Modified Username Field Change
2010-11-23 09:54 dregad New Issue
2010-11-23 10:09 dregad Note Added: 0027459
2010-11-23 10:13 dregad File Added: 0001-Fix-12552-Period-should-not-be-used-in-g_cookie_pref.patch
2010-11-23 10:14 dregad Tag Attached: patch
2010-11-30 09:02 dhx Status new => acknowledged
2010-11-30 09:03 dhx Target Version => 1.2.4
2010-12-14 06:09 dhx Assigned To => dhx
2010-12-14 06:09 dhx Status acknowledged => assigned
2010-12-14 21:05 jreese Target Version 1.2.4 => 1.2.5
2010-12-25 03:56 dhx Changeset attached => MantisBT master e45cfb8d
2010-12-25 03:56 dhx Changeset attached => MantisBT master-1.2.x e28dae6a
2010-12-25 03:56 dhx Resolution open => fixed
2010-12-25 03:56 dhx Fixed in Version => 1.2.5
2010-12-25 03:56 dhx Note Added: 0027697
2010-12-25 03:56 dhx Status assigned => resolved
2011-04-05 14:23 jreese Status resolved => closed

