Debian Bug report logs - #35523
lynx: cookie handling broken with non-printable characters


Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: Chris Lawrence <quango@watervalley.net>

Date: Sat, 3 Apr 1999 23:48:02 UTC

Severity: normal

Found in version 2.8.1-3

Done: "H. Nanosecond" <aldomel@ix.netcom.com>

Bug is archived. No further changes may be made.

Forwarded to lynx-dev@sig.net



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#35523; Package lynx.

Acknowledgement sent to Chris Lawrence <quango@watervalley.net>:
New bug report received and forwarded. Copy sent to Christian Hudon <chrish@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Chris Lawrence <quango@watervalley.net>
To: submit@bugs.debian.org
Subject: lynx: cookie handling broken with non-printable characters
Date: Sat, 3 Apr 1999 17:45:10 -0600
Package: lynx
Version: 2.8.1-3

Cookies that are stored in the .lynx_cookies file get mangled if they
contain non-printable characters.  For example, if I receive a cookie like:

Set-Cookie: bunny="I3\012."
(where \012 is LF)

After a restart (i.e. quit and relaunch), Lynx will send back:

Cookie: bunny=I3\012.
(without the quotes and with \012 as a literal string, not an LF character).

This severely breaks CGI scripts that use the Python Cookie module to store
non-strings (like integers) in cookies, for example.

Lynx does manage to get it right when the cookies aren't stored (i.e. during
the same session).  So: apparently either the cookie file writing or parsing
is the problem.

-- System Information
Debian Release: 2.1
Kernel Version: Linux quango.watervalley.net 2.2.4 #20 Thu Apr 1 15:35:42 CST 1999 i486 unknown

Versions of the packages lynx depends on:
ii  libc6           2.0.7.19981211 GNU C Library: shared libraries
ii  slang1          1.2.2-2        The S-Lang programming library - runtime ver
ii  slang1          1.2.2-2        The S-Lang programming library - runtime ver
ii  zlib1g          1.1.3-2        compression library - runtime

--- Begin /etc/lynx.cfg (modified conffile)
STARTFILE:file://localhost/home/quango/lynx_bookmarks.html
HELPFILE:file://localhost/usr/doc/lynx/lynx_help/lynx_help_main.html
DEFAULT_INDEX_FILE:http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/MetaIndex.html
LOCAL_EXECUTION_LINKS_ALWAYS_ON:FALSE
LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE:FALSE
TRUSTED_EXEC:none
ALWAYS_TRUSTED_EXEC:none
TRUSTED_LYNXCGI:none
NNTPSERVER:news.watervalley.net
USE_MOUSE:TRUE
PRINTER:Okidata OL840:enscript --printer=lp < %s:FALSE
NO_DOT_FILES:FALSE
MINIMAL_COMMENTS:TRUE
GLOBAL_EXTENSION_MAP:/etc/mime.types
PERSONAL_EXTENSION_MAP:.mime.types
XLOADIMAGE_COMMAND:
GLOBAL_MAILCAP:/etc/mailcap
PERSONAL_MAILCAP:.mailcap
COLOR:0:lightgray:black
COLOR:1:blue:black
COLOR:2:yellow:blue
COLOR:3:green:black
COLOR:4:magenta:black
COLOR:5:blue:black
COLOR:6:red:black
COLOR:7:magenta:cyan

--- End /etc/lynx.cfg


Reply sent to "Christian Hudon" <chrish@debian.org>:
You have marked bug as forwarded.

Message #8 received at 35523-forwarded@bugs.debian.org:

From: "Christian Hudon" <chrish@debian.org>
To: lynx-dev@sig.net
Cc: Chris Lawrence <quango@watervalley.net>, 35523-forwarded@bugs.debian.org
Subject: Bug#35523: lynx: cookie handling broken with non-printable characters (fwd)
Date: Sun, 4 Apr 1999 21:09:28 -0400
[Message part 1 (text/plain, inline)]
Hi,

I'm the Debian maintainer of the lynx package. I received the following bug 
report about lynx. I'm forwarding it to you.

  Christian
[Message part 2 (message/rfc822, inline)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#35523; Package lynx.

Acknowledgement sent to Klaus Weide <kweide@tezcat.com>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>.

Message #13 received at 35523@bugs.debian.org:

From: Klaus Weide <kweide@tezcat.com>
To: lynx-dev@sig.net
Cc: Chris Lawrence <quango@watervalley.net>, 35523@bugs.debian.org
Subject: Re: lynx-dev Bug#35523: lynx: cookie handling broken with non-printable characters (fwd)
Date: Mon, 5 Apr 1999 08:55:58 -0500 (CDT)
It just isn't possible to send a cookie like the following with HTTP:

    Set-Cookie: bunny="I3\012."
    (where \012 is LF)

Either the person reporting this misunderstands what's going on, or
is leaving out some information.

A LF char in a HTTP header ends that header line.  The above is
effectively the same as two lines:

    Set-Cookie: bunny="I3
    ."

which of course is completely invalid.  I don't know anything about the
"Python Cookie module", but if it has anything to do with CGI then
it shouldn't be possible to generate such a thing.

Even if this was not \012 aka LF but some other control character,
it would still violate

  1) the more recent State Management RFC and drafts,
  2) the HTTP specs, and
  3) probably the CGI specs (if CGI is involved).

It does not explicitly violate the "Preliminary Specification"
<http://home.netscape.com/newsref/std/cookie_spec.html> from Netscape,
which only says that "some encoding method such as URL style %XX
encoding is recommended, though no encoding is defined" and only
explicitly mentions "semi-colon, comma and white space", but that's just
further proof of the general sloppiness of that document.

I can't imagine which part of the Lynx cookie handling code would convert
a raw '\r' to the four characters '\\' '0' '1' '2', even if a raw '\r'
could get through.  Without a trace log, I just don't believe that can
happen.

Anyway, the persistent cookie support in lynx 2.8.1 is broken in several
ways.  AFAIK it was marked as "experimental" (it still is in recent
2.8.2dev.N code).  For example a cookie consisting only of

    Set-Cookie: bunny="anything"

shouldn't be stored in a cookie file *at all*, since there is no expiration
date, but lynx 2.8.1 does store it.  This is fixed in 2.8.2dev.N.

There may be problems (still present in lynx 2.8.2dev.N) related to the
dropping of surrounding quotes when persistent cookies are stored, but
we should get a better bug report.

If the Python Cookie module really tries to send raw binary data in HTTP
headers, then it is badly broken.  It should escape characters when required.
I find it more likely that it does that, but the bug reporter was not
looking at what is really being transmitted but at some cooked version.
But we would need to know what really goes over the wire.  Try lynx -trace,
then send Lynx.trace excerpts.

    Klaus    



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#35523; Package lynx.

Acknowledgement sent to Chris Lawrence <quango@watervalley.net>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>.

Message #18 received at 35523@bugs.debian.org:

From: Chris Lawrence <lawrencc@clark.net>
To: Klaus Weide <kweide@tezcat.com>
Cc: lynx-dev@sig.net, 35523@bugs.debian.org
Subject: Re: lynx-dev Bug#35523: lynx: cookie handling broken with non-printable characters (fwd)
Date: Mon, 5 Apr 1999 10:55:44 -0400 (EDT)
On Mon, 5 Apr 1999, Klaus Weide wrote:
> It just isn't possible to send a cookie like the following with HTTP:
> 
>     Set-Cookie: bunny="I3\012."
>     (where \012 is LF)
> 
> Either the person reporting this misunderstands what's going on, or
> is leaving out some information.

It may be a literal \012.  I need to take a look at the raw HTTP
datastream from the CGI script, however.

> There may be problems (still present in lynx 2.8.2dev.N) related to the
> dropping of surrounding quotes when persistent cookies are stored, but
> we should get a better bug report.

I think that's the issue here.  My trace dump from Lynx shows the quotes
being sent during the same session but dropped after a quit and restart.
The quotes aren't being put in the .lynx_cookies file.


Chris
--
Chris Lawrence                      EMail: lawrencc@clark.net
Graduate Student, Political Science     or quango@watervalley.net
The University of Mississippi
Oxford, Mississippi, USA

               Amiga 4000/060 AmigaOS 3.1 & Linux/m68k 2.1
    -----> WWW home page at: http://www.clark.net/pub/lawrencc/ <----



Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#35523; Package lynx.

Acknowledgement sent to Chris Lawrence <quango@watervalley.net>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>.

Message #23 received at 35523@bugs.debian.org:

From: Chris Lawrence <quango@watervalley.net>
To: Klaus Weide <kweide@tezcat.com>
Cc: lynx-dev@sig.net, 35523@bugs.debian.org
Subject: Re: lynx-dev Bug#35523: lynx: cookie handling broken with non-printable characters (fwd)
Date: Wed, 7 Apr 1999 22:48:33 -0500
On Apr 05, Chris Lawrence wrote:
> On Mon, 5 Apr 1999, Klaus Weide wrote:
> > It just isn't possible to send a cookie like the following with HTTP:
> > 
> >     Set-Cookie: bunny="I3\012."
> >     (where \012 is LF)
> > 
> > Either the person reporting this misunderstands what's going on, or
> > is leaving out some information.
> 
> It may be a literal \012.  I need to take a look at the raw HTTP
> datastream from the CGI script, however.

Here's a transcript of a telnet session; it is a literal \012:

Trying 216.92.38.187...
Connected to lordsutch.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 08 Apr 1999 03:45:00 GMT
Server: Apache/1.3.3
Cache-Control: no-cache
Content-Language: en
Expires: Thu, 08 Apr 1999 04:45:02 GMT
Pragma: no-cache
Set-Cookie: firstvisit="I923543100\012."; Max-Age=5184000;
Set-Cookie: visitor=dialup136.WaterValley.Net; Max-Age=5184000;
Set-Cookie: count="I1\012."; Max-Age=5184000;
Last-Modified: Mon, 05 Apr 1999 17:27:49 GMT
Connection: close
Content-Type: text/html

Connection closed by foreign host.

The problem: the quotes aren't being stored in the .lynx_cookies file.


Chris
-- 
=============================================================================
|        Chris Lawrence       |       Get your Debian/m68k 2.1 CD-ROMs      |
|   <quango@watervalley.net>  |      http://www.clark.net/pub/lawrencc/     |
|                             |                                             |
|   Grad Student, Pol. Sci.   |            Watch Babylon 5 on TNT           |
|  University of Mississippi  |   <*> http://tnt.turner.com/babylon5/ <*>   |
=============================================================================
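
The round trip described in the message above, as an added example that is not part of the original thread and is not Lynx code: a persistent jar that drops the surrounding quotes turns an escaped quoted-string into a different value on the server side. The `name<TAB>value` jar format and all function names are hypothetical, and Python's current `http.cookies` is assumed to stand in for the 1999 Cookie module the reporter mentions.

```python
from http.cookies import SimpleCookie

# Constructed input modelled on the Set-Cookie lines quoted in the thread.
SET_COOKIE = [
    'count="I1\\012."; Max-Age=5184000;',
    'visitor=dialup136.WaterValley.Net; Max-Age=5184000;',
    'bunny="anything"',                      # no lifetime: session cookie
]

def parse_set_cookie(line):
    """Return (name, raw_value, persistent). Simplified: assumes no ';' in values."""
    pair, _, attrs = line.partition(";")
    name, _, raw = pair.strip().partition("=")
    keys = {a.strip().partition("=")[0].lower() for a in attrs.split(";")}
    return name, raw, bool(keys & {"max-age", "expires"})

def save_jar(lines, strip_quotes):
    """Write persistent cookies as 'name<TAB>value' lines (hypothetical format).
    strip_quotes=True models the defect reported in this bug."""
    rows = []
    for line in lines:
        name, raw, persistent = parse_set_cookie(line)
        if not persistent:
            continue                         # session cookies stay off disk
        if strip_quotes and len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        rows.append(f"{name}\t{raw}")
    return "\n".join(rows)

def cookie_header(jar_text):
    """Rebuild the Cookie request header from the jar after a restart."""
    return "; ".join("=".join(row.split("\t", 1)) for row in jar_text.splitlines())

def server_decode(header, name):
    """Value a server using http.cookies recovers for one cookie, or None."""
    for item in header.split("; "):
        key, _, raw = item.partition("=")
        if key == name:
            return SimpleCookie().value_decode(raw)[0]
    return None

if __name__ == "__main__":
    for strip in (False, True):
        header = cookie_header(save_jar(SET_COOKIE, strip))
        print(strip, header, repr(server_decode(header, "count")))
```

With the quotes kept, the server decodes `\012` back to a line feed; with them stripped, it receives the seven literal characters unchanged, which is the mismatch the reporter observed after a restart.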


Information forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#35523; Package lynx.

Acknowledgement sent to Klaus Weide <kweide@enteract.com>:
Extra info received and forwarded to list. Copy sent to Christian Hudon <chrish@debian.org>.

Message #28 received at 35523@bugs.debian.org:

From: Klaus Weide <kweide@enteract.com>
To: 35523@bugs.debian.org
Cc: Chris Lawrence <quango@watervalley.net>
Subject: Re: Bug#35523: lynx: cookie handling broken with non-printable characters
Date: Fri, 9 Jul 1999 07:32:28 -0500 (CDT)
Fixed in upstream development code as of 2.8.3dev.3.

   Klaus



Bug closed, ack sent to submitter - they'd better know why ! Request was from "H. Nanosecond" <aldomel@ix.netcom.com> to control@bugs.debian.org.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:59:59 2014; Machine Name: buxtehude.debian.org
