Debian Bug report logs - #385702
w3m rejects valid cookies based on false assumptions
Reported by: Nicolas George <nicolas.george@ens.fr>
Date: Sat, 2 Sep 2006 12:18:06 UTC
Severity: minor
Found in version w3m/0.5.1-5
Fixed in version w3m/0.5.3-25
Done: Tatsuya Kinoshita <tats@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#385702; Package w3m.
Acknowledgement sent to Nicolas George <nicolas.george@ens.fr>:
New Bug report received and forwarded. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
Message #5 received at submit@bugs.debian.org:
Package: w3m
Version: 0.5.1-5
"This cookie was rejected to prevent security violation. [wrong number of
dots]"
W3m rejects cookies for domain.tld (versus subdomain.domain.tld) unless
tld is one of .com, .edu, .gov, .mil, .net, .org and .int. This is done on
the assumption that other TLDs follow the .jp domain.subtld.tld model:
.co.jp for commercial sites, .ac.jp for academic sites, and so on. The
reason to reject such cookies is to prevent malicious sites from putting
cookies on whole subdomains, which would be akin to putting cookies on the
whole .com or .org TLD.
But the assumption is wrong: a lot of country code TLDs do not follow this
policy (including .jp, nowadays), and the hardcoded list of generic TLDs in
w3m is incomplete. That makes browsing some sites very annoying, due to a
lot of rejected cookies (each pausing for some time, if cookies are
displayed), and sometimes impossible (if the site is badly written).
The code is in cookie.c, lines 302 to 313, where the special_domain variable
is used.
For the record, in Firefox, the corresponding feature seems to be in
toolkit/components/places/src/nsNavHistory.cpp (with a "This should be moved
somewhere else (like cookies)" comment), near the end, with a hardcoded list
of ccTLDs with subtld policy. The complete hardcoded list is .uk and .kr.
Therefore, the simplest would be to simply remove this test, and accept
unconditionally cookies for domain.tld.
Regards,
--
Nicolas George
Irrelevant system information:
Debian Etch up to date
Linux she-seel 2.6.17.8-she-seel #1 PREEMPT Wed Aug 9 12:24:43 CEST 2006
x86_64 GNU/Linux
libc6 2.3.6.ds1-4
libgc1c2 6.7-2
libgpmg1 1.19.6-22
libncurses5 5.5-2
libssl0.9.8 0.9.8b-2
zlib1g 1.2.3-13
[signature.asc (application/pgp-signature, inline)]
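Added example, not part of the original report and not w3m's own code: a small C model of the dot-counting rule described in message #5, next to a suffix-list check, showing which cookie domains each one accepts. The function names are hypothetical, the Domain attribute is assumed to be written with a leading dot, and the suffix list is a constructed stand-in for a full public-suffix list.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Generic TLDs named in the report; all other TLDs are assumed to use subtlds. */
static const char *special_tld[] = {
    ".com", ".edu", ".gov", ".mil", ".net", ".org", ".int", NULL
};
/* Constructed stand-in for a public-suffix list (assumption, tiny on purpose). */
static const char *public_suffix[] = { "co.uk", "co.jp", "ac.jp", "co.kr", NULL };

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcasecmp(s + ls - lx, suffix) == 0;
}

/* Dot-counting rule as described: Domain=".example.tld" (two dots) passes
 * only for a special TLD; any other TLD needs three dots.
 * Returns 1 to accept, 0 to reject ("wrong number of dots"). */
int dots_rule_accepts(const char *domain)
{
    int dots = 0, need = 3;
    for (const char *p = domain; *p; p++)
        if (*p == '.') dots++;
    for (const char **t = special_tld; *t; t++)
        if (ends_with(domain, *t)) need = 2;
    return dots >= need;
}

/* Suffix-list rule: reject only a bare TLD or a listed registry suffix. */
int suffix_rule_accepts(const char *domain)
{
    const char *name = (*domain == '.') ? domain + 1 : domain;
    if (strchr(name, '.') == NULL)
        return 0;                    /* ".fr" would cover a whole TLD */
    for (const char **s = public_suffix; *s; s++)
        if (strcasecmp(name, *s) == 0)
            return 0;                /* ".co.uk" would cover every site under it */
    return 1;
}

int main(void)
{
    const char *d[] = { ".example.com", ".example.fr", ".co.uk", NULL };
    for (const char **p = d; *p; p++)
        printf("%-14s dots=%d suffix=%d\n", *p, dots_rule_accepts(*p), suffix_rule_accepts(*p));
    return 0;
}
```

Both rules refuse ".co.uk", but only the dot-counting rule also refuses ".example.fr", which is the false rejection this report is about.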
Information forwarded
to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#385702; Package w3m.
(Wed, 26 Oct 2011 16:54:03 GMT).
Acknowledgement sent
to Antoine Amarilli <antoine.amarilli@ens.fr>:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>.
(Wed, 26 Oct 2011 16:54:03 GMT).
Message #10 received at 385702@bugs.debian.org:
w3m 0.5.3 includes an option to work around this problem for specific
domains (function check_avoid_wrong_number_of_dots_domain in cookie.c).
However, this is not a satisfactory solution, so the problem still
stands.
--
Antoine Amarilli
[signature.asc (application/pgp-signature, inline)]
Severity set to 'minor' from 'normal'
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Tue, 15 Nov 2011 01:51:05 GMT).
Reply sent
to Tatsuya Kinoshita <tats@debian.org>:
You have taken responsibility.
(Sat, 10 Oct 2015 11:09:11 GMT).
Notification sent
to Nicolas George <nicolas.george@ens.fr>:
Bug acknowledged by developer.
(Sat, 10 Oct 2015 11:09:11 GMT).
Message #17 received at 385702-close@bugs.debian.org:
Source: w3m
Source-Version: 0.5.3-25
We believe that the bug you reported is fixed in the latest version of
w3m, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 385702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tatsuya Kinoshita <tats@debian.org> (supplier of updated w3m package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 10 Oct 2015 19:44:12 +0900
Source: w3m
Binary: w3m w3m-img
Architecture: source amd64
Version: 0.5.3-25
Distribution: unstable
Urgency: medium
Maintainer: Tatsuya Kinoshita <tats@debian.org>
Changed-By: Tatsuya Kinoshita <tats@debian.org>
Description:
w3m - WWW browsable pager with excellent tables/frames support
w3m-img - inline image extension support utilities for w3m
Closes: 385702
Changes:
w3m (0.5.3-25) unstable; urgency=medium
.
* Update 020_debian.patch to v0.5.3+git20151010
- Remove incomplete special_domain tests (closes: #385702)
- Fix unknown key in keymap.lynx (LP: #265144)
* Set Priority to optional
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 05 Dec 2015 07:25:16 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 5 03:08:03 2023; Machine Name: buxtehude