Bug#553169: iceweasel sends malformed Cookie: headers (e.g. for google-analytics)

Mike Hommey mh at glandium.org
Thu Dec 24 08:26:58 UTC 2009


On Thu, Dec 24, 2009 at 02:27:00AM +0100, Marc Lehmann wrote:
> On Wed, Dec 23, 2009 at 04:38:57PM +0100, Mike Hommey <mh at glandium.org> wrote:
> > The fact is, even the servers are not quoting the = signs in the
> 
> Wrong, servers rarely if ever send cookies - it's applications behind
> them, and it's up to them how buggy they are and how they format their
> headers - I know of no server that checks cookie header lines for
> well-formedness.

The google servers *do* send cookies with Set-Cookie, and they *do*
contain = characters unquoted.

> So obviously, yes, there are a lot of buggy programs out there, including
> server-side apps.
> 
> > does, and i do agree the property should be quoted. OTOH, as it
> > apparently works with the current way, I wonder...
> 
> Wrong, it apparently did _not_ work that way, otherwise I would have never
> found out.
> 
> Note that apps choking on some cookie in some way or another is not
> normally noticed by anybody, unless it leads to actual problems (in my
> case, a user couldn't login because the google cookie was acquired by
> sld.domain and sent to subdomain.sld.domain which choked on the malformed
> cookie that was sent back).
> 
> So by all appearances, this could be a rather big bug with wide area of
> effect, as it often isn't noticed, as apps are prepared to find no cookie,
> whether because the cookie header is broken or the cookie is not there
> makes little difference.
> 
> I see no evidence for your "apparently works".

It apparently works for google...

> If you try to make the point that if some apps are buggy, so all of them
> should be buggy, then, well, I keep hearing this for firefox/mozilla, but
> it still makes no sense to me.

My point was more about the fact that quoting them can actually break
interaction with the servers that currently are waiting for = to be
non-quoted. IOW, I do agree there is a bug, but I am unsure it is safe
to fix.

OTOH, I guess google, since they seem to be dealing properly with their
own cookie, are "just" splitting the cookie string at ; characters, then 
take the variable name until the first = and take the rest as the value.
If the server you are talking about doesn't do that, then yes, it will
probably fail to handle such cookies.

Another problem is that maybe some servers are unquoting the cookies
before they are passed to the applications/scripts in which case quoting
or not at transport level wouldn't change anything for the application.

If you could investigate all this, I would very much appreciate it, but if
you can't, I'll just do it, though probably not for a while.

Thanks.

Mike
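As an added illustration of the two server-side parsing strategies contrasted above (example code written for this page, not code from the thread, from Iceweasel/Mozilla, or from Google): one parser splits each pair on every `=` and chokes when a value carries an unquoted `=`, the other splits the name off at the first `=`, keeps the rest verbatim and strips one layer of double quotes, so it accepts both the unquoted form the thread says Google's servers send and the quoted form a fixed Iceweasel would send. The cookie names and values below are constructed, not captured from any server.

```python
"""Naive vs lenient parsing of a Cookie: request header.

Added illustration for the bug discussion; not Iceweasel, Mozilla or Google
code.  Sample header strings are constructed for the example.
"""
from typing import Dict, Optional


def parse_cookie_naive(header: str) -> Optional[Dict[str, str]]:
    """Split every pair on each '=' and give up (return None) as soon as a
    pair does not consist of exactly one name and one value.

    This mimics the fragile application behaviour the thread describes:
    a value containing an unquoted '=' makes the whole header unusable,
    and the application then behaves as if no cookie had been sent.
    """
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        parts = pair.split("=")
        if len(parts) != 2:
            return None  # extra '=' inside the value: this parser chokes
        cookies[parts[0].strip()] = parts[1].strip()
    return cookies


def parse_cookie_lenient(header: str) -> Dict[str, str]:
    """Split on ';', take the name up to the first '=' and keep the rest as
    the value, then remove one surrounding pair of double quotes if present.

    The first-'=' split is the strategy the thread guesses Google uses;
    the unquoting step is what lets the same code accept a client that
    quotes values at transport level (the proposed Iceweasel fix).
    """
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            continue  # bare token without a value; ignore it
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip one layer of transport-level quoting
        cookies[name.strip()] = value
    return cookies


# Constructed sample headers: the second is what a client that quotes
# values containing '=' would send for the same cookies.
UNQUOTED_HEADER = "sid=abc123; tracking=src=direct|med=none"
QUOTED_HEADER = 'sid=abc123; tracking="src=direct|med=none"'

if __name__ == "__main__":
    for h in (UNQUOTED_HEADER, QUOTED_HEADER):
        print("naive  :", parse_cookie_naive(h))
        print("lenient:", parse_cookie_lenient(h))
```

Run as a script, the naive parser returns `None` for both headers (quoting does not help it, since the quoted value still contains `=`), while the lenient parser yields the same two cookies either way. That is the point behind the caution in the message above: whether quoting at transport level fixes or breaks anything depends entirely on how the receiving application (or a server layer that unquotes before handing the header on) splits the string.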