Bug#553169: iceweasel sends malformed Cookie: headers (e.g. for google-analytics)

Mike Hommey mh at glandium.org
Mon Dec 28 15:40:30 UTC 2009


tag 553169 wontfix
thanks

On Mon, Dec 28, 2009 at 12:06:17PM +0100, Marc Lehmann wrote:
> On Mon, Dec 28, 2009 at 11:54:11AM +0100, Mike Hommey <mh at glandium.org> wrote:
> > > In any case, the bugreport is pretty clear, the bug is pretty obvious, and
> > > if there is anything in the report is unclear I will happily clarify it.
> > 
> > Let me make things clear: if we ever change the way the Cookies are sent
> > to the servers, this will matter to those servers that do set cookies
> > with unquoted =
> 
> Why? The format of the cookie-header is determined by the browser only
> (note also that Set-Cookie and Cookie headers are different headers with
> different formats).

The data contained in the cookie is determined by the server, most of
the time.

> > And google servers are such servers. So if escaping cookies
> > is going to break interaction with google servers, it's definitely a stopper.
> 
> Mike... you keep repeating some issue with google *servers*, but for some
> reason, despite me asking you, you never explain how you come up with
> them.  Is it because I mentioned google-analytics in my example? This
> is just the format of the cookie, it is not sent or received by google
> servers in the example.

Google servers are a well known and widely used set of servers
that happen to be heavy users of "=" characters in the cookie value.
Changing the browser behaviour is going to affect *at least* these
servers, and all others that rely on any such "special" characters *not*
to be escaped.

> If you are independently concerned about whether google servers are
> somehow broken, you should ask google, I am not in a position to test that
> (I am not affiliated with google), but if it is broken, they might be
> interested to know about it so they can fix it.

I am concerned that fixing your problem will break other things. Many
other things.

> However, your reply sounds like "the bug won't be fixed even though it causes
> known breakage, while evidence to the contrary doesn't exist, but who knows
> what google does", then I am truly at a loss for words.
> 
> I didn't know it was debian policy to keep bugs unfixed that break stuff
> because they are scared that one company might have a bug (that would
> cause issues with other browsers who get it right...).
> 
> But in that case, my participation with this bugreport ends here, as I am
> not inclined to debug or fix google's servers, and google has nothing
> to do with the bug or the example - this discussion is then a waste of
> time, because I reported a bug in iceweasel in debian, not in google.
> 
> In any case, since for some reason you always bring in google servers
> into this discussion, while the problem doesn't even have anything to do
> with google servers, may I ask *you* if you are somehow affiliated with
> google? It seems strange to me that you hammer the google server issue all
> the time. What is so special about google?

The reason why I'm always getting back to google servers is given above,
plus the fact that your original problem was with the cookies set by
a google product.

Now, while I do agree that per RFC 2109, these characters shouldn't be
here, it also happens that:
- Firefox doesn't escape these characters,
- Epiphany/WebKit doesn't escape these characters,
- Lynx doesn't escape these characters,
- Internet Explorer doesn't escape these characters.

Now, what do you think is going to happen if Iceweasel starts escaping
these characters?

Simple answer: I'll get a lot of bug reports that a lot of Google stuff
stops working. And others too.

I just did the research I kindly asked you to do, and it so happens that
quoting the cookie value *does* break Google[1].

So, what do you prefer? Escaping cookie values in a barely used
browser, and breaking (at the very least) Google services with it, or
parsing cookies as explained in a previous message on your server?

And if you think Google is alone using the = character in cookies, here
is the number of distinct hosts that set a cookie value containing an =
in my cookie list, but which cookie name doesn't start with __ut or
__gads (i.e. these cookies are *not* from google analytics or google
ads):
sqlite> select count(distinct(host)) from moz_cookies where value like "%=%" and name not like "__ut%" and name != "__gads";
104

Well known sites in this list: linkedin.com, microsoft.com, orange.fr,
yahoo.com, imdb.com, dell.com, myspace.com, etc.

That's far from being marginal use.

That's a big show-stopper for me.

Mike

1.
$ COOKIE="PREF=ID=be50acb7d8ed3c28:U=d801a4866af32997:FF=1:LD=fr:NR=10:TM=1238476945:LM=1262011455:S=Ig1LKAo5QD7EKmVZ"
$ curl -s -A 'Lynx' 'http://images.google.com/images?hl=en&q=test' | grep -q 'Strict SafeSearch' && echo strict
$ curl -s -A 'Lynx' -b "$COOKIE" 'http://images.google.com/images?hl=en&q=test' | grep -q 'Strict SafeSearch' && echo strict
strict
$ echo "$COOKIE" | sed 's/=/%3D/g;s/%3D/=/;s/:/%3A/g' # because ":" too, is not allowed
PREF=ID%3Dbe50acb7d8ed3c28%3AU%3Dd801a4866af32997%3AFF%3D1%3ALD%3Dfr%3ANR%3D10%3ATM%3D1238476945%3ALM%3D1262011455%3AS%3DIg1LKAo5QD7EKmVZ
$ curl -s -A 'Lynx' -b "$(echo "$COOKIE" | sed 's/=/%3D/g;s/%3D/=/;s/:/%3A/g')" 'http://images.google.com/images?hl=en&q=test' | grep -q 'Strict SafeSearch' && echo strict
$
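Added example (my own illustration, not code from this thread or from Iceweasel): a small Python model of the two server-side parsing strategies the mail argues about. It compares a strict RFC 2109 token/quoted-string parse with the "split on the first '=' only" parse that deployed servers actually use, and mirrors the sed pipeline from the footnote to show that a %-escaped value is simply a different string to a server that does not %-decode. The PREF cookie is the one from the footnote above; the separator set is taken from the RFC 2068 token grammar.

```python
from urllib.parse import unquote

# Separators that RFC 2109 (via the RFC 2068 "token" grammar) forbids in an
# unquoted cookie value; note that "=" and ":" are both on the list.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def parse_cookie_strict(header):
    """RFC 2109-style parse: reject an unquoted value containing a separator."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed cookie-pair: {pair!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string: separators are allowed inside
        elif any(not 32 < ord(c) < 127 or c in _SEPARATORS for c in value):
            raise ValueError(f"illegal character in value of {name!r}: {value!r}")
        cookies[name] = value
    return cookies

def parse_cookie_lenient(header):
    """What deployed servers do: split on ';', then on the FIRST '=' only."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()  # '=' and ':' stay in the value
    return cookies

def strict_accepts(header):
    """True if the header passes the RFC 2109 grammar above."""
    try:
        parse_cookie_strict(header)
        return True
    except ValueError:
        return False

def escape_cookie_pair(pair):
    """Mirror the mail's sed pipeline: %-encode '=' and ':' in the value only."""
    name, _, value = pair.partition("=")
    return name + "=" + value.replace("=", "%3D").replace(":", "%3A")

# The PREF cookie from the footnote above, exactly as Google set it.
GOOGLE_PREF = ("PREF=ID=be50acb7d8ed3c28:U=d801a4866af32997:FF=1:LD=fr:NR=10:"
               "TM=1238476945:LM=1262011455:S=Ig1LKAo5QD7EKmVZ")
```

A server that wants both behaviours has to %-decode the value itself after the lenient split; nothing in the Cookie header tells it whether the browser escaped anything.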
