Package: iceweasel
Version: 3.0.6-3
Severity: normal

Iceweasel sends malformed Cookie: headers. A common example is the cookies from
google-analytics, which lead to this Cookie: header:

Cookie: __utma=73875437.8485834585.4574587886.4535834548.4574587458.1; 
__utmz=83474878.9498399889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
__utmv=77383838.Lead

The problem here is the __utmz cookie, which contains separator characters
(none of "=", "(" or ")" is allowed unquoted).

I tested three server backend implementations and all stop parsing at the first 
"=".

This is often not an issue as those cookies come last, but when an
application-specific cookie comes after those, many implementations fail
to see it because of the mangled cookie value.

(The definition of an unquoted value can be found, e.g., in RFC 2616.)

The solution is to properly quote the value (as quoted-string).

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils             2.30             Miscellaneous utilities specific t
ii  fontconfig              2.6.0-3          generic font configuration library
hi  libc6                   2.7-18           GNU C Library: Shared libraries
ii  libglib2.0-0            2.20.0-2         The GLib library of C routines
ii  libgtk2.0-0             2.12.12-1~lenny1 The GTK+ graphical user interface 
ii  libnspr4-0d             4.7.1-4          NetScape Portable Runtime Library
ii  libstdc++6              4.4.1-4          The GNU Standard C++ Library v3
ii  procps                  1:3.2.7-11       /proc file system utilities
ii  psmisc                  22.6-1           Utilities that use the proc filesy
ii  xulrunner-1.9           1.9.0.14-0lenny1 XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  latex-xft-fonts 0.1-8                    Xft-compatible versions of some La
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  mozplugger      1.10.2-2                 Plugin allowing external viewers t
pn  ttf-mathematica <none>                   (no description available)
pn  xfonts-mathml   <none>                   (no description available)
ii  xprint          2:1.4.2-10.lenny2        X11 print system (binary)
pn  xulrunner-1.9-g <none>                   (no description available)

-- no debconf information
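Added example (not part of the bug report, and not Iceweasel or Debian code): a small Python model of the two server-side behaviours the report contrasts. parse_cookie_strict follows the RFC 2616 grammar (cookie-pair = token "=" (token | quoted-string)) and, as an assumption modelled on the report, stops at the first byte the grammar does not allow, keeping what it has parsed so far. parse_cookie_lenient splits only on ";" and the first "=". quote_cookie_value applies the fix the report proposes. The header is the one quoted in the report, unfolded onto one line, with a constructed application cookie "session=abc123" appended after the google-analytics cookies so the loss is visible.

```python
# Added example, not code from the original bug report. Models a strict
# (RFC 2616 token / quoted-string) Cookie: parser next to a lenient one.

SEPARATORS = set('()<>@,;:\\"/[]?={} \t')          # RFC 2616 "separators"
TOKEN_CHARS = {chr(c) for c in range(33, 127)} - SEPARATORS

# Header from the report (unfolded); "session=abc123" is a constructed
# application cookie placed after the google-analytics cookies.
REPORT_HEADER = (
    "__utma=73875437.8485834585.4574587886.4535834548.4574587458.1; "
    "__utmz=83474878.9498399889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    "__utmv=77383838.Lead; session=abc123"
)


def is_token(s):
    """True if s is a non-empty RFC 2616 token (no CTLs, no separators)."""
    return bool(s) and all(ch in TOKEN_CHARS for ch in s)


def quote_cookie_value(value):
    """Leave a token alone; otherwise wrap it as a quoted-string with
    backslash-escaped DQUOTE and backslash (the fix the report asks for)."""
    if is_token(value):
        return value
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_cookie_header(pairs):
    """Serialize (name, value) pairs, quoting any value that is not a token."""
    return "; ".join(f"{name}={quote_cookie_value(value)}" for name, value in pairs)


def parse_cookie_strict(header):
    """RFC 2616-style parser: name is a token, value is a token or a
    quoted-string. Assumption modelled on the report: on the first byte the
    grammar does not permit, parsing stops and later cookies are never seen."""
    cookies, i, n = {}, 0, len(header)
    while i < n:
        while i < n and header[i] in ' \t;':        # skip OWS and ';'
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] in TOKEN_CHARS:   # name = token
            i += 1
        name = header[start:i]
        if not name or i >= n or header[i] != '=':
            break
        i += 1
        if i < n and header[i] == '"':              # value = quoted-string
            i, chars, closed = i + 1, [], False
            while i < n:
                ch = header[i]
                if ch == '\\' and i + 1 < n:        # quoted-pair
                    chars.append(header[i + 1]); i += 2; continue
                if ch == '"':
                    closed, i = True, i + 1; break
                chars.append(ch); i += 1
            if not closed:
                break
            value = ''.join(chars)
        else:                                       # value = token
            start = i
            while i < n and header[i] in TOKEN_CHARS:
                i += 1
            value = header[start:i]
        cookies[name] = value
        if i < n and header[i] not in ' \t;':       # e.g. the "=" inside __utmz
            break
    return cookies


def parse_cookie_lenient(header):
    """Split on ';' and on the first '=' only; quotes are passed through."""
    cookies = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def demo():
    """Return (strict view of the raw header, strict view after quoting)."""
    lenient = parse_cookie_lenient(REPORT_HEADER)
    fixed = build_cookie_header(lenient.items())
    return parse_cookie_strict(REPORT_HEADER), parse_cookie_strict(fixed)


if __name__ == "__main__":
    before, after = demo()
    print("strict parser, raw header  :", sorted(before))
    print("strict parser, quoted __utmz:", sorted(after))
```

With the raw header the strict parser stops inside __utmz, so "session" never reaches the application; once __utmz is serialized as a quoted-string the strict parser sees all four cookies. One caveat for the server side: a lenient parser of the kind modelled here hands the surrounding quotes through to the application unchanged, so a value quoted this way must be unquoted by whichever layer consumes it.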
