Ticket #7325 (closed Bug: fixed)
Plone Hotfix 20071106 breaks long status messages (depends on browser behavior)
| Reported by: | slinkp | Owned by: | hannosch |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Infrastructure | Keywords: | hotfix status message 502 gateway |
| Cc: | security@… |
Description
With Plone hotfix 20071106 installed on Plone 2.5, the cookies are set with embedded newlines, which is not compliant with the relevant RFCs. Firefox seems to tolerate it. Don't know about IE. Twill/mechanize behaves badly - the cookies sent with the next request are mangled; not just PSMs, but the auth cookies are lost.
The attached patch fixes this.
Attachments
Change History
comment:1 Changed 4 years ago by wichert
- Cc security@… added
- Owner changed from somebody to hannosch
- Component changed from Unknown to Infrastructure
comment:2 follow-up: ↓ 3 Changed 4 years ago by alecm
Not sure what the exact differences between base64.encodestring and binascii.b2a_base64 would be here. The binascii methods seem to be intended to handle single lines only. Is this always the case with status messages (seems unlikely)? Is this simply about removing the trailing newline? MJ any ideas?
comment:3 in reply to: ↑ 2 Changed 4 years ago by mj
Replying to alecm:
> Not sure what the exact differences between base64.encodestring and binascii.b2a_base64 would be here.
base64.encodestring puts in newlines every 76 characters, not a good thing in a cookie indeed. binascii.b2a_base64 does not.
comment:4 Changed 4 years ago by davisagli
- Keywords 502 gateway added
Note that when accessing a Zope instance via Apache's mod_proxy, this causes Apache to display a 502 Gateway Error, with the following in the Apache error log: proxy: bad HTTP/1.1 header returned
This issue is still present in Plone 3.0.3.
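Added example, not part of the ticket or the attached patch: it reproduces the difference described in comment 3 and shows a check that rejects the kind of header value behind the 502 in comment 4. `base64.encodebytes` is the Python 3 name for the old `base64.encodestring`; the function names, the cookie name `status_msg` and the sample message are assumptions made for illustration.

```python
import base64
import binascii

# Constructed sample: a 120-byte status message, long enough to wrap.
MESSAGE = b"Changes saved. " * 8


def encode_wrapped(message: bytes) -> bytes:
    """MIME-style base64: a newline after every 76 output characters."""
    return base64.encodebytes(message)


def encode_single_line(message: bytes) -> bytes:
    """Single-line base64. b2a_base64 still appends one trailing newline,
    which must be stripped before the value is placed in a header."""
    return binascii.b2a_base64(message).rstrip(b"\n")


def header_safe(value: bytes) -> bool:
    """True if the value contains no CR, LF or other control bytes."""
    return not any(b < 0x20 or b == 0x7F for b in value)


def set_cookie_header(name: str, value: bytes) -> str:
    """Build a Set-Cookie line, refusing values that would split the header."""
    if not header_safe(value):
        raise ValueError("cookie value contains control characters")
    return "Set-Cookie: %s=%s; Path=/" % (name, value.decode("ascii"))


if __name__ == "__main__":
    wrapped = encode_wrapped(MESSAGE)
    single = encode_single_line(MESSAGE)
    print("wrapped newlines:", wrapped.count(b"\n"))
    print("single-line newlines:", single.count(b"\n"))
    print(set_cookie_header("status_msg", single))  # hypothetical cookie name
    try:
        set_cookie_header("status_msg", wrapped)
    except ValueError as exc:
        print("rejected wrapped value:", exc)
```

Both encoders produce the same base64 characters; only the line breaks differ, so a receiver that decodes the single-line form needs no change.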

