Bug 134421

Summary: Konqueror cannot load a webpage that other browsers can.
Product: [Unmaintained] kio Reporter: jarlath <jarlathreidy>
Component: httpAssignee: Dawit Alemayehu <adawit>
Status: RESOLVED FIXED    
Severity: critical    
Priority: VHI    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description jarlath 2006-09-21 01:35:42 UTC
Version:           3.5.2 (using KDE 3.5.2, Kubuntu Package 4:3.5.2-0ubuntu18.1 dapper)
Compiler:          Target: i486-linux-gnu
OS:                Linux (i686) release 2.6.15-27-686

konqueror cannot load the webpage www.bhphoto.com or www.bhphotovideo.com although firefox can. I have tried entering the address in the address bar as well as using the ALT+F2 shortcut. The latter method results in no konqueror window opening at all - even to inform of a failure.
Comment 1 Allan Sandfeld 2006-11-19 17:34:41 UTC
Confirmed, actually I can't fetch it using any KDE program. So I assume it is kio-http that has a problem with that server
Comment 2 Niels 2006-11-19 22:31:35 UTC
www.bhphoto.com loads fine on my standard 3.5.5 Konqueror.
Comment 3 Dawit Alemayehu 2007-09-01 16:30:02 UTC
This is an incidental but very nasty bug that was introduced when we added support for automatically accepting session cookies, i.e. cookies that do not specify expiration date.

This also causes a security vulnerability! Increased Priority and severity levels to maximum. Currently testing fix.
Comment 4 Dawit Alemayehu 2007-09-01 19:27:45 UTC
r707375 | adawit | 2007-09-01 13:19:13 -0400 (Sat, 01 Sep 2007) | 3 lines

- Fix BR# 134421 and as a result fix a cross-site cookie injection vulnerability.
- Simplyfy the code that saves the contents of the cookiejar in KCookieServer.


Index: kcookiejar.cpp
===================================================================
--- kcookiejar.cpp      (revision 653731)
+++ kcookiejar.cpp      (revision 707375)
@@ -981,44 +981,27 @@
 //
 KCookieAdvice KCookieJar::cookieAdvice(KHttpCookiePtr cookiePtr)
 {
-    QStringList domains;
-
     if (m_rejectCrossDomainCookies && cookiePtr->isCrossDomain())
        return KCookieReject;

-    if (m_autoAcceptSessionCookies && (cookiePtr->expireDate() == 0 ||
-        m_ignoreCookieExpirationDate))
-       return KCookieAccept;
+    QStringList domains;

     extractDomains(cookiePtr->host(), domains);

-    // If the cookie specifies a domain, check whether it is valid and
-    // correct otherwise.
+    // If the cookie specifies a domain, check whether it is valid. Otherwise,
+    // accept the cookie anyways but removes the domain="" value to prevent
+    // cross-site cookie injection.
     if (!cookiePtr->domain().isEmpty())
     {
-       bool valid = false;
-
-       // This checks whether the cookie is valid based on
-       // what ::extractDomains returns
-       if (!valid)
-       {
-          if (domains.contains(cookiePtr->domain()))
-             valid = true;
-       }
-
-       if (!valid)
-       {
-          // Maybe it points to a sub-domain
-          if (cookiePtr->domain().endsWith("."+cookiePtr->host()))
-             valid = true;
-       }
-
-       if (!valid)
-       {
+      if (!domains.contains(cookiePtr->domain()) &&
+          !cookiePtr->domain().endsWith("."+cookiePtr->host()))
           cookiePtr->fixDomain(QString::null);
-       }
     }

+    if (m_autoAcceptSessionCookies && (cookiePtr->expireDate() == 0 ||
+        m_ignoreCookieExpirationDate))
+       return KCookieAccept;
+
     KCookieAdvice advice = KCookieDunno;
     bool isFQDN = true; // First is FQDN
     QStringList::Iterator it = domains.begin(); // Start with FQDN which first in the list.
Index: tests/cookie.test
===================================================================
--- tests/cookie.test   (revision 653731)
+++ tests/cookie.test   (revision 707375)
@@ -144,3 +144,8 @@
 CHECK http://z.foobar.com/
 CHECK http://www.foobar.com/
 CHECK http://foobar.com/
+CLEAR COOKIES
+## Check domain restrictions #8
+CONFIG AcceptSessionCookies true
+COOKIE ACCEPT http://www.foobar.com Set-Cookie: from=foobar.com; domain=bar.com; Path="/"
+CHECK http://bar.com
Index: kcookieserver.cpp
===================================================================
--- kcookieserver.cpp   (revision 653731)
+++ kcookieserver.cpp   (revision 707375)
@@ -86,7 +86,8 @@
    mPendingCookies->setAutoDelete(true);
    mRequestList = new RequestList;
    mAdvicePending = false;
-   mTimer = 0;
+   mTimer = new QTimer();
+   connect( mTimer, SIGNAL( timeout()), SLOT( slotSave()));
    mConfig = new KConfig("kcookiejarrc");
    mCookieJar->loadConfig( mConfig );

@@ -186,6 +187,7 @@
     KHttpCookiePtr cookie = list->first();
     while (cookie)
     {
+        kdDebug(7104) << "checkCookies: Asking cookie advice for " << cookie->host() << endl;
         KCookieAdvice advice = mCookieJar->cookieAdvice(cookie);
         switch(advice)
         {
@@ -256,7 +258,7 @@
                break;

            default:
-               qWarning(__FILE__":%d Problen!", __LINE__);
+               qWarning(__FILE__":%d Problem!", __LINE__);
                cookie = mPendingCookies->next();
                break;
            }
@@ -292,26 +294,22 @@
           request = mRequestList->next();
         }
     }
-    if (mCookieJar->changed() && !mTimer)
+    if (mCookieJar->changed())
         saveCookieJar();
 }

 void KCookieServer::slotSave()
 {
-   delete mTimer;
-   mTimer = 0;
    QString filename = locateLocal("data", "kcookiejar/cookies");
    mCookieJar->saveCookies(filename);
 }

 void KCookieServer::saveCookieJar()
 {
-    if( mTimer )
+    if( mTimer->isActive() )
         return;

-    mTimer = new QTimer();
-    connect( mTimer, SIGNAL( timeout()), SLOT( slotSave()));
-    mTimer->start( 1000*60*SAVE_DELAY );
+    mTimer->start( 1000*60*SAVE_DELAY, true );
 }

 void KCookieServer::putCookie( QStringList& out, KHttpCookie *cookie,
@@ -391,12 +389,12 @@
       mRequestList->append( request );
       return QString::null; // Talk to you later :-)
    }
-
+
    QString cookies = mCookieJar->findCookies(url, false, windowId);
-
-   if (mCookieJar->changed() && !mTimer)
+
+   if (mCookieJar->changed())
       saveCookieJar();
-
+
    return cookies;
 }

@@ -491,8 +489,7 @@
          if( cookieMatches(it.current(), domain, fqdn, path, name) )
          {
             mCookieJar->eatCookie( it.current() );
-            if (!mTimer)
-               saveCookieJar();
+            saveCookieJar();
             break;
          }
       }
@@ -504,8 +501,7 @@
 KCookieServer::deleteCookiesFromDomain(QString domain)
 {
    mCookieJar->eatCookiesForDomain(domain);
-   if (!mTimer)
-      saveCookieJar();
+   saveCookieJar();
 }


@@ -521,16 +517,14 @@
 KCookieServer::deleteSessionCookies( long windowId )
 {
   mCookieJar->eatSessionCookies( windowId );
-  if(!mTimer)
-    saveCookieJar();
+  saveCookieJar();
 }

 void
 KCookieServer::deleteSessionCookiesFor(QString fqdn, long windowId)
 {
   mCookieJar->eatSessionCookies( fqdn, windowId );
-  if(!mTimer)
-    saveCookieJar();
+  saveCookieJar();
 }

 // DCOP function
@@ -538,8 +532,7 @@
 KCookieServer::deleteAllCookies()
 {
    mCookieJar->eatAllCookies();
-   if (!mTimer)
-      saveCookieJar();
+   saveCookieJar();
 }