Ticket #1143 (closed defect: fixed)

Opened 2 years ago

Last modified 19 months ago

TiddlyWiki creates invalid cookies

Reported by: simonmcmanus
Owned by: MartinBudden
Priority: major
Milestone: 2.6.1
Component: core
Version:
Severity: medium
Keywords:
Cc:

Description

TiddlyWiki allows users to create cookies which contain brackets which are illegal characters.

See:

 http://trac.tiddlywiki.org/ticket/1142

and:

RFCs 2965 and 2616

Change History

Changed 2 years ago by FND

  • milestone changed from 2.6 to 2.6.1

Changed 22 months ago by FND

TiddlyWiki actually does ensure cookie values are valid:  http://trac.tiddlywiki.org/browser/Trunk/core/js/Options.js?rev=12048#L7 It does not encode cookie names though. If used correctly, no macro should create invalid cookie names - it is unclear whether invalid user input should be handled at this level.

What was the original scenario revealing this issue?

Changed 22 months ago by simonmcmanus

The original scenario was using tiddler names to store the state of a slider.

Changed 22 months ago by FND

  • status changed from new to closed
  • resolution set to invalid

I'm afraid that statement lacks information allowing me to reproduce the issue.

Marking as invalid for now. Please reopen when more information is available.

Changed 22 months ago by FND

  • status changed from closed to reopened
  • resolution invalid deleted

originally posted by simonmcmanus:

To reproduce:

[1] Add the following line into a tiddler served by TiddlyWeb:

<<slider chkTestS)lider [[OptionsPanel]] "Click Me!!!" "Open advanced options">>

[2] Click done.

[3] Click the "Click Me!!!" button.

[4] Refresh the page.

[5] You will see this error:

400 Bad Request: ('malformed cookie: Illegal key value: chkTestS)lider',)


You will be unable to see any content on the TiddlyWeb server until you have manually deleted the cookie.

The same issue occurs if you use:

<<slider "chkTestS)lider" [[OptionsPanel]] "Click Me!!!" "Open advanced options">>

and

<<slider 'chkTestS)lider' [[OptionsPanel]] "Click Me!!!" "Open advanced options">>

Changed 22 months ago by FND

chkTestS)lider

As suspected, this is a user error. It is currently unclear whether or where this should be handled. (It seems undesirable for users to enter a cookie name in the first place.)

Changed 20 months ago by FND

  • owner changed from FND to MartinBudden
  • status changed from reopened to new

Martin suggested a simple fix that would ensure things don't break: add an alert in saveOptionsCookie if the cookie name is invalid.

While not pretty, this would satisfy the basic requirements.

Changed 19 months ago by MartinBudden

  • status changed from new to closed
  • resolution set to fixed

Fixed in changeset:12283
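
A cookie-name check of the kind suggested above, as an added example that is not part of the ticket or of TiddlyWiki's code: it tests a name against the RFC 2616 token grammar (no control characters, no separators such as brackets) before anything is written. The function names, the `jar` array standing in for `document.cookie`, and the use of `encodeURIComponent` for the value are assumptions.

```javascript
// Added example: function names are hypothetical, not TiddlyWiki's own.

// RFC 2616 section 2.2 separators. A token (and so a cookie name) may not
// contain these, control characters, or non-ASCII characters.
const SEPARATORS = '()<>@,;:\\"/[]?={} \t';

// Return the distinct offending characters of a proposed cookie name, in order.
function illegalCookieNameChars(name) {
  const bad = [];
  for (const ch of String(name)) {
    const code = ch.codePointAt(0);
    const isCtl = code <= 31 || code === 127;
    const isNonAscii = code > 127;
    if ((isCtl || isNonAscii || SEPARATORS.includes(ch)) && !bad.includes(ch)) {
      bad.push(ch);
    }
  }
  return bad;
}

// A valid name is a non-empty token.
function isValidCookieName(name) {
  return String(name).length > 0 && illegalCookieNameChars(name).length === 0;
}

// Refuse to write a cookie with an invalid name and report why.
// `jar` stands in for document.cookie so the example runs outside a browser;
// `report` stands in for alert().
function saveOptionCookieChecked(jar, name, value, report) {
  if (!isValidCookieName(name)) {
    report('Invalid cookie name "' + name + '": illegal characters ' +
           JSON.stringify(illegalCookieNameChars(name)));
    return false;
  }
  // Assumption: the value is escaped with encodeURIComponent.
  jar.push(name + '=' + encodeURIComponent(value));
  return true;
}

// Constructed sample input: the slider cookie name from the ticket, then a clean one.
const jar = [];
const messages = [];
saveOptionCookieChecked(jar, 'chkTestS)lider', 'true', (m) => messages.push(m));
saveOptionCookieChecked(jar, 'chkTestSlider', 'true', (m) => messages.push(m));
console.log(jar, messages);
```

With this guard the malformed name never reaches the browser's cookie store, so the server is not sent a cookie it rejects on every later request.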
