Your message dated Fri, 18 Apr 2008 22:36:06 -0400
with message-id <[EMAIL PROTECTED]>
and subject line flyspray has been removed from Debian, closing #281307
has caused the Debian Bug report #281307,
regarding flyspray: Cookie hacking prevention leads to dead ends
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
281307: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281307
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: flyspray
Version: 0.9.6-1
Severity: normal
Tags: patch
Hi,
Something in my chain (I think it's privoxy) sets expired cookies
to 'deleted' once they are expired.
This means that once I log out I get 'Stop hacking your cookies, you
naughty fellow!' and can't do anything useful from then on.
The bad thing about this is that there's no way out of this, short of
removing the cookies from firefox, which makes it magically work again.
I think it's probably best to just ignore invalid cookies, so please
apply this patch:
--- index.php.orig 2004-11-15 02:36:17.000000000 +0100
+++ index.php 2004-11-15 02:40:29.000000000 +0100
@@ -102,7 +102,7 @@
// If the user has the right name cookies
-if ($_COOKIE['flyspray_userid'] && $_COOKIE['flyspray_passhash']) {
+if ($_COOKIE['flyspray_userid'] && preg_match ("/^\d*$/",
$_COOKIE['flyspray_userid']) && $_COOKIE['flyspray_passhash']) {
// Check to see if the user has been trying to hack their cookies to
perform sql-injection
if (!preg_match ("/^\d*$/", $_COOKIE['flyspray_userid']) OR (!preg_match
("/^\d*$/", $_COOKIE['flyspray_project']))) {
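Review bot: the added `preg_match ("/^\d*$/", $_COOKIE['flyspray_userid'])` in the outer `if` only covers the user-id cookie, while the inner check at the end of the hunk still rejects a non-numeric `$_COOKIE['flyspray_project']`, so a proxy that rewrites that cookie to 'deleted' as well would still land the user in the same "Stop hacking your cookies" dead end; apply the same guard to `flyspray_project` (or have the inner branch clear the offending cookies and fall through to the logged-out path instead of stopping). With the outer guard in place the userid half of the inner check is redundant, and `$_COOKIE['flyspray_userid']` / `$_COOKIE['flyspray_passhash']` are still read without `isset()`, which raises a notice when the cookies are absent.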
--- End Message ---
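The tolerant cookie handling the report asks for, written as an added example rather than flyspray's or the reporter's own code: malformed values (such as the literal 'deleted' a proxy leaves behind) are treated as "no cookie" and lead to the logged-out path instead of a dead end. It assumes the cookie names from the patch and, as an assumption, a 32-character hex password hash.

```php
<?php
// Added example, not flyspray's code. Reads the login cookies from the
// patch tolerantly: a value that is not in the expected shape is treated
// exactly like a missing cookie, so the user is simply logged out.

function flyspray_cookie_identity(array $cookies): ?array
{
    $userid   = $cookies['flyspray_userid']   ?? '';
    $passhash = $cookies['flyspray_passhash'] ?? '';

    // The user id must be purely numeric; this is what the original
    // check guards (a non-numeric id reaching an SQL query).
    if (!preg_match('/^\d+$/', $userid)) {
        return null;
    }
    // Assumption for this example: the hash is a 32-char hex digest.
    if (!preg_match('/^[0-9a-f]{32}$/i', $passhash)) {
        return null;
    }
    return ['userid' => (int) $userid, 'passhash' => strtolower($passhash)];
}

// The project cookie is optional; a malformed value means "no project".
function flyspray_cookie_project(array $cookies): ?int
{
    $project = $cookies['flyspray_project'] ?? '';
    return preg_match('/^\d+$/', $project) ? (int) $project : null;
}

// Constructed sample: what the reporter's proxy leaves after logout.
$after_logout = [
    'flyspray_userid'   => 'deleted',
    'flyspray_passhash' => 'deleted',
    'flyspray_project'  => 'deleted',
];
// Both return null: the request is handled as an anonymous visitor,
// no "stop hacking your cookies" message, no dead end.
$identity = flyspray_cookie_identity($after_logout);
$project  = flyspray_cookie_project($after_logout);

// Constructed sample: a well-formed login cookie set.
$valid = [
    'flyspray_userid'   => '42',
    'flyspray_passhash' => str_repeat('ab', 16),
    'flyspray_project'  => '7',
];
$identity = flyspray_cookie_identity($valid);   // ['userid' => 42, ...]
$project  = flyspray_cookie_project($valid);    // 7
```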
--- Begin Message ---
Version: 0.9.8-13+rm
The flyspray package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.
For more information about this package's removal, read
http://bugs.debian.org/428366 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
Barry deFreese
--- End Message ---