Hi Thomas and others,

On 30/11/2014, at 10:19 AM, Thomas Lübking wrote:
> On Samstag, 29. November 2014 22:13:30 CEST, Ian Wadham wrote:
>> IOW, can I offer that as a workaround until we can release your fix?  Or 
>> does BKO leave stale cookies in the jar?
> 
> Had a stale cookie there, might have been added by rekonq or konqueror (I 
> usually used qupzilla lately)
> After kicking that (kcmshell4 cookies) the token login worked as well.
> 
> DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that is 
> no harm (did a third invalid bug report)
> 
> Logging in with konqueror adds a second cookie ("Bugzilla_login") which 
> expires 2038 and is among the ones I deleted before. I strongly believe that 
> this will break it again, but won't risk spamming another bug for that purpose.
> 
> Sum up:
> -------
> a) Password login works with 4.4.6 (at least bugs.kde.org version) and is 
> robust against stale cookies in kcookiejar
> b) getting rid of bugs.kde.org cookies fixes token security, but
> c) web login via kio_http (or anything making use of kcookiejar) will (most 
> likely) re-add a bad cookie
> 
> => Since telling users to delete bugs.kde.org cookies on bugreporting is no 
> viable solution, I'd propose to either go for password logins or unleash the 
> cookie monster on all cookies from the bugzilla domain. (KCookieJar has a 
> promising "eatCookie*" function set, but I'd have to look up how to access 
> the global cookie jar.)

I have committed a fix to kde-runtime/drkonqi on the master branch, based on
Thomas' idea of going straight to passwords-only security. See attachment [1].
This should fix https://bugs.kde.org/show_bug.cgi?id=337742

I tested it as much as I could on Apple OS X and it can certainly send bug
reports and attachments to bugstest.kde.org, whether there are cookies for
that site in KCookieJar or not.

However, all of that is true if I go back to token-based security in Dr K on 
Apple OS X. This may be because the various KDE background processes, such as 
kdeinit4, kded4 and friends, do not work as intended on Apple OS X --- or I 
have set them up wrong.

So could someone please do before-and-after tests of patch [1] on KDE 4
and Linux, using the bugstest.kde.org database? i.e.

  a) No patch [1], no cookies for bugstest.kde.org --- Dr K should succeed.
  b) No patch [1], cookies added --- Dr K should fail.
  c) Patch [1] added, cookies still present --- Dr K should succeed.

See attachment [2] for a patch to set up Dr K to use the test database (cloned
about 3 months ago). It should contain most of the accounts and data of the
live bugs.kde.org database, but will send no embarrassing emails…

Thanks in advance, Ian W.

[1] Attachment: DrKonqiSecurity_5.patch (binary data)

[2] Attachment: DrK_bugstest.patch (binary data)
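The "Sum up" above turns on one observation: a persistent "Bugzilla_login" cookie (expiring in 2038) left in the jar by a normal browser login is sent along with the token login and breaks it, and any kcookiejar-backed web login will put it back. The script below is an added example, not code from the thread or from DrKonqi/KCookieJar: it audits a cookie jar for exactly that situation, listing which cookies a client would attach to a given host and flagging the persistent, far-future ones. It assumes the jar is in the Netscape/Mozilla tab-separated cookies.txt format (KCookieJar's own on-disk format is not used here), and the sample lines are constructed to mirror the cookies Thomas describes.

```python
"""Audit a Netscape/Mozilla-format cookie jar for long-lived login cookies.

Added example, not part of the KDE thread.  Assumes the tab-separated
cookies.txt layout:
  domain  include_subdomains  path  secure  expiry(unix secs)  name  value
"""
from dataclasses import dataclass

# Constructed sample jar: two bugs.kde.org cookies like the ones described in
# the thread (2147483647 is the 32-bit epoch limit, i.e. January 2038) plus an
# unrelated cookie that must not be reported for bugs.kde.org.
SAMPLE_JAR = """\
# Netscape HTTP Cookie File
.bugs.kde.org\tTRUE\t/\tTRUE\t2147483647\tBugzilla_login\t12345
.bugs.kde.org\tTRUE\t/\tTRUE\t0\tBugzilla_login_request_cookie\tabcdef
.example.org\tTRUE\t/\tFALSE\t1420070400\tsessionid\tdeadbeef
"""


@dataclass
class Cookie:
    domain: str
    path: str
    secure: bool
    expires: int  # unix seconds; 0 marks a session cookie
    name: str
    value: str


def parse_netscape_jar(text):
    """Parse cookies.txt content; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, path, secure == "TRUE", int(expires), name, value))
    return cookies


def cookies_for_host(cookies, host):
    """Return the cookies a client would attach to a request for `host`.

    A leading dot on the stored domain means "this host and its subdomains".
    """
    host = host.lower()
    matched = []
    for c in cookies:
        d = c.domain.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            matched.append(c)
    return matched


def long_lived(cookies, now, max_days=365):
    """Flag persistent cookies that expire more than `max_days` after `now`.

    Session cookies (expires == 0) are never flagged; they vanish with the
    browser and cannot linger the way the 2038 login cookie does.
    """
    limit = now + max_days * 86400
    return [c for c in cookies if c.expires and c.expires > limit]


def audit(jar_text, host, now):
    """Convenience wrapper: names of long-lived cookies that `host` would receive."""
    sent = cookies_for_host(parse_netscape_jar(jar_text), host)
    return [c.name for c in long_lived(sent, now)]


if __name__ == "__main__":
    NOW = 1417305600  # 30 Nov 2014, the date of the thread
    for name in audit(SAMPLE_JAR, "bugs.kde.org", NOW):
        print("stale login cookie would be sent:", name)
```

Run against a real cookies.txt export, the same three calls show whether a stale "Bugzilla_login" would ride along with the token request, which is the before-and-after check cases a) to c) above are probing by hand.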