Hi Thomas and others,

On 30/11/2014, at 10:19 AM, Thomas Lübking wrote:

> On Saturday, 29 November 2014 22:13:30 CEST, Ian Wadham wrote:
>> IOW, can I offer that as a workaround until we can release your fix? Or
>> does BKO leave stale cookies in the jar?
>
> Had a stale cookie there, might have been added by rekonq or konqueror (I
> usually used qupzilla lately).
> After kicking that (kcmshell4 cookies) the token login worked as well.
>
> DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that is
> no harm (did a third invalid bug report).
>
> Logging in with konqueror adds a second cookie ("Bugzilla_login") which
> expires 2038 and is among the ones I deleted before. I strongly believe that
> this will break it again, but won't risk spamming another bug for that purpose.
>
> Sum up:
> -------
> a) Password login works with 4.4.6 (at least bugs.kde.org version) and is
> robust against stale cookies in kcookiejar
> b) getting rid of bugs.kde.org cookies fixes token security, but
> c) web login via kio_http (or anything making use of kcookiejar) will (most
> likely) re-add a bad cookie
>
> => Since telling users to delete bugs.kde.org cookies on bugreporting is no
> viable solution, I'd propose to either go for password logins or unleash the
> cookie monster on all cookies from the bugzilla domain. (KCookieJar has a
> promising "eatCookie*" function set, but I'd have to look up how to access
> the global cookie jar.)
I have committed a fix to kde-runtime/drkonqi on the master branch, based on Thomas' idea of going straight to passwords-only security. See attachment [1]. This should fix https://bugs.kde.org/show_bug.cgi?id=337742

I tested it as much as I could on Apple OS X and it can certainly send bug reports and attachments to bugstest.kde.org, whether there are cookies for that site in KCookieJar or not. However, all of that is true if I go back to token-based security in Dr K on Apple OS X. This may be because the various KDE background processes, such as kdeinit4, kded4 and friends, do not work as intended on Apple OS X --- or I have set them up wrong.

So could someone please do before-and-after tests of patch [1] on KDE 4 and Linux, using the bugstest.kde.org database? i.e.

a) No patch [1], no cookies for bugstest.kde.org --- Dr K should succeed.
b) No patch [1], cookies added --- Dr K should fail.
c) Patch [1] added, cookies still present --- Dr K should succeed.

See attachment [2] for a patch to set up Dr K to use the test database (cloned about 3 months ago). It should contain most of the accounts and data of the live bugs.kde.org database, but will send no embarrassing emails…

Thanks in advance, Ian W.

[1]
DrKonqiSecurity_5.patch
[2] DrK_bugstest.patch