Bug 63623

Summary: konqueror ignores path information in cookies
Product: [Retired] Red Hat Public Beta
Reporter: Michael Schwendt <bugs.michael>
Component: kdebase
Assignee: <brosenkr>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: skipjack-beta2
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-08-05 10:42:36 UTC
Bug Blocks: 61901, 67218

Description Michael Schwendt 2002-04-16 14:37:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020408

Description of problem:
Unlike Mozilla (e.g.), Konqueror would send cookies regardless of the PATH
stored inside cookies. For instance, if a cookie were to be sent for all URLs
below /directory/, Konqueror would also submit the cookie for URLs above that path.


Version-Release number of selected component (if applicable):
3.0.0-9

How reproducible:
Always

Steps to Reproduce:
An example of a page that suffers from this:

  http://rhcontrib.bero.org

Log-in page is:

  http://rhcontrib.bero.org/bugzilla/query.cgi?GoAheadAndLogIn=1

Log-in cookie is set with path /bugzilla/, but with Konqueror pages above
/bugzilla also see the cookie, e.g.:

  http://rhcontrib.bero.org/upload.php

This is not the case with Mozilla or Netscape Navigator.


Actual Results:  Konqueror has managed to access /upload.php.


Expected Results:  Konqueror should have failed to access /upload.php (like
Mozilla or Netscape Navigator).


Additional info:

Apart from a malfunction, this is a security problem.
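The behaviour the report expects is the cookie path-match rule that browsers apply before attaching a cookie to a request. The following C++ is an added example written for this page; it is not Konqueror's or KDE's code. It implements the path-match and default-path rules as later codified in RFC 6265 section 5.1.4 (the 2002 browsers followed RFC 2109, whose path rule is a plain prefix match), and the cookie jar contents are constructed to mirror the report: a login cookie scoped to /bugzilla/ plus a site-wide cookie. The `Cookie` struct and function names are assumptions for the example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Path-match per RFC 6265 section 5.1.4. Returns true when a cookie stored
// with cookiePath may be sent to a request for requestPath.
bool cookiePathMatches(const std::string& requestPath, const std::string& cookiePath) {
    if (requestPath == cookiePath) return true;
    // cookiePath must be a prefix of requestPath ...
    if (requestPath.compare(0, cookiePath.size(), cookiePath) != 0) return false;
    // ... and either end in '/' or be followed by '/' in the request path,
    // so "/bugzilla" matches "/bugzilla/x" but not "/bugzillax".
    if (!cookiePath.empty() && cookiePath.back() == '/') return true;
    return requestPath.size() > cookiePath.size() && requestPath[cookiePath.size()] == '/';
}

// Default-path per RFC 6265 section 5.1.4, used when Set-Cookie carries no
// Path attribute: the request path up to (not including) its last '/'.
std::string defaultCookiePath(const std::string& uriPath) {
    if (uriPath.empty() || uriPath[0] != '/') return "/";
    std::string::size_type last = uriPath.rfind('/');
    if (last == 0) return "/";
    return uriPath.substr(0, last);
}

// Minimal cookie record; host matching is assumed to have happened already.
struct Cookie {
    std::string name;
    std::string value;
    std::string path;
};

// Names of the cookies the jar would attach to a request for requestPath.
std::vector<std::string> cookiesForPath(const std::vector<Cookie>& jar,
                                        const std::string& requestPath) {
    std::vector<std::string> out;
    for (const Cookie& c : jar) {
        if (cookiePathMatches(requestPath, c.path)) out.push_back(c.name);
    }
    return out;
}

// Constructed jar modelled on the report: the login cookie is scoped to
// /bugzilla/, a second cookie had no Path attribute and got the default path,
// and one cookie is site-wide.
std::vector<Cookie> constructedJar() {
    return {
        {"Bugzilla_login", "user", "/bugzilla/"},
        {"session", "abc", defaultCookiePath("/bugzilla/query.cgi")},  // -> "/bugzilla"
        {"site_pref", "dark", "/"},
    };
}

int main() {
    const std::vector<Cookie> jar = constructedJar();
    for (const std::string& p : {"/bugzilla/query.cgi", "/upload.php"}) {
        std::cout << p << " gets:";
        for (const std::string& n : cookiesForPath(jar, p)) std::cout << ' ' << n;
        std::cout << '\n';
    }
    return 0;
}
```

With a correct path match, a request for /upload.php receives only the site-wide cookie, which is the Mozilla behaviour the reporter expected. One caveat for anyone relying on this scoping today: RFC 6265 section 8.5 is explicit that the Path attribute is not a security boundary, since the same-origin policy ignores paths and script on /upload.php can read document.cookie set by another path on the same host; it limits accidental exposure and request bloat, nothing more.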

Comment 1 Bernhard Rosenkraenzer 2002-08-05 10:42:32 UTC
Fixed in the current version

Comment 2 Michael Schwendt 2002-08-06 08:40:53 UTC
Confirmed with kdebase-3.0.2-7.