Bug 63623 - konqueror ignores path information in cookies
Status: CLOSED RAWHIDE
Product: Red Hat Public Beta
Classification: Retired
Component: kdebase
Version: skipjack-beta2
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: wdovlrrw
QA Contact: Ben Levenson
Keywords: Security
Depends On:
Blocks: 61901 67218
Reported: 2002-04-16 10:37 EDT by Michael Schwendt
Modified: 2007-04-18 12:42 EDT
Doc Type: Bug Fix
Last Closed: 2002-08-05 06:42:36 EDT
Description Michael Schwendt 2002-04-16 10:37:13 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020408

Description of problem:
Unlike Mozilla (e.g.), Konqueror would send cookies regardless of the PATH
stored inside cookies. For instance, if a cookie were to be sent for all URLs
below /directory/, Konqueror would also submit the cookie for URLs above that path.


Version-Release number of selected component (if applicable):
3.0.0-9

How reproducible:
Always

Steps to Reproduce:
An example of a page that suffers from this:

  http://rhcontrib.bero.org

Log-in page is:

  http://rhcontrib.bero.org/bugzilla/query.cgi?GoAheadAndLogIn=1

Log-in cookie is set with path /bugzilla/, but with Konqueror pages above
/bugzilla also see the cookie, e.g.:

  http://rhcontrib.bero.org/upload.php

This is not the case with Mozilla or Netscape Navigator.


Actual Results:  Konqueror has managed to access /upload.php.


Expected Results:  Konqueror should have failed to access /upload.php (like
Mozilla or Netscape Navigator).


Additional info:

Apart from a malfunction, this is a security problem.
Comment 1 Bernhard Rosenkraenzer 2002-08-05 06:42:32 EDT
Fixed in the current version
Comment 2 Michael Schwendt 2002-08-06 04:40:53 EDT
Confirmed with kdebase-3.0.2-7.
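
For reference, an added example (not part of the bug report and not Konqueror or Mozilla source code) contrasting the behaviour the description reports, where the cookie Path is never consulted, with the path-match rule later specified in RFC 6265 section 5.1.4. The cookie name `login`, the exact-host check and all function names are assumptions made for the illustration; the URLs are the ones from the report.

```javascript
// Added illustration, not Konqueror or Mozilla source code.

// RFC 6265 section 5.1.4 path-match: does a cookie's Path cover the request path?
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary, so "/bugzilla" does not
  // cover "/bugzilla-old/".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simplified host check (exact match, an assumption); Domain-attribute
// handling is out of scope here.
function hostMatches(cookie, url) {
  return cookie.host === url.hostname;
}

// Behaviour described in the report: Path is stored but never consulted.
function cookiesIgnoringPath(jar, requestUrl) {
  const url = new URL(requestUrl);
  return jar.filter((c) => hostMatches(c, url)).map((c) => c.name);
}

// Expected behaviour: Path is enforced before the cookie is attached.
function cookiesHonoringPath(jar, requestUrl) {
  const url = new URL(requestUrl);
  return jar
    .filter((c) => hostMatches(c, url) && pathMatches(c.path, url.pathname))
    .map((c) => c.name);
}

// Constructed cookie jar: one login cookie scoped to /bugzilla/ as in the report.
const jar = [{ name: "login", host: "rhcontrib.bero.org", path: "/bugzilla/" }];

const inside = "http://rhcontrib.bero.org/bugzilla/query.cgi?GoAheadAndLogIn=1";
const outside = "http://rhcontrib.bero.org/upload.php";

for (const url of [inside, outside]) {
  console.log(url);
  console.log("  path ignored :", cookiesIgnoringPath(jar, url));
  console.log("  path enforced:", cookiesHonoringPath(jar, url));
}
```

With the path ignored, the login cookie accompanies the request for /upload.php; with the path enforced, it is attached only to requests under /bugzilla/.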
