[wp-trac] [WordPress Trac] #2660: WordPress admin creates invalid ( netscape ) dbx-postmeta cookies on OSX + Safari, can cause apache segfault

WordPress Trac wp-trac at lists.automattic.com
Thu Apr 13 23:06:55 GMT 2006

#2660: WordPress admin creates invalid ( netscape ) dbx-postmeta cookies on OSX +
Safari, can cause apache segfault
       Id:  2660       |      Status:  new                     
Component:  General    |    Modified:  Thu Apr 13 23:06:55 2006
 Severity:  major      |   Milestone:                          
 Priority:  normal     |     Version:  2.1                     
    Owner:  anonymous  |    Reporter:  jvanasco                
 I came across this issue a while back. I thought it would be resolved as
 it was in the forums - but it wasn't, and there's no ticket either open or
 closed addressing it, so here are my notes:

 I wrote a web services module to incorporate the TrackBack protocol into
 my mod_perl application

 I started testing it using WordPress - the php blog software

 It seems to have set a cookie (see details below), that causes an
 automatic error in libapreq (accessed via the perl bindings), which can
 segfault apache (libapreq isn't just used in perl, it's the general Apache
 API for parsing cookies)

 The error in the logs is: "Expected token not present"

 The issue seems to be definitively caused by an issue in the way that
 WordPress encodes the cookie and Safari sends it

 From the headers_in, it seems that WordPress includes raw-php code
 (instead of executing it), and either WordPress or Safari doesn't escape
 the , in the cookies.

 Re Netscape cookie draft:
 ( common standard - http://wp.netscape.com/newsref/std/cookie_spec.html )
 "This string is a sequence of characters excluding semi-colon, comma and
 white space. If there is a need to place such data in the name or value,
 some encoding method such as URL style %XX encoding is recommended, though
 no encoding is defined or required.
 This is the only required attribute on the Set-Cookie header."

 The RFCs regarding cookies don't have the restriction, but do use , and ;
 as a delimiter -- and most libraries code to the Netscape standard.

 The fix would be to just encode/escape the , on reading/writing cookies.

 In production I see little opportunity for this to affect me or any other
 user -- it's not often that people use multiple languages & projects on the
 same domain.

 The segfault, naturally, occurs whether or not the code is wrapped in an
 eval block. An eval block didn't seem to catch the other error either
 (sorry, but I can't discern what it is)

 I've enclosed a Data::Dumper representation of the APR::Table
 headers_in after the cookie info. I'll be happy to pull it into any other
 format if needed.

 To recreate this, you can use:
  * wordpress 2.0 -> 2.1
  * mac osx 10.4.(5,6) + safari 2.0.3
  * libapreq 2.07
  * httpd 2.055

  * Created
   * 193189633
  * Domain
   * g5.local
  * Expires
   * 2007-02-14T23:47:13Z
  * Name
   * dbx-postmeta
  * Path
   * /
  * Value
   * grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-


 $headers_in = bless( {
  'Accept' => '*/*',
  'Accept-Language' => 'en',
  'Accept-Encoding' => 'gzip, deflate',
  'Cookie' => 'wordpressuser_c580712eb86cad2660b3601ac04202b2=admin;
 rs_session=59ae9b8b503e3af7d17b97e7f77f7ea5; dbx-
  'User-Agent' => 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
 AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8',
  'Connection' => 'keep-alive',
  'Host' => 'g5.local:8082'
  }, 'APR::Table' );

Ticket URL: <http://trac.wordpress.org/ticket/2660>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
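
The fix proposed in the report (escape the comma when the cookie is written, unescape it when it is read) can be sketched as below. This is an added example, not code from WordPress or from the ticket: the function names are hypothetical, `encodeURIComponent` is chosen here as the "URL style %XX encoding" the Netscape draft recommends, and the sample header is constructed from the cookie name and value listed in the report.

```javascript
'use strict';

// Characters the Netscape draft excludes from a cookie name or value.
const FORBIDDEN = /[;,\s]/;

// Split a Cookie request header into pairs and report every value that a
// parser coded to the Netscape draft would not accept.
function auditCookieHeader(header) {
  const findings = [];
  for (const pair of header.split(/;\s*/)) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    const bad = FORBIDDEN.exec(value);
    if (bad) findings.push({ name, value, char: bad[0], index: bad.index });
  }
  return findings;
}

// Writer side: percent-encode the value so no delimiter reaches the wire.
function encodeCookieValue(raw) {
  return encodeURIComponent(raw);
}

// Reader side: reverse the encoding; a malformed %XX sequence is returned
// unchanged instead of throwing.
function decodeCookieValue(encoded) {
  try { return decodeURIComponent(encoded); } catch (e) { return encoded; }
}

// Constructed sample: cookie name and value as listed in the report,
// session id replaced by a placeholder.
const RAW_VALUE = 'grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1+,2-';
const SAMPLE_BEFORE = 'rs_session=CONSTRUCTED; dbx-postmeta=' + RAW_VALUE;
const SAMPLE_AFTER =
  'rs_session=CONSTRUCTED; dbx-postmeta=' + encodeCookieValue(RAW_VALUE);

function demo() {
  return {
    before: auditCookieHeader(SAMPLE_BEFORE), // flags the first raw comma
    after: auditCookieHeader(SAMPLE_AFTER),   // nothing left to flag
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same audit function can be run over logged Cookie headers to find other cookies on a shared domain that a strict parser would reject.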
