Bug#797171: xombrero does not handle httponly cookies

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#797171: xombrero does not handle httponly cookies
From: Enrico Zini <enrico@debian.org>
Date: Fri, 28 Aug 2015 11:02:05 +0200
Message-id: <[🔎] 20150828090205.20730.99723.reportbug@viaza.enricozini.org>
Reply-to: Enrico Zini <enrico@debian.org>, 797171@bugs.debian.org

Package: xombrero
Version: 2:1.6.4-3
Severity: normal

Hello,

thank you for maintaining xombrero.

It looks like xombrero does not store and retransmit httponly cookies.
If I point it at the attached web server, I can see that a new cookie is
generated at each request. With chromium instead, the cookie is
preserved.

See here for documentation about httponly cookies:
https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly

This is currently breaking access to https://sso.debian.org/spkac/enroll_manually
which relies on httponly cookies for session management, and relies on
session management for remembering the challenge string previously sent
to the client. If you visit that page with xombrero, you will see the
challenge string in the "openssl spkac" command line change all the
time. If you visit it with firefox or chromium, you will see that the
challenge stays the same.


Enrico

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xombrero depends on:
ii  libbsd0                     0.7.0-2
ii  libc6                       2.19-19
ii  libgdk-pixbuf2.0-0          2.31.5-1
ii  libglib2.0-0                2.44.1-1.1
ii  libgnutls-deb0-28           3.3.17-1
ii  libgtk-3-0                  3.16.6-1
ii  libjavascriptcoregtk-3.0-0  2.4.9-2
ii  libpango-1.0-0              1.36.8-3
ii  libsoup2.4-1                2.50.0-2
ii  libwebkitgtk-3.0-0          2.4.9-2

xombrero recommends no packages.

xombrero suggests no packages.

-- no debconf information

#!/usr/bin/python3

import http.server
import http.cookies
import socketserver

PORT = 8000

class CookieTest(http.server.BaseHTTPRequestHandler):
    sequence = 0

    def do_GET(self):
        cookiestring = "\n".join(self.headers.get_all('Cookie', failobj=[]))
        c = http.cookies.SimpleCookie()
        c.load(cookiestring)

        existing_session_id = c.get("sessionid", None)
        if existing_session_id is None:
            new_session_id = str(self.sequence)
            self.sequence += 1
        else:
            new_session_id = existing_session_id

        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.send_header("Set-Cookie", "sessionid={}; expires=Fri, 11-Sep-2017 08:34:46 GMT; httponly; Max-Age=1209600; Path=/".format(new_session_id))
        self.end_headers()
        self.wfile.write("existing cookie: {}\n".format(existing_session_id).encode("utf-8"))
        for k, v in self.headers.items():
            self.wfile.write("{}: {}\n".format(k, v).encode("utf-8"))

def main():
    httpd = socketserver.TCPServer(("", PORT), CookieTest)

    print("serving at port", PORT)
    httpd.serve_forever()

if __name__ == "__main__":
    main()

Reply to:

Prev by Date: Bug#797165: CVE-2015-0852: integer overflow in PluginPCX.cpp
Next by Date: perfect solutions
Previous by thread: Bug#797165: CVE-2015-0852: integer overflow in PluginPCX.cpp
Next by thread: perfect solutions
Index(es):
- Date
- Thread