Bug#587033: wget: Quotes get striped in cookie values
Hello Nirgal,

On Thursday, 24.06.2010, at 17:39 +0200, Nirgal Vourgère wrote:
> When server sends header:
> Set-Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="; Version=1; Path=/
> wget sends afterward:
> Cookie: SSOCOOKIECC=L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw==
> while it should be sending:
> Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="
> Curl and Iceweasel work fine with that kind of cookies.

you reported and discussed the problem last year in the Debian bugtracking system:
http://bugs.debian.org/587033

Maybe best would be when you discuss the problem on the upstream mailinglist so the developers of wget might help you. Forwarding such discussions from the Debian bug tracking system to the mailinglist doesn't make much sense IMHO.

You can reach them at bug-w...@gnu.org

--
Noël Köthe noel debian.org
Debian GNU/Linux, www.debian.org
Bug#587033: wget: Quotes get striped in cookie values
On Saturday 24 July 2010 22:24:22 Michelle Konzack wrote:
> COOKIES are stored as they are... and there are no quotes.

I have to disagree.
Here's a partial dump using a logging proxy and iceweasel (firefox):

DEBUG
DEBUG POST https://www.coopanet.com/banque/sso/co/connexionsec.do HTTP/1.1
DEBUG 'Host': 'www.coopanet.com'
DEBUG 'User-Agent': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010062510 Iceweasel/3.0.6 (Debian-3.0.6-3)'
DEBUG 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
DEBUG 'Accept-Language': 'en-us,en;q=0.5'
DEBUG 'Accept-Encoding': 'gzip,deflate'
DEBUG 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
DEBUG 'Referer': 'https://www.coopanet.com/banque/sso/co/connexionsec.do'
DEBUG 'Cookie': 'ARPTCN=YQIOZISdelvaux_CNCKUOU; JSESSIONID=684B885F51D15BA24A4A1504C9317AE8; ccsite=C; TS5acdf8=8ecf174b2eb515fe9db543f3eff5b1a442a2d6393b4cbcd53b3de5759590052beddc7d83bf1fc4e84ba20a40'
DEBUG 'Content-Type': 'application/x-www-form-urlencoded'
DEBUG 'Content-Length': '66'
DEBUG 'Connection': 'close'
DEBUG data: (66 bytes) 'codeUtil=motPasse=***identType=MDPpbValider=Valider'
DEBUG
DEBUG RESPONSE RAW ---
DEBUG HTTP/1.1 302 Déplacé Temporairement
DEBUG 'Date': 'Tue, 27 Jul 2010 15:10:55 GMT'
DEBUG 'X-Powered-By': 'Servlet 2.4; JBoss-4.3.0.GA_CP06 (build: SVNTag=JBPAPP_4_3_0_GA_CP06 date=200907141202)/JBossWeb-2.0'
DEBUG 'Location': 'https://www.coopanet.com/banque/cpt/incoopanetj2ee.do?ssomode=ok'
DEBUG 'Content-Type': 'text/html; charset=UTF-8'
DEBUG 'Set-Cookie': 'ccsite=C; Path=/'
DEBUG 'Set-Cookie': 'SECURECOOKIECC=false; Path=/'
DEBUG 'Set-Cookie': 'SSOCOOKIECC="3JsEKHUimbXmMZRI+hhVPXC/K/WXigBSfTBqyhGvODObmLOC9r+DLljFxQsWsyvHYVZlOwcOjRky07ybAftSLw=="; Version=1; Path=/'
DEBUG 'Set-Cookie': 'CCSIGN=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/'
DEBUG 'Cache-Control': 'max-age=0'
DEBUG 'Expires': 'Tue, 27 Jul 2010 15:10:55 GMT'
DEBUG 'Vary': 'Accept-Encoding,User-Agent'
DEBUG 'Content-Encoding': 'gzip'
DEBUG 'Duration': 'D=52368 microseconds'
DEBUG 'Content-Length': '20'
DEBUG 'Connection': 'close'
DEBUG 'Set-Cookie': 'TS5acdf8=b8d9eaaf4g92147958018ebd9e3489391e7402d5dce4bcc85b5ce4257592052decce9f1ede92c4e47194a91ff85bb5cf403aaef129489d2e52fcae56d73c92d1fc0d0c61; Max-Age=900; Path=/'
DEBUG data: (20 bytes) '\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG
DEBUG GET /banque/cpt/incoopanetj2ee.do?ssomode=ok HTTP/1.1
DEBUG 'Host': 'www.coopanet.com'
DEBUG 'User-Agent': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010062510 Iceweasel/3.0.6 (Debian-3.0.6-3)'
DEBUG 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
DEBUG 'Accept-Language': 'en-us,en;q=0.5'
DEBUG 'Accept-Encoding': 'gzip,deflate'
DEBUG 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7'
DEBUG 'Keep-Alive': '300'
DEBUG 'Connection': 'keep-alive'
DEBUG 'Referer': 'https://www.coopanet.com/banque/sso/co/connexionsec.do'
DEBUG 'Cookie': 'ARPTCN=YQIOZISdelvaux_CNCKUOU; JSESSIONID=684B885F51D15BA24A4A1504C9317AE8; ccsite=C; TS5acdf8=b8d9eaaf4g92147958018ebd9e3489391e7402d5dce4bcc85b5ce4257592052decce9f1ede92c4e47194a91ff85bb5cf403aaef129489d2e52fcae56d73c92d1fc0d0c61; SECURECOOKIECC=false; SSOCOOKIECC="3JsEKHUimbXmMZRI+hhVPXC/K/WXigBSfTBqyhGvODObmLOC9r+DLljFxQsWsyvHYVZlOwcOjRky07ybAftSLw=="'

As you can see on that very last line, the cookie named SSOCOOKIECC starts with a quote, while JSESSIONID for example does not.

wget strips these quotes resulting in a failure to log in on that web site, for example. curl and iceweasel work fine.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#587033: wget: Quotes get striped in cookie values
On Friday 23 July 2010 19:21:16 Michelle Konzack wrote:
> ..but it MUST not be quoted, otherwise it is a misinterpretation of the server reading the cookies. The first equal-sign (=) is the separator. There is nothing in the specification which require QUOTES.

I had a quick look at rfc 2109, and I couldn't find a place where it says it MUST not be quoted. Where did you get that information?
It does say in section 4.1 that cookies value syntax is:
token | quoted-string
But in the example section 5.1, the quotes are not stripped!
My problem is when the value is a quoted-string.

> Question: Which ERRORS do you have and which server and other software are you using on the server side?

I encountered that problem with my bank website.
https://www.coopanet.com/banque/sso/co/connexion.do
I have no idea what software they are using, and obviously I'll not post my login/password here. The error is that I cannot login.
Maybe the way they analyze the cookie value, and their quotes, is not in the best practices, but I will not contact them about that, while other http clients work fine. I spent a full day pinpointing the error to the missing quotes. Believe me, this is what causes the problem.

> Sending a bugreport due to missing quotes is worthless, if you can not provide any error messages due to the missing quotes.

Allow me to disagree with you. I tried curl and iceweasel, and both work ok with that website. And they do not remove the quotes when there are some.
It would have saved me some time if I had known about that earlier.

If, as you suggest, there is nothing in the specification which require quotes, why not store it as the first character of the value? I guess that's what other http clients do.

Peace
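
The distinction argued over in this message, as an added C example that is not part of the thread and is not wget's code: it extracts the first NAME=VALUE pair of a Set-Cookie header under the RFC 2109 section 4.1 grammar (token | quoted-string) and builds the pair to echo in a Cookie header, either with the quotes dropped or with the value stored verbatim. The function name cookie_pair, its keep_quotes flag and the sample headers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not wget code. Copies the first NAME=VALUE pair of a
   Set-Cookie header value into out, as it would be echoed in a Cookie
   header. VALUE is a token or a quoted-string (RFC 2109, section 4.1).
   keep_quotes=0 drops the surrounding quotes (the behaviour reported in
   this bug); keep_quotes=1 stores the value verbatim.
   Returns 0 on success, -1 on malformed input or a too-small buffer. */
int cookie_pair(const char *hdr, int keep_quotes, char *out, size_t outsz)
{
    const char *eq = strchr(hdr, '=');
    if (!eq || eq == hdr || memchr(hdr, ';', (size_t)(eq - hdr)))
        return -1;                          /* no NAME= before first ';' */
    const char *v = eq + 1, *end;
    int quoted = (*v == '"');
    if (quoted) {
        for (end = v + 1; *end && *end != '"'; end++)
            if (*end == '\\' && end[1])
                end++;                      /* skip quoted-pair, e.g. \" */
        if (*end != '"')
            return -1;                      /* unterminated quoted-string */
        end++;                              /* include the closing quote */
        if (!keep_quotes) { v++; end--; }
    } else {
        end = v + strcspn(v, ";");          /* a token ends at ';' */
        while (end > v && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
    }
    size_t nlen = (size_t)(eq - hdr) + 1;   /* length of "NAME=" */
    size_t vlen = (size_t)(end - v);
    if (nlen + vlen + 1 > outsz)
        return -1;
    memcpy(out, hdr, nlen);
    memcpy(out + nlen, v, vlen);
    out[nlen + vlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample headers, not the values from the thread. */
    const char *samples[] = { "SSO=\"dGVzdA==\"; Version=1; Path=/",
                              "JSESSIONID=ABC123; Path=/",
                              "pref=\"a;b\"; Path=/" };
    char kept[64], stripped[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        if (!cookie_pair(samples[i], 1, kept, sizeof kept) &&
            !cookie_pair(samples[i], 0, stripped, sizeof stripped))
            printf("verbatim: Cookie: %s\nstripped: Cookie: %s\n", kept, stripped);
    return 0;
}
```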
Bug#587033: wget: Quotes get striped in cookie values
On 2010-07-24 11:13:50, Nirgal Vourgère wrote:
> I had a quick look at rfc 2109, and I couldn't find a place where it says it MUST not be quoted. Where did you get that information?

AFAIK from the Apache website (or maybe PHP). There was something about Socket programming and direct interfacing.

> My problem is when the value is a quoted-string.

But quotes should be normally ignored if NOT escaped.

> I encountered that problem with my bank website.
> https://www.coopanet.com/banque/sso/co/connexion.do

I have checked the Bank but Firefox/Iceweasel does not save the QUOTES because there are no quotes.

[ command 'curl -i https://www.coopanet.com/banque/sso/co/connexion.do']--
HTTP/1.1 200 OK
Date: Sat, 24 Jul 2010 20:54:52 GMT
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP06 (build: SVNTag=JBPAPP_4_3_0_GA_CP06 date=200907141202)/JBossWeb-2.0
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ARPTCN=YQIOZISensor_CNCKQMU; path=/
Set-Cookie: JSESSIONID=3D92743654D368BFAA2BB115F7B8EFE6; Path=/
Set-Cookie: ccsite=C; Path=/
Cache-Control: max-age=0
Expires: Sat, 24 Jul 2010 20:54:52 GMT
Vary: Accept-Encoding,User-Agent
Duration: D=16597 microseconds
Set-Cookie: TS5acdf8=2055ce8fe8a61f1cfceb6b38d8dc79cbcf1338b9380bdff34c4b53148481163c0b6f0b5ecd83b3d73a91194f; Max-Age=900; Path=/
Transfer-Encoding: chunked

[ command 'wget -S -O /dev/null https://www.coopanet.com/banque/sso/co/connexion.do']--
HTTP/1.1 200 OK
Date: Sat, 24 Jul 2010 20:47:25 GMT
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP06 (build: SVNTag=JBPAPP_4_3_0_GA_CP06 date=200907141202)/JBossWeb-2.0
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ARPTCN=YQIOZISensor_CNCKQMU; path=/
Set-Cookie: JSESSIONID=02017D8114FA53CEF6EF2953DCEB1B2F; Path=/
Set-Cookie: ccsite=C; Path=/
Cache-Control: max-age=0
Expires: Sat, 24 Jul 2010 20:47:25 GMT
Vary: Accept-Encoding,User-Agent
Duration: D=17062 microseconds
Connection: close
Set-Cookie: TS5acdf8=24f6e1c282513aa2411dbdb34ed57d7adf58a6fd2325e35b4c4b51558481163c0b6f0b5ecd83b3d73a91194f; Max-Age=900; Path=/

I can even connect with telnet-ssl and there are NO quotes around the COOKIES. However, the Server is the last crap! Is it on a Dial-Up?

> I have no idea what software they are using, and obviously I'll not post my login/password here. The error is that I cannot login.

Ehm, you are using WGET on a bank account to login? You are suspect! If I was the owner/sysadmin of the bank, I would call this as a hack attempt or something like this because it is definitively not normal to use WGET to connect to a bank site and log into.

On some of my websites, unknown USER_AGENT strings would immediately trigger an alarm.

> Maybe the way they analyze the cookie value, and their quotes, is not in the best practices, but I will not contact them about that, while other http clients work fine. I spent a full day pinpointing the error to the missing quotes. Believe me, this is what causes the problem.

:-D

> Allow me to disagree with you. I tried curl and iceweasel, and both work ok with that website. And they do not remove the quotes when there are some.
> It would have saved me some time if I had known about that earlier.

How, how do you access the site? I was accessing the site using wget and it works (I used the /demo/ directory) and it accepted my cookies I send back...

> If, as you suggest, there is nothing in the specification which require quotes, why not store it as the first character of the value? I guess that's what other http clients do.

COOKIES are stored as they are... and there are no quotes.

> Peace

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant
## Development of Intranet and Embedded Systems with Debian GNU/Linux
Bug#587033: wget: Quotes get striped in cookie values
On 2010-06-24 17:39:03, Nirgal Vourgère wrote:
> Package: wget
> Version: 1.11.4-2+lenny1
> Severity: normal
>
> *** Please type your report below this line ***
>
> When server sends header:
> Set-Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="; Version=1; Path=/
> wget sends afterward:
> Cookie: SSOCOOKIECC=L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw==
> while it should be sending:
> Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="
> Curl and Iceweasel work fine with that kind of cookies.

..but it MUST not be quoted, otherwise it is a misinterpretation of the server reading the cookies. The first equal-sign (=) is the separator. There is nothing in the specification which require QUOTES.

Question: Which ERRORS do you have and which server and other software are you using on the server side?

Sending a bugreport due to missing quotes is worthless, if you can not provide any error messages due to the missing quotes.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Bug#587033: wget: Quotes get striped in cookie values
Package: wget
Version: 1.11.4-2+lenny1
Severity: normal

*** Please type your report below this line ***

When server sends header:
Set-Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="; Version=1; Path=/
wget sends afterward:
Cookie: SSOCOOKIECC=L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw==
while it should be sending:
Cookie: SSOCOOKIECC="L2ZS6azH5Mc4dwO/601i9QgGInPjnaaCeQWLTQbV3JD+RbT1Ryw/6ahTJS+boW94I86y3k62U1iIOOXv3cqPxw=="

Curl and Iceweasel work fine with that kind of cookies.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wget depends on:
ii  libc6        2.7-18lenny4      GNU C Library: Shared libraries
ii  libssl0.9.8  0.9.8g-15+lenny6  SSL shared libraries

wget recommends no packages.

wget suggests no packages.

-- no debconf information