Dr Konqi still misbehaving - advice needed

Ian Wadham iandw.au at gmail.com
Mon Dec 29 06:31:25 GMT 2014


Hi Thomas and others,

On 30/11/2014, at 10:19 AM, Thomas Lübking wrote:
> On Saturday, 29 November 2014 22:13:30 CEST, Ian Wadham wrote:
>> IOW, can I offer that as a workaround until we can release your fix?  Or does BKO leave stale cookies in the jar?
> 
> Had a stale cookie there, might have been added by rekonq or konqueror (I usually used qupzilla lately)
> After kicking that (kcmshell4 cookies) the token login worked as well.
> 
> DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that is no harm (did a third invalid bug report)
> 
> Logging in with konqueror adds a second cookie ("Bugzilla_login") which expires 2038 and is among the ones I deleted before. I strongly believe that this will break it again, but won't risk spamming another bug for that purpose.
> 
> Sum up:
> -------
> a) Password login works with 4.4.6 (at least bugs.kde.org version) and is robust against stale cookies in kcookiejar
> b) getting rid of bugs.kde.org cookies fixes token security, but
> c) web login via kio_http (or anything making use of kcookiejar) will (most likely) re-add a bad cookie
> 
> => Since telling users to delete bugs.kde.org cookies on bugreporting is no viable solution, I'd propose to either go for password logins or unleash the cookie monster on all cookies from the bugzilla domain. (KCookieJar has a promising "eatCookie*" function set, but I'd have to look up how to access the global cookie jar.)

I have committed a fix to kde-runtime/drkonqi on the master branch, based on
Thomas' idea of going straight to passwords-only security. See attachment [1].
This should fix https://bugs.kde.org/show_bug.cgi?id=337742

I tested it as much as I could on Apple OS X and it can certainly send bug
reports and attachments to bugstest.kde.org, whether there are cookies for
that site in KCookieJar or not.

However, all of that is true if I go back to token-based security in Dr K on Apple OS X.
This may be because the various KDE background processes, such as kdeinit4, kded4
and friends, do not work as intended on Apple OS X --- or I have set them up wrong.

So could someone please do before-and-after tests of patch [1] on KDE 4
and Linux, using the bugstest.kde.org database? i.e.

  a) No patch [1], no cookies for bugstest.kde.org --- Dr K should succeed.
  b) No patch [1], cookies added --- Dr K should fail.
  c) Patch [1] added, cookies still present --- Dr K should succeed.

See attachment [2] for a patch to set up Dr K to use the test database (cloned
about 3 months ago).  It should contain most of the accounts and data of the
live bugs.kde.org database, but will send no embarrassing emails…

Thanks in advance, Ian W.

[1] 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DrKonqiSecurity_5.patch
Type: application/octet-stream
Size: 942 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20141229/387f5c3b/attachment.obj>
-------------- next part --------------


[2] 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DrK_bugstest.patch
Type: application/octet-stream
Size: 856 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20141229/387f5c3b/attachment-0001.obj>
-------------- next part --------------
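As an added example that is not part of this e-mail thread and not DrKonqi or KCookieJar code: the two ideas in Thomas' summary, purging every cookie for the Bugzilla domain before a token login ("unleash the cookie monster") and checking which cookies the jar would attach to a given request so a stale ambient session cookie is noticed before it rides along with the token, modelled with Python's standard http.cookiejar. The jar contents (a Bugzilla_login cookie expiring in 2038, the Bugzilla_login_request_cookie DrKonqi adds, and an unrelated cookie) are constructed; the forum.kde.org host, the cookie values and the xmlrpc.cgi path are assumptions, not taken from the thread.

```python
"""Purge and inspect ambient cookies for one domain before a token-based
API request. Constructed example using http.cookiejar, not KCookieJar."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, expires=None):
    # Build a Netscape-style cookie the way a browser-populated jar holds it.
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=expires,
        discard=expires is None, comment=None, comment_url=None, rest={},
    )


def build_sample_jar():
    # Constructed jar state mirroring the thread: a long-lived Bugzilla_login
    # cookie left by a web login (expires 2038 = 2147483647), the request
    # cookie DrKonqi adds, and an unrelated cookie that must survive a purge.
    # forum.kde.org and all values are assumptions for the example.
    jar = CookieJar()
    jar.set_cookie(make_cookie("Bugzilla_login", "12345", "bugs.kde.org",
                               expires=2147483647))
    jar.set_cookie(make_cookie("Bugzilla_login_request_cookie", "abc",
                               "bugs.kde.org"))
    jar.set_cookie(make_cookie("session", "xyz", "forum.kde.org"))
    return jar


def cookies_for(jar, url):
    # Names of the cookies the jar would attach to a request for `url`,
    # i.e. what would ride along with a token-based API call.
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def eat_domain_cookies(jar, domain):
    # The "cookie monster": drop every cookie stored for `domain` and return
    # how many were removed. CookieJar.clear raises KeyError when the domain
    # has no cookies at all; treat that as nothing to do.
    before = len(jar)
    try:
        jar.clear(domain)
    except KeyError:
        pass
    return before - len(jar)


if __name__ == "__main__":
    jar = build_sample_jar()
    api = "https://bugs.kde.org/xmlrpc.cgi"  # assumed endpoint path
    print("before purge:", cookies_for(jar, api))
    print("eaten:", eat_domain_cookies(jar, "bugs.kde.org"))
    print("after purge:", cookies_for(jar, api))
    print("other site untouched:", cookies_for(jar, "https://forum.kde.org/"))
```

The check in cookies_for is the part worth keeping in a real client: an API client that shares a browser's jar inherits whatever session cookie the browser left behind, so either purge the domain immediately before the request, as here, or give the client its own empty jar so the token or password it sends is the only credential on the wire.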