Edgewall Software
Modify

Opened 17 years ago

Closed 14 years ago

#5443 closed defect (duplicate)

Cookie path parameter not set if Trac is installed in web root

Reported by: christian.seiler@… Owned by: osimons
Priority: normal Milestone:
Component: general Version: 0.10.4
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

If Trac is directly installed inside the web root (no subdirectory, http://example.com/ is the Trac front page), the path parameter of the cookie isn't set at all because req.base_path and req.href() are empty and therefore the python Cookie lib ignores the empty path and does not set it. This causes browsers to use the last "directory" of the current URI (i.e. if the URI is /foo/bar/baz they assume /foo/bar, if the URI is /foo/bar/baz/ they assume /foo/bar/baz, have a look at RFC 2109, Section 4.3.1).

Now, if I access a page on /foo/bar and that page sets a cookie, it won't include the Path component, causing the cookie only to be valid beneath /foo. Currently, the following header is returned:

Set-Cookie: name=value;

Correct would be:

Set-Cookie: name=value; Path=/;

As for possible fixes, the _send_cookie_headers function in web/api.py already does some escaping:

            if path:
                path = path.replace(' ', '%20') \
                           .replace(';', '%3B') \
                           .replace(',', '%3C')

The simplest solution would probably to add an else clause:

            if path:
                path = path.replace(' ', '%20') \
                           .replace(';', '%3B') \
                           .replace(',', '%3C')
            else:
                # If trac is installed in the web root, path will be empty,
                # but should be '/'
                path = '/'

Of course, a Trac plugin could not rely on the fact that supplying an empty path would restrict the cookie to a subpath anymore, but those plugins could simply explicitly set path to a subpath in order to restrict the cookie.

This applies to 0.10 and 0.11.

Attachments (0)

Change History (3)

comment:1 by osimons, 16 years ago

Owner: changed from Jonas Borgström to osimons

13 months without feedback… Oouch - and sorry!

Your write-up does make sense. There have been various issues with installations at webserver root, and perhaps this could help explain/improve that.

I'll put it on my to-do.

comment:2 by Remy Blank, 15 years ago

Milestone: 0.13

Feel free to schedule for an earlier milestone.

comment:3 by Remy Blank, 14 years ago

Milestone: next-major-0.1X
Resolution: duplicate
Status: newclosed

This seems to have been fixed in [7386] for #5637.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain osimons.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from osimons to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.