From kde-commits Sat Jan 19 16:22:24 2013
From: Dawit A
Date: Sat, 19 Jan 2013 16:22:24 +0000
To: kde-commits
Subject: Re: [kdelibs] kioslave/http/kcookiejar: Initialise the mCrossDomain member variable in the cookies
X-MARC-Message: https://marc.info/?l=kde-commits&m=135861259716977

On Fri, Jan 18, 2013 at 6:22 AM, Thiago Macieira wrote:

> Git commit 794b14b8af5b610fc3eed6945f93f0c69dd49a9a by Thiago Macieira.
> Committed on 18/01/2013 at 12:12.
> Pushed by thiago into branch 'master'.
>
> Initialise the mCrossDomain member variable in the cookies
>
> For several months now, all my cookies would be forgotten after a kded
> restart. After debugging the problem, turns out that mCrossDomain was
> of value 127, which makes no sense for a boolean.
>

Good catch. This is something the extensive cookiejar test cases did not account for because it requires saving cookies and restarting the cookiejar. The test cases never anticipated that; so I will have to add a test case for this and backport the fix into the 4.10 branch.

> This variable has been present since 2002, which means that the
> "reject cross domain cookies" feature has been broken for 10 years and
> 8 months.
>

Actually that statement is not correct. The "reject cross domain" cookies functionality is not affected by this bug at all. What is affected is far worse and only happens if kded (and hence kcookiejar) is shut down and restarted. When the cookiejar restarts it reloads your saved cookies from a file. Unfortunately it does not explicitly initialize the cross domain flag to false. As a result, all of your saved cookies will be loaded with their cross domain flag set arbitrarily. In your case it seems to be 127. That means none of your saved cookies will work (they will be rejected as cross domain) and you won't be automatically logged into the sites. Depending on your cookie policy settings that is either the correct thing or a bug as is the case here.

The problem is further compounded by the fact that not everyone sees this issue. On my system (gcc 4.7.2), an uninitialized boolean variable seems to always be set to false even when compiled with the optimization on. Hence, I have never been able to reproduce the regression this mistake causes (see https://bugs.kde.org/show_bug.cgi?id=307832).

Anyhow, thanks for debugging and fixing this.



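The reload path discussed in the message above, as an added example that is not part of the original thread and is not kdelibs code: a save/restart/load round trip where the flag is cleared by a default member initializer. The `Cookie` struct, `saveCookie`, `loadCookie`, `acceptedAfterRestart` and the tab-separated line format are hypothetical names and constructed data, and the flag not being persisted is an assumption.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <utility>

// Hypothetical stand-in for a cookie record; not the kdelibs class.
struct Cookie {
    std::string host, name, value;
    // Default member initializer: every constructor, including the one the
    // reload path uses, starts with the flag cleared. Without "= false",
    // "Cookie c;" would leave an indeterminate byte here (127 in the thread).
    bool crossDomain = false;

    Cookie() = default;
    Cookie(std::string h, std::string n, std::string v, bool cross)
        : host(std::move(h)), name(std::move(n)), value(std::move(v)),
          crossDomain(cross) {}
};

// Constructed format: host<TAB>name<TAB>value per line. Assumption: the
// cross-domain flag is request-time state and is not written to disk.
std::string saveCookie(const Cookie& c) {
    return c.host + '\t' + c.name + '\t' + c.value + '\n';
}

// Reload path: the object is default-constructed and then filled field by
// field, which is where a member that is never assigned goes unnoticed.
bool loadCookie(const std::string& line, Cookie& out) {
    std::istringstream in(line);
    Cookie c;  // flag is false only because of the initializer above
    if (!std::getline(in, c.host, '\t') || !std::getline(in, c.name, '\t') ||
        !std::getline(in, c.value))
        return false;  // malformed or truncated line
    out = std::move(c);
    return true;
}

// Round trip standing in for "save, restart, reload": a reloaded cookie
// must not come back flagged cross-domain, or policy would reject it.
bool acceptedAfterRestart(const Cookie& live) {
    Cookie reloaded;
    if (!loadCookie(saveCookie(live), reloaded)) return false;
    return !reloaded.crossDomain && reloaded.value == live.value;
}

int main() {
    Cookie session("example.org", "sid", "abc123", false);  // constructed sample
    std::cout << (acceptedAfterRestart(session) ? "kept" : "rejected") << '\n';
    return 0;
}
```

Because reading an uninitialized `bool` is undefined behaviour, a round-trip test like this does not reliably fail on the unfixed code, which matches the gcc 4.7.2 observation in the message; running it under Valgrind or clang's MemorySanitizer reports the read regardless of what value the byte happens to hold.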