Bug#553169: iceweasel sends malformed Cookie: headers (e.g. for google-analytics)

Mike Hommey mh at glandium.org
Wed Dec 23 15:38:57 UTC 2009


Sorry for the late answer.

On Thu, Oct 29, 2009 at 12:12:25PM +0100, Marc Lehmann wrote:
> Package: iceweasel
> Version: 3.0.6-3
> Severity: normal
> Iceweasel sends malformed Cookie:-headers. A common example are cookies from
> google-analytics, leading to this Cookie:-header:
> Cookie: __utma=73875437.8485834585.4574587886.4535834548.4574587458.1; __utmz=83474878.9498399889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=77383838.Lead
> The problem here is the __utmz cookie, which contains seperator characters
> (neither "=", "(", nor ")" are allowed unquoted).
> I tested three server backend implementations and all stop parsing at the first "=".
> This is often not an issue as those cookies come last, but when an
> application-specific cookie comes after those, many implementations fail
> to see it because of the mangled cookie value.
> (the definition of an unquoted value can be found e.g. in rfc2616).
> The solution is to properly quote the value (as quoted-string).

The fact is, even the servers are not quoting the = signs in the
Set-Cookie headers... RFC 2616 doesn't talk about cookies, but RFC 2109
does, and i do agree the property should be quoted. OTOH, as it
apparently works with the current way, I wonder...


More information about the pkg-mozilla-maintainers mailing list