Page MenuHomePhabricator

Cookie problem when database name contains dot or plus
Closed, ResolvedPublic


Author: mquinton

In the site here, database name and username are fixed by my ISP ( So I
can't change them.
Wikimedia 1.5.1 could not work as is because I could not keep my login. Password
where OK
but was not setup correctly because cookies are prefixed with database name.

But cookies do not support names with dots so cookies are received in php with
that form :


Dots are converted to underline.

So I need make a patch to correct that. I've created a $wgCookiePrefix variable
that can have by default a value of $wgDBname. And then I need to change
all acces to cookies mainly in includes/SpecialUserlongin.php and

I can submit a patch.

Version: 1.10.x
Severity: normal
OS: Linux
Platform: PC



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 8:55 PM
bzimport set Reference to bz3826.
bzimport added a subscriber: Unknown Object (MLST).

andersk wrote:

This is also a problem when the database name contains a + sign (my database
host only lets me create databases named username+suffix), and possibly other

Can you post your patch?

andersk wrote:

I experimentally determined an exaustive list of bad characters:

=,; +."'\[

The first four are disallowed, the next two are silently converted into _, the
next three are silently escaped with a backslash, and the last is used for
cookie arrays. I've updated my patch to replace all these characters with _:


andersk wrote:

Huh. It seems that all of my patch got applied in 1.5.7 except the one important
line, which now needs to be:

$wgCookiePrefix = strtr($wgCookiePrefix, "=,; +.\"\'\\[", "__________");

mquinton wrote:

this probleme is still present with MediaWiki 1.1.7. You can edit
includes/Setup.php, line 119, just add :

$wgCookiePrefix = str_replace('.', '_', $wgCookiePrefix);

Created attachment 3453
Remove bad characters from the cookie name

It might fix Bug 3535 too.

attachment armored_cookie_name.patch ignored as obsolete

Uh, that str_replace in the patch doesn't sound like it'll do the job.

andersk wrote:

What exactly is wrong with my patch (see comment #3 and comment #4)? I’ve had
this carefully designed, well tested, working patch sitting around for over a
year, deployed on several production wikis—and for some unfathomable reason,
everyone is trying to (incorrectly!) rewrite the one critical line of it that
wasn't already integrated in 1.5.7…

$wgCookiePrefix = strtr($wgCookiePrefix, "=,; +.\"\'\\[", "__________");

andersk wrote:

The remaining one line of my patch.

attachment mediawiki-fix-cookieprefix.patch ignored as obsolete

ayg wrote:

Note that it should probably be

"=,; +.\"'\\["

i.e., minus the extra \ before the '. That will be printed literally,
otherwise, making it 11 characters -> 10 characters. It could even be

"=,; +.\"'\["

With that modification the patch should work as intended (rather than almost as
intended, with [ not getting converted: "the extra characters in the longer of
the two are ignored"). Sorry for the delay, we can take a while on these things
if we get to them at all . . .

andersk wrote:

The remaining one line of my patch, revised

Thanks, that’s more helpful. Here’s a revised patch.