Hi Thomas,

Thank you very much for your help.

On 30/11/2014, at 10:19 AM, Thomas Lübking wrote:
> On Samstag, 29. November 2014 22:13:30 CEST, Ian Wadham wrote:
>> IOW, can I offer that as a workaround until we can release your fix? Or
>> does BKO leave stale cookies in the jar?
>
> Had a stale cookie there, might have been added by rekonq or konqueror (I
> usually used qupzilla lately)
> After kicking that (kcmshell4 cookies) the token login worked as well.
>
> DrKonqi added another cookie ("Bugzilla_login_request_cookie"), but that is
> no harm (did a third invalid bug report)
>
> Logging in with konqueror adds a second cookie ("Bugzilla_login") which
> expires 2038 and is among the ones I deleted before. I strongly believe that
> this will break it again, but won't risk to spam another bug for that purpose.
>
> Sum up:
> -------
> a) Password login works with 4.4.6 (at least bugs.kde.org version) and is
> robust against stale cookies in kcookiejar
> b) getting rid of bugs.kde.org cookies fixes token security, but
> c) web login via kio_http (or anything making use of kcookiejar) will (most
> likely) re-add a bad cookie
>
> => Since telling users to delete bugs.kde.org cookies on bugreporting is no
> viable solution, I'd propose to either go for password logins or unleash the
> cookie monster on all cookies from the bugzilla domain. (KCookieJar has a
> promising "eatCookie*" function set, but I'd have to look up how to access
> the global cookie jar.

I have posted a short bulletin about this on
https://bugs.kde.org/show_bug.cgi?id=337742#c54

I will polish up your fix and commit a patch to KDE 4 kde-runtime master.
Do I need to do a reviewboard on that? I hope not… :-(

I will also pass on the good word to Hrvoje, to amend his KF5 patch.

*************************************************************************************
Lastly, how and when is a new KDE 4 kde-runtime patch likely to be released? Albert?
*************************************************************************************

>> You mean you added a spurious report to the live BKO DB? Tsk, tsk… :-)
> One? Three! - By now ;-)
> But I promised to do no more, so please don't make me a liar =)

You are supposed to use bugstest.kde.org, by changing 2 lines in
drkonqi/drkonqi_globals.h…

Cheers, Ian W.