Events calendar mystery solved

On Mar 4, 2013, at 11:17 AM, Wendy Verrei-Berenback <wverreib@uvm.edu> wrote:

Disallowed Key Characters: pspw1-8520-PORTAL-PSJSESSIONID
using Firefox 19

The Events Calendar code uses a “software framework” (see http://en.wikipedia.org/wiki/Software_framework ) called CodeIgniter. When processing any sort of input (URL, form input via GET or POST, or cookies), CodeIgniter tries to “sanitize” the input to remove or exclude any data that may be malicious in nature.

In particular, CodeIgniter goes through every cookie set by ANY application in the uvm.edu domain. Why? Because it can, and cookies are only identified by hostname (catalyst.uvm.edu) or domain name (uvm.edu), not by the application that deposited them. This is a bit of overkill, as we have a lot of applications. CodeIgniter took exception to any cookie whose name was NOT constructed solely of the characters a through z, A to Z, 0 to 9, “:”, “_”, and “/”.

Any UVM application using WebAuth, like the mediamanager, was producing a key named

webauth_ct_krb5_krbtgt/uvm.edu@uvm.edu

Sorry, “@” and “.” are disallowed: they are outside the above set.

PeopleSoft?

pspw1-8520-PORTAL-PSJSESSIONID
pspw2-8520-PORTAL-PSJSESSIONID

“-” disallowed.

I locally extended the CodeIgniter core Input class to accept “@”, “-”, and “.” when examining cookies (but not when sanitizing URLs or form input). This error should trouble us no more.
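The per-source allowlist described above, as an added example that is not code from the original post or from CodeIgniter: a standalone model of the key check with the strict set for form input and the extended set for cookie names. The function names, the `events_session` cookie and the cookie values are assumptions made for illustration.

```php
<?php
// Added example, not CodeIgniter's code: a standalone model of the key check
// described in the post. Function names are hypothetical.

// Character sets from the post: the strict set for every input key, plus
// "@", "-" and "." for cookie names only.
const STRICT_CLASS = 'a-zA-Z0-9:_\/';
const COOKIE_EXTRA = '@.\-';

/** Characters of $key that fall outside the allowlist for $source. */
function offending_chars(string $key, string $source): array
{
    $class = STRICT_CLASS . ($source === 'cookie' ? COOKIE_EXTRA : '');
    // Strip every allowed character; whatever remains is disallowed.
    $rest = preg_replace('/[' . $class . ']/', '', $key);
    return $rest === '' ? [] : array_values(array_unique(str_split($rest)));
}

/** Split a Cookie request header into its cookie names. */
function cookie_names(string $header): array
{
    $names = [];
    foreach (explode(';', $header) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '') {
            $names[] = $name;
        }
    }
    return $names;
}

// Constructed Cookie header: names are the ones quoted in the post plus a
// made-up "events_session"; values are placeholders.
$header = 'events_session=abc123; webauth_ct_krb5_krbtgt/uvm.edu@uvm.edu=x; '
        . 'pspw1-8520-PORTAL-PSJSESSIONID=y';

foreach (cookie_names($header) as $name) {
    foreach (['post', 'cookie'] as $source) {
        $bad = offending_chars($name, $source);
        printf("%-6s %-40s %s\n", $source, $name,
            $bad === [] ? 'accepted' : 'rejected: ' . implode(' ', $bad));
    }
}
```

Each name is checked twice: as a form key, where the WebAuth and PeopleSoft names are still rejected with the offending characters listed, and as a cookie name, where all three are accepted.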

About Wesley Wright

Born on a mountain top near New York City, Craziest state in the land of the pretty. Raised in the woods so's he knew every tree, Killed him a bear when he was only three.