[Webkit-unassigned] [Bug 16122] When posting to these boards, all Safari users have "webkitformboundary-gibberish" appended to their name and message

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 26 01:36:12 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=16122





------- Comment #16 from billmonk2 at gmail.com  2009-03-26 01:36 PDT -------
To test, running an unpatched WebKit go to any of 

http://www.comicscommunity.com/boards/brereton/

http://wwwboard.modelcarkits.com/

http://www.misterguitar.us/cgi-bin/chetboard.pl


Click any existing post

Fill in these fields:

Name: any text
Anti-Spam (if field is present):5
Email: leave blank or any text
Subject: any text
Message: any text

At bottom of page, click "Preview Message" repeatedly.

Without the patch, "------WebKitFormBoundary<random chars>+<random chars>" etc
will eventually appear in multiple fields.

Continue clicking. More occurrences will appear at random, if the boundary text
contains a '+'.
Note the text in, say, the Subject field, and delete it. Retype first character
of the original subject. Popup menu appears with many choices containing
"------WebKitFormBoundary" variants.


Now switch to patched WebKit. 
In Safari->Preferences->AutoFill->other forms, remove any entries for the site
being tested.
Clear and reenter all fields
Repeatedly click Preview Message. 
Confirm that "------WebKitFormBoundary..." does not appear even after many
attempts.

To test on the server side, it is necessary to set up a WebBBS board using the
scripts at http://awsd.com/download/webbbs/webbbs_files.zip
This is rather a hassle to set up but runs fine on any Mac under Apache in OS
X.
In the file webbbs_post.pl, in Parse_Post, set up some logging to confirm that
'+' characters are no longer appearing in form boundaries sent by WebKit.
The location of the specific WebBBS bug is in earlier comments above - boundary
text is used as a regex, without escaping metacharacters, causing
the script to incorrectly indentify boundaries as user text when a + appears in
a boundary.

While individual admins may be amenable to patching their installs of WebBBS,
the base distribution has not been updated since 2002 so it seems likely this
bug will continue to propagate for as long as the perl source remains
available.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list