Project

General

Profile

Bug #2706

Size of cookies stored by TVHeadend breaks access to other servers (specifically Apache) running on the same machine.

Added by Kev S over 9 years ago. Updated over 9 years ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
User Interface
Target version:
-
Start date:
2015-03-09
Due date:
% Done:

0%

Estimated time:
Found in version:
3.9.2509~ga50f74c
Affected Versions:

Description

When you've changed a few options in TVHeadend (e.g. Filters, shown and hidden columns) and then try to access a page on an Apache server running on the same IP address Apache reports the following error message:-

Bad Request

Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Cookie
/n
Apache/2.2.22 (Ubuntu) Server at 127.0.1.1 Port 80

If you look in Chrome's developer tools you can see that the Cookies are using 8841bytes - however the [[http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize|default Apache limit is 8190]] which means anyone else running Apache and TVHeadend on the same machine is likely to hit the same issue

It's getting rather old having to zap my cookies constantly

I have been able to work round this by setting the Apache option:-
LimitRequestFieldSize 32768
but that didn't work in the shared file!


Cookies                    8841            
scrollPosition        N/A    N/A    N/A    17            
ys-api/bouquet    o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A0%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A299%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A83%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A166%5Esort%3Do%253Afield%253Ds%25253Asource%255Edirection%253Ds%25253AASC%5Efilters%3Do%253Aname%253Ds%25253ACentral%252520E    N/A    N/A    N/A    991            
ys-api/channel    o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A0%25255Ewidth%25253Dn%2525253A31%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A37%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A189%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A50%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A189%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A189%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A37%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A189%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A50%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A50%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A311%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A189%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A189%5Esort%3Do%253Afield%253Ds%25253Aservices%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A    N/A    N/A    N/A    1058            
ys-api/channeltag    o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A0%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A73%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A281%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A281%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A281%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A281%5Esort%3Do%253Afield%253Ds%25253Aname%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A    N/A    N/A    N/A    700            
ys-api/dvr/entry/grid_finished    o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Adetails%25255Ewidth%25253Dn%2525253A46%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A25%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A157%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A157%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A72%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A157%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A157%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A157%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A157%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A157%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A41%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A157%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A16%25255Ewidth%25253Dn%2525253A157%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A    N/A    N/A    N/A    1345            
ys-api/dvr/entry/grid_upcoming    o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Adetails%25255Ewidth%25253Dn%2525253A46%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A182%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A89%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A200%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A200%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A200%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A49%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A49%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A200%25255Ehidden%25253Db%2525253A1%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A    N/A    N/A    N/A    1373            
ys-api/mpegts/mux    o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A0%25255Ewidth%25253Dn%2525253A30%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A37%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A191%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A191%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A191%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A191%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A191%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A191%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A191%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A49%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A191%5Esort%3Do%253Afield%253Ds%25253Atsid%255Edirection%253Ds%25253AASC%5Efilters%3Do%253Anetwork%253Ds%25253A28.2%255Eonid%253Do%25253Aeq%25253Dn%2525253A2    N/A    N/A    N/A    1158            
ys-api/mpegts/service    o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A0

Files

tvh.png (73.3 KB) tvh.png Kev S, 2015-03-09 15:06

History

#1

Updated by Jaroslav Kysela over 9 years ago

Is this a bug? I don't think so.. Anyway, move tvh to another hostname to not share settings with your apache.

#2

Updated by Kev S over 9 years ago

Something which breaks another application, in it's default configuration, is a bug - and with something as widely used as Apache I'm unlikely to be the only one with this combination (in my case Apache is serving up channel icons and a few other sundries - e.g. my energy monitors reporting page and not a publicly facing site)

The "hostname" for Apache is simply the IP address (192.168.6.61), TVHeadend is accessed via 192.168.6.61:9981 - not all of us have internal DNS servers or the ability to setup hostfiles on every machine (and even if I had a mac Bonjour doesn't work via a VPN).

#3

Updated by Jaroslav Kysela over 9 years ago

  • Priority changed from Normal to Low

Think the way that your setup is misconfigured. Apache just does not know how to handle specific tvh cookies because you cannot distinguish the accesses from your browser to one IP address to different services.

The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965.

"""
8.5. Weak Confidentiality

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information.
"""

Also available in: Atom PDF