
Login not working if random cookie with size greater than 1975 is set #2625

Closed
eloo opened this issue Jan 19, 2024 · 6 comments
Labels
🐛 bug-report Something isn't working 🏷️ ReGaHss This refs the ReGaHss component 👍 important This is an important issue/ticket with high priority

Comments


eloo commented Jan 19, 2024

Describe the issue you are experiencing

Hi,
I have found that the login is not working if a random cookie with a size greater than 1975 (not sure if this is the correct number) is set.

I have encountered this because my SSO setup (oauth-proxy & authelia) is setting such a big cookie (around 2400).

I thought first it's related to the cookie name or something, but it seems that it's only the cookie size.
So a random cookie for your site would "work" here.

Maybe it's related to some max-request-size config of lighttpd or something in RaspberryMatic itself.

[Screenshot from 2024-01-19 21-12-47]

Describe the behavior you expected

I would expect that a random cookie does not produce login issues.

Steps to reproduce the issue

  1. Open the Raspberry Matic Login Page
  2. Open Developer tools in your browser
  3. Go to Application
  4. Go to Cookies
  5. Add a Cookie with a size around 2000 (check example from screenshot) (maybe you need greater cookies)
  6. Try to login
  7. Get redirect to login page instead of being logged in
  8. Go again into the cookies tab
  9. Reduce the size of the cookie
  10. Try again
  11. Get logged in

What is the version this bug report is based on?

3.73.9.20231130

Which base platform are you running?

oci (Open Container Infrastructure)

Which HomeMatic/homematicIP radio module are you using?

n/a

Anything in the logs that might be useful for us?

no

Additional information

No response

@eloo eloo added the 🐛 bug-report Something isn't working label Jan 19, 2024
@jens-maus jens-maus added the 🏷️ WebUI This refs the WebUI component label Jan 19, 2024
@jens-maus jens-maus added this to the future release milestone Jan 19, 2024
@jens-maus (Owner) commented

Thanks for this interesting observation. I could perfectly reproduce that issue. However, I didn't find any quick solution/fix for it. Perhaps someone else (@jp112sdl ?) might have an idea where exactly such long cookies are currently blocking the WebUI logins...

@jp112sdl (Contributor) commented

Maybe lighttpd-error.log helps:

2024-01-20 22:16:49: (../src/http-header-glue.c.1341) read() 140 63: Connection reset by peer
2024-01-20 22:16:49: (../src/gw_backend.c.2396) response already sent out, but backend returned error on socket: tcp:127.0.0.1:8183 for /pages/index.htm?NoAutoLogin=true, terminating connection

I don't have other suggestions or ideas.

@eloo (Author)

eloo commented Jan 26, 2024

@jens-maus I'm glad that you could reproduce it 👍
At least now it's known :D

But yes, that's a really weird issue.
My best guess so far is that "some component" here has issues handling such big headers.
As I have not found anything in the lighttpd config here (and I guess such a well-known HTTP server can handle such cookies or would throw a proper error), I guess it's related to the "upstream" component...

But I really don't have any idea what component that is... something in OCCU maybe, which is serving the APIs and WebUI.

But that's just guessing, as I'm not familiar with all the components here.

@jens-maus jens-maus added 🏷️ ReGaHss This refs the ReGaHss component and removed 🏷️ WebUI This refs the WebUI component labels Jan 28, 2024
@jens-maus jens-maus added the 👍 important This is an important issue/ticket with high priority label Jan 28, 2024
@jens-maus (Owner) commented

Ok, after some further investigation it seems this is a bug/issue in the internal web server of the ReGaHss logic engine component in the CCU/OCCU. It seems some internal buffer size is exceeded in case a large HTTP header is submitted to the web server, making it unable to parse the login part accordingly. Thus, this needs some further investigation and a fix.
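As an added illustration of the failure mode described in this comment and exercised by the reproduction steps above (this is example code written for this page, not code from RaspberryMatic, OCCU or ReGaHss): a Python model of a request parser that reads into a fixed-size buffer and parses whatever arrived, next to one that bounds the header block explicitly. In the fixed-buffer version a large Cookie header pushes the end of the headers past the buffer, so the login form body is silently empty and the user is bounced back to the login page; the bounded version answers with an explicit 431 instead of mis-parsing. The buffer size (2048), the login path, the cookie name, the form fields and the credentials are all assumptions.

```python
"""Constructed model of the issue: fixed-buffer header parsing silently drops
the login form once a large Cookie header fills the buffer, while a parser
that bounds the header block rejects oversized headers explicitly (HTTP 431).
All sizes, paths, names and credentials are assumptions, not ReGaHss values."""

FIXED_BUFFER = 2048                                        # assumed read buffer of the buggy parser
EXPECTED = {"username": "Admin", "password": "secret"}     # constructed credentials
LOGIN_BODY = "sid=0&username=Admin&password=secret"         # constructed login form body


def build_login_request(cookie_size: int, host: str = "ccu.example") -> bytes:
    """Build a login POST carrying a cookie of `cookie_size` filler bytes,
    mirroring the 'random cookie' from the reproduction steps."""
    cookie = "_oauth2_proxy=" + "x" * cookie_size           # cookie name is assumed
    return (
        "POST /login.htm HTTP/1.1\r\n"                       # login path is assumed
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(LOGIN_BODY)}\r\n"
        "\r\n" + LOGIN_BODY
    ).encode()


def _parse_head(head: bytes) -> dict:
    """Parse the 'Name: value' lines after the request line into a lowercase dict."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def _parse_form(body: bytes) -> dict:
    """Decode a form body into key/value pairs (no percent-encoding in this sample)."""
    return dict(p.split("=", 1) for p in body.decode(errors="replace").split("&") if "=" in p)


def parse_fixed_buffer(raw: bytes) -> dict:
    """Buggy pattern: read at most FIXED_BUFFER bytes and treat them as the
    whole request. If the header block does not end inside the buffer, the
    body, and with it the login form, is silently empty."""
    chunk = raw[:FIXED_BUFFER]
    head, terminator, body = chunk.partition(b"\r\n\r\n")
    params = _parse_form(body) if terminator else {}
    return {"status": 200, "headers": _parse_head(head), "params": params}


def parse_bounded(raw: bytes, max_header_bytes: int = 8192) -> dict:
    """Hardened pattern: look for the end of the header block only within an
    explicit limit, fail loudly (431 Request Header Fields Too Large) when it is
    not found, and read the body by Content-Length rather than by buffer edge."""
    end = raw.find(b"\r\n\r\n", 0, max_header_bytes + 4)
    if end < 0:
        return {"status": 431, "headers": {}, "params": {}}
    headers = _parse_head(raw[:end])
    length = int(headers.get("content-length", "0"))
    body = raw[end + 4 : end + 4 + length]
    return {"status": 200, "headers": headers, "params": _parse_form(body)}


def login_outcome(parsed: dict) -> str:
    """What the user sees: logged in, redirected back to the login page
    (credentials missing or mangled), or an explicit HTTP error."""
    if parsed["status"] != 200:
        return f"http_{parsed['status']}"
    params = parsed["params"]
    ok = all(params.get(k) == v for k, v in EXPECTED.items())
    return "logged_in" if ok else "redirect_to_login"


def largest_working_cookie(parser=parse_fixed_buffer, limit: int = 4096) -> int:
    """Largest cookie size that still logs in under `parser`. The threshold
    depends on everything else in the request (request line, other headers,
    form body), which is why a reporter can only guess a number like 1975."""
    best = -1
    for size in range(limit):
        if login_outcome(parser(build_login_request(size))) == "logged_in":
            best = size
    return best


if __name__ == "__main__":
    for size in (100, 2400):
        req = build_login_request(size)
        print(size, login_outcome(parse_fixed_buffer(req)),
              login_outcome(parse_bounded(req)),
              login_outcome(parse_bounded(req, max_header_bytes=FIXED_BUFFER)))
    print("fixed-buffer threshold in this model:", largest_working_cookie())
```

Running the block shows the symptom from the report: with a 100-byte cookie both parsers log in, with a 2400-byte cookie the fixed-buffer parser reports a redirect to the login page while the bounded parser either succeeds (limit 8192) or returns an explicit 431 (limit 2048). The threshold the scan finds is a property of the whole request, not of the cookie alone, so the safe check for an operator is not "is my cookie under N bytes" but "does the server answer oversized headers with a clear error instead of a silent redirect".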

@jens-maus jens-maus moved this to In progress in ReGaHss improvements/fixes Jan 28, 2024
@jens-maus jens-maus moved this from In progress to Done in ReGaHss improvements/fixes Feb 15, 2024
@jens-maus (Owner) commented

@eloo Please note that with the next nightly snapshot RaspberryMatic will come with ReGaHss R1.00.0388.0237, which should fix this issue. So if you can, please re-test then and see if everything is working as expected.

@eloo (Author)

eloo commented Mar 17, 2024

@jens-maus just tested the latest version and it looks like the fix is working as expected.
I can log in while having a 2500-byte cookie.

Thanks

No branches or pull requests

3 participants