JBEAP-11442 (JBoss Enterprise Application Platform)

[GSS](7.0.z) RFC6265 compliant cookie validation


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.0.8.CR1, 7.0.8.GA
    • Affects Version/s: 7.0.5.GA
    • Component/s: Undertow
    • Labels: None
    • Target Release: EAP 7.0.8

      Undertow does not conform to Set-Cookie syntax defined in the cookie specification.

      RFC6265 (Section 4.1 Set-Cookie) states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.

      However, Undertow does not restrict the invalid characters. For example, when accessing the following JSP, which adds one of the invalid characters (whitespace) to the cookie value:

          Cookie c = new Cookie("example","example cookie");

      Undertow responds with the following Set-Cookie header, but this is not a correct Set-Cookie header according to RFC6265:

      Set-Cookie: example=example cookie

      Note: The previous cookie specifications (RFC2109 and RFC2965) allowed some of these characters in a cookie value when the cookie value was quoted (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications). EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and will automatically quote a cookie value (also path and domain) when the value contains any separator characters which should be quoted.
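      As an added example (not Undertow or EAP code), the following Java class checks a cookie value against the RFC6265 cookie-octet grammar described above. It also shows that the old RFC2109-style quoted form does not become RFC6265-compliant merely by being quoted, because the octets inside the quotes must themselves be cookie-octets.

```java
import java.util.Arrays;

// Added example, not Undertow/EAP code. Checks a cookie value against the
// RFC 6265 grammar the issue cites (section 4.1.1):
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
//   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
//   i.e. US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon, backslash
public final class CookieValueCheck {

    /** True if c is a cookie-octet as defined by RFC 6265. */
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    /**
     * Index of the first disallowed character, or -1 if the value is valid.
     * One surrounding pair of DQUOTEs is allowed by the grammar, but the octets
     * inside must still be cookie-octets, so the RFC 2109-style quoted
     * "example cookie" is still not valid under RFC 6265.
     */
    static int firstInvalidIndex(String value) {
        int start = 0, end = value.length();
        if (end >= 2 && value.charAt(0) == '"' && value.charAt(end - 1) == '"') {
            start = 1;
            end -= 1;
        }
        for (int i = start; i < end; i++) {
            if (!isCookieOctet(value.charAt(i))) {
                return i;
            }
        }
        return -1;
    }

    static boolean isValidCookieValue(String value) {
        return firstInvalidIndex(value) == -1;
    }

    public static void main(String[] args) {
        // Constructed samples: the issue's value, its legacy quoted form, a valid one.
        for (String v : Arrays.asList("example cookie", "\"example cookie\"", "example_cookie")) {
            int bad = firstInvalidIndex(v);
            System.out.printf("Set-Cookie: example=%s -> %s%n", v, bad < 0 ? "valid"
                : "INVALID: 0x" + Integer.toHexString(v.charAt(bad)) + " at index " + bad);
        }
    }
}
```

      Running it reports the space (0x20) in both "example cookie" and its quoted form as the first disallowed character, while example_cookie passes.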

            Stuart Douglas (sdouglas1@redhat.com)
            Masafumi Miura (rhn-support-mmiura)
            Michael Cada