JBEAP-16975

[GSS](7.2.z) UNDERTOW-1548 - Make EAP 7's request cookie parser behavior tunable like EAP 6


      The HTTP/1.1 spec (RFC 2616) says "the special characters MUST be in a quoted string to be used within a parameter value":

         Many HTTP/1.1 header field values consist of words separated by LWS
         or special characters. These special characters MUST be in a quoted
         string to be used within a parameter value (as defined in section
         3.6).
      
             token          = 1*<any CHAR except CTLs or separators>
             separators     = "(" | ")" | "<" | ">" | "@"
                            | "," | ";" | ":" | "\" | <">
                            | "/" | "[" | "]" | "?" | "="
                            | "{" | "}" | SP | HT
      

      When the client sends a V0 cookie whose value contains such special characters without quoting, the request cookie parser behaves differently on EAP 6 and EAP 7.

      For example:

      • example.jsp
      <%
      // Print every request cookie as the container's cookie parser returned it
      Cookie[] cookies = request.getCookies();
      if (cookies != null) {
          for (Cookie cookie : cookies) {
              out.println("cookie key = " + cookie.getName());
              out.println("cookie val = " + cookie.getValue());
          }
      } else {
          out.println("no request cookie");
      }
      %>
      
      • EAP 6/JBossWeb truncates the value at the first special character:
      $ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
      ...
      > GET /test/example.jsp HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: 127.0.0.1:8080
      > Accept: */*
      > Cookie: aaa=bbb"ccc
      > 
      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      < X-Powered-By: JSP/2.2
      < Set-Cookie: JSESSIONID=IfzqpdXPjIXTUc99PUM-ENqx; Path=/test
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 35
      < Date: Fri, 24 May 2019 18:56:23 GMT
      < 
      cookie key = aaa
      cookie val = bbb
      
      • EAP 7/Undertow accepts the whole value, including the special character:
      $ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
      ...
      > GET /test/example.jsp HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: 127.0.0.1:8080
      > Accept: */*
      > Cookie: aaa=bbb"ccc
      > 
      < HTTP/1.1 200 OK
      < Connection: keep-alive
      < X-Powered-By: JSP/2.3
      < Set-Cookie: JSESSIONID=NWNwv_7L0YjYcoNcn_kPGWLk8IDzq7oeiZlQp7QK.t420; path=/test
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 39
      < Date: Fri, 24 May 2019 18:57:22 GMT
      < 
      cookie key = aaa
      cookie val = bbb"ccc
      

      EAP 6 has the "org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0" system property (false by default) to tune this behavior. When ALLOW_HTTP_SEPARATORS_IN_V0 is set to true, EAP 6 accepts the cookie value in the same way as EAP 7.

      It would be good to make EAP 7/Undertow's request cookie parser behavior follow an io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting, for better compatibility with EAP 6.
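      To make the two behaviors concrete, here is a small Python model of the request cookie parsing described above; it is an added example, not code from Undertow, JBossWeb or the issue. The separator set is the one quoted from RFC 2616 above; the function name and the allow_http_separators_in_v0 flag are my own and only mirror the system property's meaning.

```python
# RFC 2616 section 2.2 separators, as quoted above (SP and HT included).
HTTP_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def parse_cookie_header(header, allow_http_separators_in_v0=False):
    """Model of V0 request-cookie parsing; returns a list of (name, value).

    allow_http_separators_in_v0=False mirrors the EAP 6 / JBossWeb default:
    an unquoted value is cut at the first HTTP separator ('bbb"ccc' -> 'bbb').
    True mirrors what the page shows for EAP 7 / Undertow: the raw value up to
    the next ';' is kept ('bbb"ccc' -> 'bbb"ccc').
    Quoted-pair escapes inside quoted strings are not modelled.
    """
    cookies = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' \t;':     # skip padding / empty parts
            i += 1
        start = i
        while i < n and header[i] not in '=;':   # cookie name runs to '='
            i += 1
        name = header[start:i].strip()
        if i >= n or header[i] != '=':           # bare token without a value
            continue
        i += 1
        while i < n and header[i] in ' \t':
            i += 1
        if i < n and header[i] == '"':
            # quoted-string: everything up to the closing quote is the value,
            # separators included; trailing junk before ';' is discarded
            i += 1
            start = i
            while i < n and header[i] != '"':
                i += 1
            value = header[start:i]
            while i < n and header[i] != ';':
                i += 1
        else:
            start = i
            while i < n and header[i] != ';':
                i += 1
            value = header[start:i].strip()
            if not allow_http_separators_in_v0:
                # strict V0 handling: stop at the first separator
                cut = next((k for k, ch in enumerate(value)
                            if ch in HTTP_SEPARATORS), len(value))
                value = value[:cut]
        if name and not name.startswith('$'):    # $Version/$Path are attributes
            cookies.append((name, value))
    return cookies
```

      The practical point for anyone validating or signing cookie values in front of the application server is that the same Cookie header yields different values under the two modes, so that component must parse with the same rule as the server that consumes the cookie.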

              flaviarnn Flavia Rainone
              rhn-support-mmiura Masafumi Miura