Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-16975

[GSS](7.2.z) UNDERTOW-1548 - Make EAP 7's request cookie parser behavior tunable like EAP 6

XMLWordPrintable

      HTTP 1/1 spec says "the special characters MUST be in a quoted string to be used within a parameter value":

         Many HTTP/1.1 header field values consist of words separated by LWS
   or special characters. These special characters MUST be in a quoted
   string to be used within a parameter value (as defined in section
   3.6).

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

      When the client sends a V0 Cookie containing such special characters in a cookie value without quoting, a request cookie parser behaves differently between on EAP 6 and EAP 7.

      For example:

      • example.jsp
      <%
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (Cookie cookie: cookies) {
        out.println("cookie key = " + cookie.getName());
        out.println("cookie val = " + cookie.getValue());
    }
} else {
    out.println("no request cookie");
}
%>
      • EAP 6/JBossWeb truncates the value after the special character:
      $ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Cookie: aaa=bbb"ccc
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: JSP/2.2
< Set-Cookie: JSESSIONID=IfzqpdXPjIXTUc99PUM-ENqx; Path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 35
< Date: Fri, 24 May 2019 18:56:23 GMT
< 
cookie key = aaa
cookie val = bbb
      • EAP 7/Undertow accepts the value including special characters:
      $ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Cookie: aaa=bbb"ccc
> 
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: JSP/2.3
< Set-Cookie: JSESSIONID=NWNwv_7L0YjYcoNcn_kPGWLk8IDzq7oeiZlQp7QK.t420; path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 39
< Date: Fri, 24 May 2019 18:57:22 GMT
< 
cookie key = aaa
cookie val = bbb"ccc

      EAP 6 has "org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0" system property (false by default) to tune the behavior. When ALLOW_HTTP_SEPARATORS_IN_V0 is set to true, EAP 6 can accept the cookie value like EAP 7.

      It would be good to make EAP 7/Undertow's request cookie parser behavior conform to io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting for more compatible behavior with EAP 6.

              flaviarnn Flavia Rainone
              rhn-support-mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: