- Enhancement
- Resolution: Done
- Major
- 7.2.1.GA
The HTTP/1.1 spec says "the special characters MUST be in a quoted string to be used within a parameter value":
Many HTTP/1.1 header field values consist of words separated by LWS or special characters. These special characters MUST be in a quoted string to be used within a parameter value (as defined in section 3.6).
    token      = 1*<any CHAR except CTLs or separators>
    separators = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
When the client sends a V0 Cookie containing such special characters in a cookie value without quoting, the request cookie parser behaves differently on EAP 6 and EAP 7.
For example:
- example.jsp
    <%
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                out.println("cookie key = " + cookie.getName());
                out.println("cookie val = " + cookie.getValue());
            }
        } else {
            out.println("no request cookie");
        }
    %>
- EAP 6/JBossWeb truncates the value after the special character:
$ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Cookie: aaa=bbb"ccc
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: JSP/2.2
< Set-Cookie: JSESSIONID=IfzqpdXPjIXTUc99PUM-ENqx; Path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 35
< Date: Fri, 24 May 2019 18:56:23 GMT
<
cookie key = aaa
cookie val = bbb
- EAP 7/Undertow accepts the value including special characters:
$ curl -v http://127.0.0.1:8080/test/example.jsp -H "Cookie: aaa=bbb\"ccc"
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Cookie: aaa=bbb"ccc
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: JSP/2.3
< Set-Cookie: JSESSIONID=NWNwv_7L0YjYcoNcn_kPGWLk8IDzq7oeiZlQp7QK.t420; path=/test
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 39
< Date: Fri, 24 May 2019 18:57:22 GMT
<
cookie key = aaa
cookie val = bbb"ccc
EAP 6 has the "org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0" system property (false by default) to tune this behavior. When ALLOW_HTTP_SEPARATORS_IN_V0 is set to true, EAP 6 accepts the cookie value like EAP 7.
It would be good to make the EAP 7/Undertow request cookie parser conform to an io.undertow.legacy.cookie.ALLOW_HTTP_SEPARATORS_IN_V0 setting, for behavior more compatible with EAP 6.
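The two behaviors shown above, reproduced in a simplified V0 cookie parser with a single switch. This is an added example, not JBossWeb or Undertow code; the class `V0CookieDemo`, its methods, and the flag parameter are hypothetical names, and treating every separator from the quoted grammar the same way is an assumption of the sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: a simplified V0 request-cookie parser (hypothetical, not server code).
public class V0CookieDemo {
    // Separators from the grammar quoted above; ';' is left out because it
    // delimits cookie pairs and is handled by the split below.
    private static final String SEPARATORS = "()<>@,:\\\"/[]?={} \t";

    static Map<String, String> parse(String header, boolean allowHttpSeparatorsInV0) {
        Map<String, String> cookies = new LinkedHashMap<>();
        // Simplification: a ';' inside a quoted value is not supported here.
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;                       // skip malformed pairs
            String name = pair.substring(0, eq).trim();
            String raw = pair.substring(eq + 1).trim();
            cookies.put(name, readValue(raw, allowHttpSeparatorsInV0));
        }
        return cookies;
    }

    static String readValue(String raw, boolean allowSeparators) {
        // A properly quoted string may carry separators in either mode.
        if (raw.length() >= 2 && raw.startsWith("\"") && raw.endsWith("\"")) {
            return raw.substring(1, raw.length() - 1);
        }
        if (allowSeparators) {
            return raw;                                 // lenient: keep the whole value
        }
        for (int i = 0; i < raw.length(); i++) {        // strict: stop at first separator
            if (SEPARATORS.indexOf(raw.charAt(i)) >= 0) {
                return raw.substring(0, i);
            }
        }
        return raw;
    }

    public static void main(String[] args) {
        String header = "aaa=bbb\"ccc";                 // Cookie header value from the curl request above
        System.out.println("strict  (flag=false): " + parse(header, false));
        System.out.println("lenient (flag=true) : " + parse(header, true));
        // Constructed sample: the same kind of value, correctly quoted by the client.
        System.out.println("quoted  (flag=false): " + parse("aaa=\"bbb,ccc\"", false));
    }
}
```

Running both modes over the cookie values an application depends on shows which ones will read differently after a move from EAP 6 to EAP 7.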
- is incorporated by: JBEAP-16775 [GSS](7.2.z) Upgrade Undertow from 2.0.20 to 2.0.22 (Closed)
- is related to: UNDERTOW-1548 Make a request cookie parser behavior tunable with ALLOW_HTTP_SEPARATORS_IN_V0 setting (Resolved)