Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-19638

(7.3.z) UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header

    XMLWordPrintable

Details

    • +
    • Hide

      Configure SameSiteCookieHandler with mode="None" and do a request without user-agent, for example by 

      curl -H 'user-agent:' http://someurl
      Show
      Configure SameSiteCookieHandler with mode="None" and do a request without user-agent, for example by curl -H 'user-agent:' http: //someurl

    Description

      If HTTP request doesn't contain user-agent header, the new SameSiteCookieHandler throws NPE if mode is set to "None" and SameSiteNoneIncompatibleClientChecker hasn't been explicitly disabled.

      This is because on SameSiteCookieHandler.java:78 passes exchange.getRequestHeaders().getFirst(Headers.USER_AGENT) directly to io.undertow.util.SameSiteNoneIncompatibleClientChecker, which will try to use the possible null value in regex match, which will throw.

      I know user-agent is usually included, but it's not strictly required by standard and some non-browser clients might not send it.

      Stacktrace:

      java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
        at java.util.regex.Matcher.getTextLength(Matcher.java:1770) ~[?:?]
        at java.util.regex.Matcher.reset(Matcher.java:416) ~[?:?]
        at java.util.regex.Matcher.<init>(Matcher.java:253) ~[?:?]
        at java.util.regex.Pattern.matcher(Pattern.java:1135) ~[?:?]
        at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isIosVersion(SameSiteNoneIncompatibleClientChecker.java:90) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
        at io.undertow.util.SameSiteNoneIncompatibleClientChecker.hasWebKitSameSiteBug(SameSiteNoneIncompatibleClientChecker.java:73) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
        at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isSameSiteNoneIncompatible(SameSiteNoneIncompatibleClientChecker.java:68) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
        at io.undertow.util.SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(SameSiteNoneIncompatibleClientChecker.java:63) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
        at io.undertow.server.handlers.SameSiteCookieHandler.beforeCommit(SameSiteCookieHandler.java:78) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1702 SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-19639 (7.2.z) UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBEAP-19579 (7.3.z) [RH-SSO] Provide support for SameSite cookie None

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              rhn-support-ivassile Ilia Vassilev
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: