  1. JBoss Enterprise Application Platform
  2. JBEAP-19639

(7.2.z) UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header

    Details

    • Target Release:
    • Steps to Reproduce:

      Configure SameSiteCookieHandler with mode="None" and do a request without user-agent, for example by

      curl -H 'user-agent:' http://someurl
      
    • QE Test Coverage:
      +

      Description

      If an HTTP request doesn't contain a user-agent header, the new SameSiteCookieHandler throws an NPE if mode is set to "None" and SameSiteNoneIncompatibleClientChecker hasn't been explicitly disabled.

      This is because SameSiteCookieHandler.java:78 passes exchange.getRequestHeaders().getFirst(Headers.USER_AGENT) directly to io.undertow.util.SameSiteNoneIncompatibleClientChecker, which will try to use the possibly null value in a regex match, which will throw.

      I know user-agent is usually included, but it's not strictly required by the standard and some non-browser clients might not send it.

      Stacktrace:

      java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
              at java.util.regex.Matcher.getTextLength(Matcher.java:1770) ~[?:?]
              at java.util.regex.Matcher.reset(Matcher.java:416) ~[?:?]
              at java.util.regex.Matcher.<init>(Matcher.java:253) ~[?:?]
              at java.util.regex.Pattern.matcher(Pattern.java:1135) ~[?:?]
              at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isIosVersion(SameSiteNoneIncompatibleClientChecker.java:90) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
              at io.undertow.util.SameSiteNoneIncompatibleClientChecker.hasWebKitSameSiteBug(SameSiteNoneIncompatibleClientChecker.java:73) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
              at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isSameSiteNoneIncompatible(SameSiteNoneIncompatibleClientChecker.java:68) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
              at io.undertow.util.SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(SameSiteNoneIncompatibleClientChecker.java:63) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
              at io.undertow.server.handlers.SameSiteCookieHandler.beforeCommit(SameSiteCookieHandler.java:78) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
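
The failure in the stack trace and one way to guard against it, as an added example that is not Undertow's code or the project's fix. The class and method names are hypothetical, the regex and user-agent strings are constructed, and treating a missing header as a compatible client is an assumed policy.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UserAgentNullGuard {
    // Simplified, constructed pattern for the iOS major version (not Undertow's own regex).
    private static final Pattern IOS_MAJOR =
            Pattern.compile("\\(iP.+; CPU .*OS (\\d+)[_\\d]*.*\\) AppleWebKit/");

    // Unguarded form: Pattern.matcher(null) throws NullPointerException,
    // which is the failure shown in the stack trace.
    static boolean isIosVersionUnguarded(int major, String userAgent) {
        Matcher m = IOS_MAJOR.matcher(userAgent);
        return m.find() && Integer.parseInt(m.group(1)) == major;
    }

    // Guarded form: a missing or empty header cannot identify an incompatible
    // client, so answer "no match" before the value reaches the regex engine.
    static boolean isIosVersion(int major, String userAgent) {
        if (userAgent == null || userAgent.isEmpty()) {
            return false;
        }
        Matcher m = IOS_MAJOR.matcher(userAgent);
        return m.find() && Integer.parseInt(m.group(1)) == major;
    }

    // Assumed policy: with no user-agent, keep sending SameSite=None.
    // Only the iOS 12 case is modelled here, as a simplification.
    static boolean shouldSendSameSiteNone(String userAgent) {
        return !isIosVersion(12, userAgent);
    }

    public static void main(String[] args) {
        // Constructed sample values; null models a request with no user-agent header.
        String ios12 = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15";
        String[] samples = { ios12, "curl/7.68.0", "", null };
        for (String ua : samples) {
            System.out.println(ua + " -> sendSameSiteNone=" + shouldSendSameSiteNone(ua));
        }
        try {
            isIosVersionUnguarded(12, null);
        } catch (NullPointerException e) {
            System.out.println("unguarded check threw NPE for a missing header");
        }
    }
}
```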
      

                People

                • Assignee:
                  ivassile Ilia Vassilev
                  Reporter:
                  ivassile Ilia Vassilev