Bug
Resolution: Done
Major
None
If the HTTP request doesn't contain a User-Agent header, the new SameSiteCookieHandler throws an NPE if the mode is set to "None" and SameSiteNoneIncompatibleClientChecker hasn't been explicitly disabled.
This is because SameSiteCookieHandler.java:78 passes exchange.getRequestHeaders().getFirst(Headers.USER_AGENT) directly to io.undertow.util.SameSiteNoneIncompatibleClientChecker, which tries to use the possibly null value in a regex match, which throws.
I know User-Agent is usually included, but it's not strictly required by the standard, and some non-browser clients might not send it.
Stacktrace:
java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
    at java.util.regex.Matcher.getTextLength(Matcher.java:1770) ~[?:?]
    at java.util.regex.Matcher.reset(Matcher.java:416) ~[?:?]
    at java.util.regex.Matcher.<init>(Matcher.java:253) ~[?:?]
    at java.util.regex.Pattern.matcher(Pattern.java:1135) ~[?:?]
    at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isIosVersion(SameSiteNoneIncompatibleClientChecker.java:90) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
    at io.undertow.util.SameSiteNoneIncompatibleClientChecker.hasWebKitSameSiteBug(SameSiteNoneIncompatibleClientChecker.java:73) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
    at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isSameSiteNoneIncompatible(SameSiteNoneIncompatibleClientChecker.java:68) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
    at io.undertow.util.SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(SameSiteNoneIncompatibleClientChecker.java:63) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
    at io.undertow.server.handlers.SameSiteCookieHandler.beforeCommit(SameSiteCookieHandler.java:78) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
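The failure mode in the report, reproduced in a self-contained example added here (this is not Undertow's code and not part of the original issue). The stack trace shows java.util.regex.Pattern.matcher(CharSequence) being handed the null returned by getFirst(Headers.USER_AGENT); Matcher's constructor calls text.length() and throws. The WebKit-sniffing regex below is a simplified assumption that covers only an iOS 12 style token, and the decision to send SameSite=None when no User-Agent is present is a design choice made for this example: with nothing to match, the spec-compliant attribute is emitted rather than guessing that the client is a known-buggy one.

```java
import java.util.regex.Pattern;

/**
 * Simplified, stand-alone illustration of the User-Agent sniffing that
 * Undertow's SameSiteNoneIncompatibleClientChecker performs before adding
 * SameSite=None. Not Undertow's code; the single pattern is an assumption.
 */
public class SameSiteNoneNullUserAgentDemo {

    // Assumed pattern: an iOS 12 WebKit token such as "(iPhone; CPU iPhone OS 12_1 ...) AppleWebKit/".
    private static final Pattern IOS_12_WEBKIT =
            Pattern.compile("\\(iP.+; CPU .*OS 12[_\\d]*.*\\) AppleWebKit/");

    /** Mirrors the reported defect: Pattern.matcher(null) throws NullPointerException. */
    static boolean shouldSendSameSiteNoneUnsafe(String userAgent) {
        return !IOS_12_WEBKIT.matcher(userAgent).find();
    }

    /**
     * Null-safe variant. An absent or empty User-Agent gives nothing to match,
     * so we fall back to emitting SameSite=None (design choice for this example).
     */
    static boolean shouldSendSameSiteNone(String userAgent) {
        if (userAgent == null || userAgent.isEmpty()) {
            return true;
        }
        return !IOS_12_WEBKIT.matcher(userAgent).find();
    }

    /** Builds a Set-Cookie value for a cross-site cookie using the null-safe check. */
    static String setCookieHeader(String name, String value, String userAgent) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value)
                .append("; Path=/; Secure; HttpOnly");
        if (shouldSendSameSiteNone(userAgent)) {
            sb.append("; SameSite=None");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample User-Agent values for the demo.
        String ios12 = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
                + "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1";
        String curl = "curl/7.68.0";
        String missing = null; // a non-browser client that sends no User-Agent header

        // Known-buggy WebKit: attribute withheld; other clients and no UA: attribute sent.
        System.out.println(setCookieHeader("JSESSIONID", "abc", ios12));
        System.out.println(setCookieHeader("JSESSIONID", "abc", curl));
        System.out.println(setCookieHeader("JSESSIONID", "abc", missing));

        // The unguarded variant reproduces the NPE from the stack trace.
        try {
            shouldSendSameSiteNoneUnsafe(missing);
        } catch (NullPointerException e) {
            System.out.println("unsafe variant threw: " + e);
        }
    }
}
```

When sending a request without User-Agent to a server that uses the unguarded check, any response that sets a cookie fails in beforeCommit, so a non-browser client (or a scanner that deliberately strips the header) can trigger the error on every cookie-setting endpoint; the guard belongs before the regex, not in the handler's caller.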
clones: JBEAP-19638 (7.3.z) UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header (Closed)
is incorporated by: JBEAP-19058 [GSS] (7.2.z) Upgrade Undertow from 2.0.30.SP2-redhat-00001 to 2.0.30.SP4-redhat-00001 (Closed)
is related to: JBEAP-19580 (7.2.z) [RH-SSO] UNDERTOW-1600 - Provide support for SameSite cookie None (Closed)