-
Bug
-
Resolution: Done
-
Major
-
2.1.0.Final
-
None
If HTTP request doesn't contain user-agent header, the new SameSiteCookieHandler throws NPE if mode is set to "None" and SameSiteNoneIncompatibleClientChecker hasn't been explicitly disabled.
This is because on SameSiteCookieHandler.java:78 passes exchange.getRequestHeaders().getFirst(Headers.USER_AGENT) directly to io.undertow.util.SameSiteNoneIncompatibleClientChecker, which will try to use the possible null value in regex match, which will throw.
I know user-agent is usually included, but it's not strictly required by standard and some non-browser clients might not send it.
Stacktrace:
java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
at java.util.regex.Matcher.getTextLength(Matcher.java:1770) ~[?:?]
at java.util.regex.Matcher.reset(Matcher.java:416) ~[?:?]
at java.util.regex.Matcher.<init>(Matcher.java:253) ~[?:?]
at java.util.regex.Pattern.matcher(Pattern.java:1135) ~[?:?]
at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isIosVersion(SameSiteNoneIncompatibleClientChecker.java:90) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
at io.undertow.util.SameSiteNoneIncompatibleClientChecker.hasWebKitSameSiteBug(SameSiteNoneIncompatibleClientChecker.java:73) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
at io.undertow.util.SameSiteNoneIncompatibleClientChecker.isSameSiteNoneIncompatible(SameSiteNoneIncompatibleClientChecker.java:68) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
at io.undertow.util.SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(SameSiteNoneIncompatibleClientChecker.java:63) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
at io.undertow.server.handlers.SameSiteCookieHandler$1.beforeCommit(SameSiteCookieHandler.java:78) ~[undertow-core-2.1.0.Final.jar:2.1.0.Final]
- is cloned by
-
-
- Verified
-
- relates to
-
UNDERTOW-1600 Enhance SameSite Cookie support
-
- Resolved
-
