Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-2082

HTTP/2 doesn't reassemble cookie headers violating rfc7540 8.1.2.5

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 2.3.0.Final
    • None
    • Core
    • None

    Description

      https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5 states

      To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.

      When an HTTP/2 request which multiple cookie headers is send to Undertow, the following happens:

      • The HTTPServertExchange has all cookies
      • The HTTPServletRequest has all cookies
      • The multiple cookie headers are NOT combined into a single cookie header again per the spec

      This breaks applications who do their own parsing of the cookie header and only grab the first (or last) cookie header as they will only "see" one cookie.  It is forbidden to have more than one cookie header in HTTP/1.

      Undertow needs to correctly reassemble multiple cookie headers from HTTP/2 requests into a single header so app can properly parse the header manually.

      Attachments

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Pull Request Sent

          Activity

            People

              rhn-cservice-bbaranow Bartosz Baranowski
              bdw429s Brad Wood
              Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: