Bug
Resolution: Done
Major
1.0.15.Final
An incoming request with a cookie without a name, like so:
setHeader("Cookie", "=foo")
causes the following exception in WildFly 8.1:
Exception level 0: java.lang.StringIndexOutOfBoundsException: String index out of range: 0
    at java.lang.String.charAt(String.java:646)
    at io.undertow.util.Cookies.createCookie(Cookies.java:277)
    at io.undertow.util.Cookies.parseCookie(Cookies.java:254)
    at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:181)
    at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1003)
    at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
    at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
    at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
    at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:142)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:677)
    at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:707)
    at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:711)
    at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:522)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:287)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
It should just have skipped the cookie (please don't throw an exception, as this otherwise pollutes the server log in case of hacker probes).
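The failure mode reported above, reproduced in a simplified parser as an added example (not Undertow's source and not code from this issue). The class and method names are hypothetical, and the `'$'` prefix test is an assumed reason for inspecting the first character of the name; the hardened variant skips a nameless cookie and keeps parsing the rest of the header.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Undertow's source: a simplified Cookie header parser.
public class CookieHeaderDemo {

    // Unsafe pattern: reads the first character of the name without
    // checking that the name is non-empty.
    static void putUnsafe(Map<String, String> out, String name, String value) {
        if (name.charAt(0) == '$') { // throws StringIndexOutOfBoundsException for ""
            return;                  // assumed: '$'-prefixed attributes are not cookies
        }
        out.put(name, value);
    }

    // Hardened pattern: a pair with an empty name is silently skipped.
    static void putSafe(Map<String, String> out, String name, String value) {
        if (name.isEmpty() || name.charAt(0) == '$') {
            return;
        }
        out.put(name, value);
    }

    static Map<String, String> parse(String header, boolean safe) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue; // no '=' at all: not a name=value pair
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (safe) putSafe(cookies, name, value);
            else putUnsafe(cookies, name, value);
        }
        return cookies;
    }

    public static void main(String[] args) {
        String header = "=foo; JSESSIONID=abc123"; // constructed sample input
        System.out.println("hardened: " + parse(header, true));
        try {
            parse(header, false);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("unsafe: " + e);
        }
    }
}
```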