Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-366

NullPointerException at io.undertow.util.Cookies.createCookie when cookie starts with ";

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 1.1.2.Final, 1.2.0.Beta7
    • 1.1.0.Final
    • None
    • None

      An incoming request with a cookie which starts with doublequote+semicolon like so 

      setHeader("Cookie", "\";")

      causes the following exception in WildFly 8.2

      java.lang.NullPointerException
	at io.undertow.util.Cookies.createCookie(Cookies.java:295)
	at io.undertow.util.Cookies.parseCookie(Cookies.java:230)
	at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:199)
	at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1035)
	at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
	at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
	at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
	at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:144)
	at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:688)
	at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:718)
	at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:722)
	at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:578)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:308)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

      It should just have skipped the createCookie when name was null (please don't rethrow another exception as this otherwise pollutes server log in case of hacker probes)

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              balusc@gmail.com Bauke Scholtz (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: