  1. Undertow
  2. UNDERTOW-366

NullPointerException at io.undertow.util.Cookies.createCookie when cookie starts with ";


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.1.2.Final, 1.2.0.Beta7
    • Affects Version/s: 1.1.0.Final
    • None
    • None

    Description

      An incoming request with a cookie which starts with doublequote+semicolon, like so:

      setHeader("Cookie", "\";")

      causes the following exception in WildFly 8.2:

      java.lang.NullPointerException
      	at io.undertow.util.Cookies.createCookie(Cookies.java:295)
      	at io.undertow.util.Cookies.parseCookie(Cookies.java:230)
      	at io.undertow.util.Cookies.parseRequestCookies(Cookies.java:199)
      	at io.undertow.server.HttpServerExchange.getRequestCookies(HttpServerExchange.java:1035)
      	at io.undertow.server.session.SessionCookieConfig.findSessionId(SessionCookieConfig.java:83)
      	at io.undertow.servlet.spec.SessionCookieConfigImpl.findSessionId(SessionCookieConfigImpl.java:58)
      	at org.wildfly.extension.undertow.session.CodecSessionConfig.findSessionId(CodecSessionConfig.java:56)
      	at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:144)
      	at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:688)
      	at io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:718)
      	at io.undertow.servlet.spec.ServletContextImpl.updateSessionAccessTime(ServletContextImpl.java:722)
      	at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:578)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:308)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      

      It should just have skipped the createCookie when name was null (please don't rethrow another exception, as this otherwise pollutes the server log in case of hacker probes).
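
      The behaviour requested above, sketched as an added example that is not Undertow's code or its actual fix: a simplified Cookie header parser that silently drops any pair without a usable name instead of throwing. The class name `TolerantCookieParser`, its methods and the sample headers are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical, simplified parser; not Undertow's state machine.
public class TolerantCookieParser {

    /** Parses a Cookie request header; malformed pairs are dropped, never thrown. */
    static Map<String, String> parse(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (header == null) {
            return cookies;
        }
        boolean inQuotes = false;
        int start = 0;
        for (int i = 0; i <= header.length(); i++) {
            boolean atEnd = i == header.length();
            char c = atEnd ? ';' : header.charAt(i);
            if (!atEnd && c == '"') {
                inQuotes = !inQuotes;          // a ';' inside quotes is not a separator
            } else if (c == ';' && (!inQuotes || atEnd)) {
                addPair(cookies, header.substring(start, i));
                start = i + 1;
            }
        }
        return cookies;
    }

    private static void addPair(Map<String, String> cookies, String pair) {
        int eq = pair.indexOf('=');
        String name = eq < 0 ? null : pair.substring(0, eq).trim();
        // The guard the report asks for: with no name there is no cookie to create,
        // so skip quietly. Names must also be plain tokens (no quotes, ';' or spaces).
        if (name == null || !name.matches("[!#$%&'*+.^_`|~0-9A-Za-z-]+")) {
            return;
        }
        String value = pair.substring(eq + 1).trim();
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
            value = value.substring(1, value.length() - 1);   // strip surrounding quotes
        }
        cookies.put(name, value);
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the header value from the report.
        String[] samples = { "\";", "a=1; \"; b=2", "sid=\"x;y\"; =orphan; t=ok" };
        for (String s : samples) {
            System.out.println(s + " -> " + parse(s));
        }
    }
}
```

      Because the malformed pair is discarded without an exception, a stream of probe requests with broken Cookie headers produces no stack traces in the server log.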

          People

            sdouglas1@redhat.com Stuart Douglas
            balusc@gmail.com Bauke Scholtz (Inactive)