Hi Mark,
On 10.01.22 at 22:50, Mark Thomas wrote:
On 07/01/2022 15:02, Christopher Schultz wrote:
Our only official feedback on your publication is that we do not
consider it a security vulnerability that warrants a CVE, coordinated
disclosure, etc. We would be happy to have you raise this issue on
the development mailing list where we can openly discuss options for
hardening Tomcat installations.
I was looking at options for hardening this and it was fairly simple
to limit the log message to just the invalid cookie so I'll be
committing a change to that effect shortly.
Happy to have further discussions on alternative approaches on the
dev@ list if there is interest in that.
Mark
I reviewed that commit & approach and that is fine for me as mitigation.
But there is maybe another approach. During my research I encountered
most of the time one of two cases:
timestamp; key1=value1; key2=value2;... OR key1=value1; key2=value2;...;timestamp
I didn't take a deeper look at why browsers add the timestamp to the
cookie header, so ignoring the timestamp and logging it once seems fine to
me. But in case of multiple broken cookies, maybe all malformed content
of the header should be logged on INFO and not just once? I usually
don't like approaches which distinguish between expected malformed
content and unexpected malformed content, but on the other hand, if
malformed content appears way too often it might be worth having that
information.
Regarding my reported possible CVE, that behavior wouldn't have any
impact, since the key-value pairs of the cookies were always valid. The
most common and probably only issue was a stand-alone timestamp in the
cookie header, leading the parser to print the entire header.
Joscha
--
neuland - Büro für Informatik GmbH
Konsul-Smidt-Str. 8g, 28217 Bremen
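To make the difference between the three logging strategies discussed above concrete, here is a small stand-alone cookie-header parser (added illustration, not Tomcat's own code): it splits on `;`, keeps only well-formed `name=value` pairs, and builds the INFO line either from the whole header (the behaviour Joscha reported), from the first malformed segment only (in the spirit of Mark's change), or from every malformed segment (Joscha's suggestion). The header value, cookie names and the `mode` parameter are constructed for the example.

```python
import logging
import re
from dataclasses import dataclass, field

log = logging.getLogger("cookie-demo")

# RFC 6265 token characters: a cookie-pair is token "=" cookie-value.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class ParseResult:
    pairs: dict = field(default_factory=dict)     # accepted name=value pairs
    rejected: list = field(default_factory=list)  # malformed segments, in order
    log_message: str = ""                         # what the INFO line would say


def parse_cookie_header(header: str, mode: str = "first") -> ParseResult:
    """Keep well-formed name=value pairs; record what would be logged.

    mode "header": log the whole header (the reported behaviour: a bare
                   timestamp makes every session cookie end up in the log)
    mode "first":  log only the first malformed segment
    mode "all":    log every malformed segment, once each
    """
    result = ParseResult()
    for segment in header.split(";"):
        seg = segment.strip()
        if not seg:
            continue
        name, sep, value = seg.partition("=")
        if sep and _TOKEN.match(name):
            result.pairs[name] = value.strip()
        else:
            # A bare timestamp has no '=' and lands here (hypothetical case).
            result.rejected.append(seg)
    if result.rejected:
        if mode == "header":
            result.log_message = "Invalid cookie header: " + header
        elif mode == "first":
            result.log_message = "Invalid cookie segment: " + result.rejected[0]
        else:
            result.log_message = "Invalid cookie segments: " + "; ".join(result.rejected)
        log.info(result.log_message)
    return result


# Constructed sample: bare timestamp first, then a session cookie that must
# stay out of the log.
SAMPLE = "1641826253; JSESSIONID=ABC123SECRET; theme=dark"
```

With `mode="header"` the session cookie value appears in the log line; with the other two modes only the rejected segments do, while the valid pairs are still returned for normal request processing.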