Re: Cookies are broken in 6.0.16?

Sat, 09 Feb 2008 14:35:10 -0800

> response.addCookie(new Cookie("test_cookie3", "123===")) looks like something which should be working.
Honestly, this is not user driven - it's only server programmer driven. I would dare to say this is either absolutely horrible server side programming or a possible attempt at a hack/attack and drop the request altogether. If you really need an equals sign in your cookie data, then you must URL Encode it. If multiple equal signs appear unencodede, then it's malformed and should be rejected outright. 

- Jim



On Sat, 2008-02-09 at 13:03 +0000, Mark Thomas wrote:

  

Maik Jablonski wrote:

    

Hi,

I've just encountered that Cookies seem to be a little bit broken in
6.0.16. If you want to read a cookie which ends on one or more
equals-sign (=), the equals-signs are removed by Tomcat when the
cookie is read.

Is it a bug or a "undocumented" change?

      

It is neither. The changes are documented in the change log. As a result of
a couple of minor security issues (see
http://tomcat.apache.org/security-6.html) the cookie handling code has been
tightened up to make it spec compliant.

By default the servlet spec uses version 0 cookies. The name value pairs
are defined as:
<spec-quote>
NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma and
white space. If there is a need to place such data in the name or value,
some encoding method such as URL style %XX encoding is recommended, though
no encoding is defined or required.
</spec-quote>

The difficulty here is that although '=' is the delimiter between NAME and
VALUE there is no need to encode it if it appears in the name or the value.
This causes some ambiguities when parsing a header of the form:
Set-Cookie: foo=bar=bartoo

Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?

The changes to the cookie parsing mean the second '=' and any text beyond
it are now ignored.

If you set the cookie version to 1 then the quoting will be applied where
necessary and your example will work as you intend.

    


It seems to me like an annoying regression. response.addCookie(new
Cookie("test_cookie3", "123===")) looks like something which should be
working. Are you sure there's nothing that could be done about it ?
Maybe some additional encoding for '=' when not quoting ?

Rémy



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


  
























					Reply via email to