On 27/08/2014 10:58, Mark Thomas wrote:
> On 27/08/2014 10:38, Konstantin Kolinko wrote:
>> 2014-08-27 13:29 GMT+04:00 Mark Thomas <ma...@apache.org>:
>>>
>>> Bad news: The issue is that if there is a chance of UTF-8 in the header
>>> then you can't simply split the header into individual cookies based on
>>> the separator byte since you can't tell (without decoding to characters)
>>> if a byte represents the separator or is part of a sequence of several
>>> bytes representing some other character.
>>>
>>
>> You can. All separator bytes are 7-bit US-ASCII.
>>
>> BTW, there is also a feature in UTF-8 that you can split it into
>> characters without actually decoding them.
>>
>> I mean "Character boundaries are easily found from anywhere in an
>> octet stream." as said in "1. Introduction" of
>> http://tools.ietf.org/html/rfc3629
>
> Doh. Thanks for the correction. That gives us rather more options (if we
> want/need them).
>
> I had in the back of my mind an old UTF-8 related security issue where
> multi-byte characters were being incorrectly processed and the remaining
> bytes were incorrectly being treated as single byte characters in the range
> 0-127. I need to re-read through that issue to remind myself exactly
> what was going on as with UTF-8 that simply should not be possible.
For the record it was CVE-2008-2938 and what was happening was that a
character that should have been encoded in 1 byte was encoded in multiple
bytes (so the checks for that character didn't see it) and the UTF-8
decoder at the time failed to reject it as it was required to do by the
spec.

Mark

> On a related topic... Since ISO-8859-1 is valid for use in a cookie
> value (BZ 55917) we are going to have to provide an option somewhere to
> select the encoding to use to decode cookie values.
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
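The two points made in the thread above (the separator byte is safe to split on in raw UTF-8 because every byte of a multi-byte sequence is >= 0x80, and a conforming decoder must reject overlong encodings of the kind behind CVE-2008-2938) can be shown in a few lines. The following is an added illustration, not Tomcat code; the header bytes, function names and the overlong sequence are constructed for the example, and the `encoding` parameter stands in for the per-encoding option the thread says will be needed.

```python
"""Byte-level cookie splitting for UTF-8 headers, plus strict decoding.

Added example, not Tomcat's parser. All sample headers are constructed.
"""
from __future__ import annotations

# Constructed Cookie header: two ASCII cookies and two with UTF-8 values
# (U+00E9 "é" is 0xC3 0xA9, U+20AC "€" is 0xE2 0x82 0xAC).
SAMPLE_HEADER = b"a=1; name=caf\xc3\xa9; price=5\xe2\x82\xac"

# Constructed malformed header: 0xC0 0xBB is an overlong two-byte encoding
# of ';' (U+003B). RFC 3629 forbids it; a decoder that accepted it would
# turn it into a separator only after the byte-level split has run.
OVERLONG_HEADER = b"a=1\xc0\xbbb=2"


def is_continuation(b: int) -> bool:
    """UTF-8 continuation bytes are 10xxxxxx; every other byte starts a character."""
    return 0x80 <= b <= 0xBF


def char_boundaries(data: bytes) -> list[int]:
    """Indexes where characters start, found without decoding (RFC 3629, section 1)."""
    return [i for i, b in enumerate(data) if not is_continuation(b)]


def split_cookies(header: bytes) -> list[bytes]:
    """Split on the ';' byte (0x3B). Safe for UTF-8: every byte of a
    multi-byte sequence is >= 0x80, so 0x3B can only ever be the separator."""
    return [part.strip() for part in header.split(b";") if part.strip()]


def decode_cookie(raw: bytes, encoding: str = "utf-8") -> tuple[str, str]:
    """Decode one name=value pair. Python's UTF-8 codec is strict by default and
    raises UnicodeDecodeError on overlong sequences, which is the behaviour the
    spec requires and the CVE-2008-2938 decoder lacked."""
    name, _, value = raw.partition(b"=")
    return name.decode(encoding), value.decode(encoding)


def parse_cookie_header(header: bytes, encoding: str = "utf-8") -> dict[str, str]:
    """Split at the byte level first, then decode each piece with the
    configured encoding (UTF-8 or ISO-8859-1, mirroring the option the
    thread says is needed)."""
    cookies: dict[str, str] = {}
    for raw in split_cookies(header):
        name, value = decode_cookie(raw, encoding)
        cookies[name] = value
    return cookies


def header_is_well_formed(header: bytes, encoding: str = "utf-8") -> bool:
    """True if every cookie decodes strictly under the given encoding."""
    try:
        parse_cookie_header(header, encoding)
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE_HEADER))
    print(char_boundaries(b"caf\xc3\xa9"))
    print(header_is_well_formed(OVERLONG_HEADER))                 # False under UTF-8
    print(header_is_well_formed(OVERLONG_HEADER, "iso-8859-1"))   # True: every byte is a character
```

Two things to note. The overlong header produces a single cookie from `split_cookies`, because the byte 0x3B never occurs in it; only a non-conforming decoder could later manufacture a ';' from the 0xC0 0xBB pair, and the strict decoder refuses the value instead. Under ISO-8859-1 the same bytes are perfectly valid (every byte is one character), which is why the choice of decoding encoding has to be explicit rather than guessed from the bytes.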