https://bz.apache.org/bugzilla/show_bug.cgi?id=57896
Bug ID: 57896
Summary: Option to preserve original cookie header when
unquoting cookie value
Product: Tomcat 6
Version: 6.0.43
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com
This issue was originally fixed by introducing a new configuration option in
Tomcat 8 in r1448679 (for 8.0.0), backported to Tomcat 7 in r1675821 (for
7.0.62). It has not been fixed in Tomcat 6 yet.
I am filing this into Bugzilla to better document the problem.
The problem is that method "unescapeDoubleQuotes" modifies bytes in the buffer
that it is processing
(The method is LegacyCookieProcessor.unescapeDoubleQuotes() in current Tomcat
8, ServerCookie.unescapeDoubleQuotes() in current Tomcat 7 and 6).
As such, the value of original "cookie" HTTP header is corrupted. It can be
noted by calling request.getHeader("cookie") or by logging the header value in
AccessLogValve.
Steps to reproduce with current Tomcat 6 (6.0.43), Firefox 37.0.2:
1. Configure an AccessLogValve to log incoming "cookie" and outgoing
"set-cookie" HTTP headers.
That is, uncomment AccessLogValve in Host element of server.xml and set the
following value for pattern attribute:
pattern="%h %l %u %t "%r" %s %b [Cookie received: %{cookie}i]
[Set-Cookie sent: %{set-cookie}o]"
2. Start Tomcat and open Servlets Examples -> Cookies page in examples web
application,
http://localhost:8080/examples/servlets/servlet/CookieExample
3. Fill the form to create a cookie and submit it:
Name: foo
Value: bar "baz"
4. Re-visit the Cookies example page, so that browser sends you the cookie that
was created.
5. Look into access log file.
The logs look like the following:
127.0.0.1 - - [07/May/2015:15:25:37 +0400] "GET
/examples/servlets/servlet/CookieExample HTTP/1.1" 200 637 [Cookie received: -]
[Set-Cookie sent: -]
127.0.0.1 - - [07/May/2015:15:28:24 +0400] "POST
/examples/servlets/servlet/CookieExample HTTP/1.1" 200 809 [Cookie received: -]
[Set-Cookie sent: foo="bar \"baz\""; Version=1]
127.0.0.1 - - [07/May/2015:15:28:42 +0400] "GET
/examples/servlets/servlet/CookieExample HTTP/1.1" 200 714 [Cookie received:
foo="bar "baz"\""] [Set-Cookie sent: -]
Actual value:
[Cookie received: foo="bar "baz"\""]
Expected value:
[Cookie received: foo="bar \"baz\""]
Notes:
======
1. This happens only with unquoting of '"' character. No other character are
unquoted by unescapeDoubleQuotes() method.
2. Current specification of cookies (RFC6265) defines that cookie values cannot
contain double quote and backslash characters. A well-behaving web application
should not create cookies whose values contain such characters.
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash
3. The fix introduced new system property,
org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER
It defaults to 'false'. By default you have to opt-in for this fix by setting
that property to 'true'.
When running in "strict servlet compliance" mode, that setting defaults to
'true' and the fix is enabled.
The new Rfc6265CookieProcessor implementation of CookieProcessor that is
available as an opt-in feature in Tomcat 8 does not have this bug and is not
affected by that configuration option.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
