Bug 55918

Summary: CTL characters may appear in quoted values for RFC2109 V1 cookies
Product: Tomcat 8 Reporter: Jeremy Boynes <jboynes>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.x-trunk   
Target Milestone: ----   
Hardware: All   
OS: All   

Description Jeremy Boynes 2013-12-21 21:11:46 UTC 
If a V1 cookie contains a CTL character in a quoted value, no error is logged or raised. This differs from CTLs in unquoted values that result in an IllegalArgumentException and a 500 response.

Example:
Cookie: $Version=1; foo="b_BS_r"
where _BS_ is a BS character (0x08)

RFC2109 allows the value to be "quoted-string" which from RFC2616 may contain TEXT which must not contain CTLs.
Comment 1 Mark Thomas 2014-09-02 15:25:51 UTC 
The new RFC6265 cookie parser (that also includes a new RFC2109 parser)
correctly handles these values. I don't propose fixing the old parser.