| Summary: | Quotes should not be removed from quoted cookie values | | |
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Jeremy Boynes <jboynes> |
| Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | | |
| Priority: | P2 | | |
| Version: | 8.0.x-trunk | | |
| Target Milestone: | ---- | | |
| Hardware: | All | | |
| OS: | All | | |

Description
Jeremy Boynes
2013-12-22 21:19:21 UTC
As an example, a cookie with value «"value"» (I'm using angled quotes in this comment for clarity) that is set using:

    Cookie cookie = new Cookie("test", "\"value\"");
    response.addCookie(cookie);

will correctly set a cookie in the browser with the value «"value"» that will then be returned to the server. However, when the value is retrieved using getCookies() and getValue() the string returned is just «value».

However, if the value supplied is «a"b» then the value set in the browser becomes «"a\"b"» which does not match the value set. This will be returned to servers using the header:

    Cookie:test="x\"y"

Tomcat removes the leading and trailing quotes, resulting in a self-consistent round trip, but other servers that treat this correctly as a V0 header will include those quotes in the value, resulting in inconsistency.

Fixed if using the Rfc6265CookieProcessor. I do not propose changing the LegacyCookieProcessor due to the risk of triggering regression issues for applications that rely on Tomcat's current behaviour.
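
The round trip described in this report, as an added example (not Tomcat's code and not part of the original report). The class and method names are hypothetical, the write rule is modelled only on the two cases the report gives, and the unescaping in `legacyRead` is an assumption needed for the self-consistent round trip it mentions.

```java
// Simplified model of the round trip described in this report; not Tomcat source.
public class CookieQuoteRoundTrip {

    static boolean isQuoted(String s) {
        return s.length() >= 2 && s.startsWith("\"") && s.endsWith("\"");
    }

    // Assumed legacy-style write: a value that is already quoted goes out
    // unchanged; a value containing '"' is wrapped in quotes and escaped.
    static String legacyWrite(String value) {
        if (isQuoted(value) || value.indexOf('"') < 0) {
            return value;
        }
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    // Assumed legacy-style read: strip the surrounding quotes and undo the
    // backslash escapes (the unescaping is an assumption, see lead-in).
    static String legacyRead(String raw) {
        if (!isQuoted(raw)) {
            return raw;
        }
        StringBuilder out = new StringBuilder();
        int end = raw.length() - 1;
        for (int i = 1; i < end; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < end) {
                c = raw.charAt(++i); // take the escaped character literally
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: the two cases from the report.
        String[] constructed = {"\"value\"", "a\"b"};
        for (String set : constructed) {
            String wire = legacyWrite(set);     // what the browser stores and returns
            String stripped = legacyRead(wire); // reader that removes the quotes
            String verbatim = wire;             // reader that keeps the quotes in the value
            System.out.printf("set=[%s]  header: Cookie: test=%s%n", set, wire);
            System.out.printf("  quotes stripped: [%s]  equals set value: %b%n",
                    stripped, stripped.equals(set));
            System.out.printf("  quotes kept:     [%s]  equals set value: %b%n",
                    verbatim, verbatim.equals(set));
        }
    }
}
```

For the first value only the reader that keeps the quotes returns what the application set; for the second only the quote-stripping reader does, which is the cross-server inconsistency the report describes.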