Bug 55918 - CTL characters may appear in quoted values for RFC2109 V1 cookies
CTL characters may appear in quoted values for RFC2109 V1 cookies
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
trunk
All All
: P2 normal (vote)
: ----
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2013-12-21 21:11 UTC by Jeremy Boynes
Modified: 2014-09-02 15:25 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Boynes 2013-12-21 21:11:46 UTC
If a V1 cookie contains a CTL character in a quoted value, no error is logged or raised. This differs from CTLs in unquoted values that result in an IllegalArgumentException and a 500 response.

Example:
Cookie: $Version=1; foo="b_BS_r"
where _BS_ is a BS character (0x08)

RFC2109 allows the value to be "quoted-string" which from RFC2616 may contain TEXT which must not contain CTLs.
Comment 1 Mark Thomas 2014-09-02 15:25:51 UTC
The new RFC6265 cookie parser (that also includes a new RFC2109 parser)
correctly handles these values. I don't propose fixing the old parser.