Bug 55918 - CTL characters may appear in quoted values for RFC2109 V1 cookies
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.0.x-trunk
Hardware: All All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2013-12-21 21:11 UTC by Jeremy Boynes
Modified: 2014-09-02 15:25 UTC

Description Jeremy Boynes 2013-12-21 21:11:46 UTC
If a V1 cookie contains a CTL character in a quoted value, no error is logged or raised. This differs from CTLs in unquoted values that result in an IllegalArgumentException and a 500 response.

Example:
Cookie: $Version=1; foo="b_BS_r"
where _BS_ is a BS character (0x08)

RFC2109 allows the value to be "quoted-string" which from RFC2616 may contain TEXT which must not contain CTLs.
Comment 1 Mark Thomas 2014-09-02 15:25:51 UTC
The new RFC6265 cookie parser (that also includes a new RFC2109 parser)
correctly handles these values. I don't propose fixing the old parser.
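
As an added illustration (not Tomcat's parser and not code from either commenter), the sketch below applies the same CTL rejection to quoted and unquoted cookie values, which is the consistency the report asks for. The class and method names are hypothetical and the sample headers are constructed from the report's example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Tomcat source; class and method names are hypothetical.
public class QuotedCookieValueCheck {
    // RFC 2616 CTL: octets 0-31 and DEL (127). HT is let through because TEXT permits LWS.
    static boolean isCtl(char c) {
        return (c < 0x20 && c != '\t') || c == 0x7f;
    }
    // Parses name=value pairs from a Cookie header. A CTL is rejected in quoted
    // and unquoted values alike, so both forms fail the same way.
    static Map<String, String> parse(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            if (header.charAt(i) == ' ' || header.charAt(i) == ';') { i++; continue; }
            int eq = header.indexOf('=', i);
            if (eq < 0) throw new IllegalArgumentException("missing '=' after index " + i);
            String name = header.substring(i, eq).trim();
            StringBuilder value = new StringBuilder();
            i = eq + 1;
            boolean quoted = i < n && header.charAt(i) == '"';
            if (quoted) i++;
            boolean closed = !quoted;
            while (i < n) {
                char c = header.charAt(i);
                if (!quoted && c == ';') break;
                i++;
                if (quoted && c == '"') { closed = true; break; }
                // quoted-pair: unescape, then still apply the CTL check (stricter than RFC 2616)
                if (quoted && c == '\\' && i < n) c = header.charAt(i++);
                if (isCtl(c)) throw new IllegalArgumentException(
                        String.format("CTL 0x%02x in value of cookie '%s'", (int) c, name));
                value.append(c);
            }
            if (!closed) throw new IllegalArgumentException("unterminated quoted value for " + name);
            cookies.put(name, quoted ? value.toString() : value.toString().trim());
        }
        return cookies;
    }
    public static void main(String[] args) {
        // Constructed sample headers; \b is the BS character (0x08) from the report.
        String[] samples = { "$Version=1; foo=\"bar\"", "$Version=1; foo=\"b\br\"", "$Version=1; foo=b\br" };
        for (String h : samples) {
            try { System.out.println("accepted: " + parse(h)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The first sample is accepted; the second and third are rejected with the same exception type, whether or not the value is quoted.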