Bug 55921 - Cookie values in JSON format are not skipped correctly when parsing fails
Summary: Cookie values in JSON format are not skipped correctly when parsing fails
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.0.x-trunk
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2013-12-22 21:47 UTC by Jeremy Boynes
Modified: 2014-09-02 15:40 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Boynes 2013-12-22 21:47:12 UTC
Some 3P websites appear to set cookie values using unencoded JSON data; as an example, the fsr.s cookie set by a certain tracking site. This is invalid per all cookie specifications due to the use of unescaped "," characters in the data.

When parsing these values, Tomcat treats the data as a token, determines it is invalid due to the presence of a "{" character, and attempts to skip to the next token. However, it determines this boundary by the presence of the "," character in the middle of the JSON blob and then proceeds to parse the next cookie starting in the middle of this data. This may result in erroneous cookies being added.

RFC6265 requires and Netscape suggests that cookie-pairs be separated by the sequence ";" SP so rather than looking for a single separator character the recovery mechanism could look for one followed by a SP. However, this would not recover if the JSON data contained SP characters as JSON permits.

Alternatively, we could assume that a value starting with "{" was JSON encoded data and parse the value as such. This would be gated by a configuration option.
Comment 1 Christopher Schultz 2013-12-23 13:46:43 UTC
I'm pretty sure that an otherwise unencoded JSON value should be quoted when used in an HTTP header value. Tomcat might handle these cases in a more elegant way (e.g. not choking on the 'stray" comma), but I don't think Tomcat should go out of its way to read these kinds of cookies.
Comment 2 Mark Thomas 2014-09-02 15:40:27 UTC
The new RFC6265 cookie parser (that also includes a new RFC2109 parser)
correctly handles these values. I don't propose fixing the old parser.