Bug 55975 - Inconsistent escaping applied to V0 cookie values
Inconsistent escaping applied to V0 cookie values
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
PC Mac OS X 10.4
: P2 normal (vote)
: ----
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2014-01-08 04:18 UTC by Jeremy Boynes
Modified: 2014-06-06 19:33 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Boynes 2014-01-08 04:18:10 UTC
If a V0 value contains a backslash or a dquote then it will be converted to a V1 cookie and transformed into a quoted-string. During that transformation checks are made for backslash and dquote characters but they are not escaped consistently.

If the value contains a dquote, then it will be escaped. For example, the value «a"b» results in
  Set-Cookie: foo="a\"b"; Version=1

If the value contains a backslash then it will not be escaped. For example, the value «a\b» results in
  Set-Cookie: foo="a\b"; Version=1
which means the backslash is then incorrectly escaping the "b" character.

If the value contains a dquote and a backslash, then the dquote will be escaped and the backslash will not so «a"b\c» results in
  Set-Cookie: foo="a\"b\c"; Version=1
Comment 1 Mark Thomas 2014-05-23 08:15:01 UTC
Fixed in 8.0.8 for 8.0.9 onwards.
Comment 2 Konstantin Kolinko 2014-06-06 15:54:09 UTC
In org.apache.tomcat.util.http.TestSetCookieSupportSeparatorsAllowed there are 3 tests that are marked with  @Ignore("bug 55975")

If I remove the @Ignore on them, 1 test passes, 2 tests fail.

One that passes:

Testcase: v1ValueContainsNonV0Separator took 0 sec

Two that fail:

Testcase: v1ValueContainsBackslashAndQuote took 0,008 sec
expected:<foo=["a\"b\\c"]; Version=1> but was:<foo=[a"b\c]; Version=1>

Testcase: v1ValueContainsBackslash took 0 sec
expected:<foo=["a\\b"]; Version=1> but was:<foo=[a\b]; Version=1>
Comment 3 Mark Thomas 2014-06-06 19:33:50 UTC
This is fixed. Those bug references were wrong.