Bug 57896 - Option to preserve original cookie header when unquoting cookie value
Option to preserve original cookie header when unquoting cookie value
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
PC All
: P2 minor (vote)
: default
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2015-05-07 12:05 UTC by Konstantin Kolinko
Modified: 2015-10-25 16:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2015-05-07 12:05:03 UTC
This issue was originally fixed by introducing a new configuration option in Tomcat 8 in r1448679 (for 8.0.0), backported to Tomcat 7 in r1675821 (for 7.0.62). It has not been fixed in Tomcat 6 yet.

I am filing this into Bugzilla to better document the problem.

The problem is that method "unescapeDoubleQuotes" modifies bytes in the buffer that it is processing
(The method is LegacyCookieProcessor.unescapeDoubleQuotes() in current Tomcat 8, ServerCookie.unescapeDoubleQuotes() in current Tomcat 7 and 6).

As such, the value of original "cookie" HTTP header is corrupted. It can be noted by calling request.getHeader("cookie") or by logging the header value in AccessLogValve.

Steps to reproduce with current Tomcat 6 (6.0.43), Firefox 37.0.2:

1. Configure an AccessLogValve to log incoming "cookie" and outgoing "set-cookie" HTTP headers.

That is, uncomment AccessLogValve in Host element of server.xml and set the following value for pattern attribute:

    pattern="%h %l %u %t "%r" %s %b [Cookie received: %{cookie}i] [Set-Cookie sent: %{set-cookie}o]"

2. Start Tomcat and open Servlets Examples -> Cookies  page in examples web application,


3. Fill the form to create a cookie and submit it:
Name: foo
Value: bar "baz"

4. Re-visit the Cookies example page, so that browser sends you the cookie that was created.

5. Look into access log file.

The logs look like the following: - - [07/May/2015:15:25:37 +0400] "GET /examples/servlets/servlet/CookieExample HTTP/1.1" 200 637 [Cookie received: -] [Set-Cookie sent: -] - - [07/May/2015:15:28:24 +0400] "POST /examples/servlets/servlet/CookieExample HTTP/1.1" 200 809 [Cookie received: -] [Set-Cookie sent: foo="bar \"baz\""; Version=1] - - [07/May/2015:15:28:42 +0400] "GET /examples/servlets/servlet/CookieExample HTTP/1.1" 200 714 [Cookie received: foo="bar "baz"\""] [Set-Cookie sent: -]

Actual value:
[Cookie received: foo="bar "baz"\""]
Expected value:
[Cookie received: foo="bar \"baz\""]

1. This happens only with unquoting of '"' character. No other character are unquoted by unescapeDoubleQuotes() method.

2. Current specification of cookies (RFC6265) defines that cookie values cannot contain double quote and backslash characters. A well-behaving web application should not create cookies whose values contain such characters.

 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

3. The fix introduced new system property,

It defaults to 'false'. By default you have to opt-in for this fix by setting that property to 'true'.

When running in "strict servlet compliance" mode, that setting defaults to 'true' and the fix is enabled.

The new Rfc6265CookieProcessor implementation of CookieProcessor that is available as an opt-in feature in Tomcat 8 does not have this bug and is not affected by that configuration option.
Comment 1 Konstantin Kolinko 2015-05-07 13:12:55 UTC
Documentation updated in Tomcat 9/8/7 (r1678174 / r1678178 / r1678180) and will be in 7.0.62, 8.0.23.

Backport proposed for Tomcat 6.
Comment 2 Konstantin Kolinko 2015-10-25 16:05:17 UTC
Implemented in Tomcat 6 by r1710457 and will be in 6.0.45.