Bug 64471 - Rfc6265CookieProcessor doesn't consider IPv6
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: 9.0.35
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2020-05-27 02:41 UTC by quaff
Modified: 2020-05-28 13:37 UTC (History)
Attachments
Chrome DevTools (91.85 KB, image/jpeg)
2020-05-28 00:19 UTC, quaff
Description quaff 2020-05-27 02:41:35 UTC
Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setDomain("[::1]");
response.addCookie(cookie);


java.lang.IllegalArgumentException: An invalid domain [[::1]] was specified for this cookie
	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:213) ~[tomcat-coyote.jar:9.0.35]
	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:153) ~[tomcat-coyote.jar:9.0.35]
	at org.apache.catalina.connector.Response.generateCookieString(Response.java:974) ~[catalina.jar:9.0.35]
	at org.apache.catalina.connector.Response.addCookie(Response.java:926) ~[catalina.jar:9.0.35]
	at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:385) ~[catalina.jar:9.0.35]
Comment 1 quaff 2020-05-27 03:51:33 UTC
https://tools.ietf.org/html/rfc2732 defines 

host          = hostname | IPv4address | IPv6reference
ipv6reference = "[" IPv6address "]"
Comment 2 Mark Thomas 2020-05-27 07:56:50 UTC
Please see RFC 6265 for allowed values of the domain attribute.
Comment 3 Christopher Schultz 2020-05-27 14:08:46 UTC
(In reply to Mark Thomas from comment #2)
> Please see RFC 6265 for allowed values of the domain attribute.

There is a path to requesting IPv6, here:

https://tools.ietf.org/html/rfc6265#section-4.1.1 ("Syntax"):

"
 domain-value      = <subdomain>
                       ; defined in [RFC1034], Section 3.5, as
                       ; enhanced by [RFC1123], Section 2.1
"

https://tools.ietf.org/html/rfc1123#section-2.1 ("Host Names and Numbers"):

"
      Whenever a user inputs the identity of an Internet host, it SHOULD
      be possible to enter either (1) a host domain name or (2) an IP
      address in dotted-decimal ("#.#.#.#") form.  The host SHOULD check
      the string syntactically for a dotted-decimal number before
      looking it up in the Domain Name System.

"

This section does specify "user" as the source of the hostname, but since the user gets to choose the name they type into the browser, and therefore the "name of the host" they are contacting, an IP address seems like it should be legal.

Entering localhost or 127.0.0.1 as the hostname should work (and Tomcat seems to handle this, because the IP address matches [a-zA-z0-9]+(\.[a-zA-z0-9]+)*). So I think maybe IPv6 should be allowed as well, no?
Comment 4 quaff 2020-05-28 00:19:00 UTC
Created attachment 37270
Chrome DevTools

Chrome supports [::1] as cookie domain.
Comment 5 Mark Thomas 2020-05-28 09:43:52 UTC
See section 5.1.3 of RFC 6265. It explicitly states that an IP address can not match a domain string.
Comment 6 Julian Reschke 2020-05-28 13:13:45 UTC
FWIW, if there's something unclear about RFC 6265, or if it doesn't describe browser behavior correctly, this should be raised at https://github.com/httpwg/http-extensions/labels/6265bis
Comment 7 Christopher Schultz 2020-05-28 13:37:05 UTC
(In reply to Mark Thomas from comment #5)
> See section 5.1.3 of RFC 6265. It explicitly states that an IP address can
> not match a domain string.

+1

Thanks for the specific reference.
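
A sketch of the domain-match rule from RFC 6265 section 5.1.3 cited in comment 5, as an added example that is not part of the original thread and is not Tomcat's code. The class and method names are hypothetical, and the request host is assumed to be passed without a port; a null result means the cookie should be sent host-only, with no setDomain() call, so validateDomain() is never reached for a host such as [::1].

```java
import java.util.Locale;
import java.util.regex.Pattern;

public class CookieDomainCheck {
    // Dotted-decimal IPv4 form; enough to tell an address from a host name.
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** True for IPv4 dotted-decimal and for IPv6 literals, bracketed or not. */
    static boolean isIpLiteral(String host) {
        // A DNS host name never contains ':' or '[', so either marks an IPv6 literal.
        // Assumption: the caller has already stripped any ":port" suffix.
        return host.indexOf(':') >= 0 || host.startsWith("[") || IPV4.matcher(host).matches();
    }

    /** RFC 6265 section 5.1.3: does the request host domain-match the domain string? */
    static boolean domainMatches(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (d.isEmpty()) return false;
        if (h.equals(d)) return true; // identical strings
        // Suffix rule: only for host names, and only on a label boundary.
        return !isIpLiteral(h) && h.endsWith("." + d);
    }

    /** Domain attribute to send, or null to send a host-only cookie. */
    static String domainAttributeFor(String requestHost, String wantedDomain) {
        if (wantedDomain == null || isIpLiteral(requestHost) || isIpLiteral(wantedDomain)) {
            return null; // never put an address in the Domain attribute
        }
        return domainMatches(requestHost, wantedDomain) ? wantedDomain : null;
    }

    public static void main(String[] args) {
        // Constructed request-host / wanted-domain pairs.
        String[][] cases = {
            {"app.example.com", "example.com"}, // host name under the wanted domain
            {"badexample.com", "example.com"},  // suffix but not on a label boundary
            {"[::1]", "[::1]"},                 // the value from the description
            {"127.0.0.1", "0.0.1"},             // address suffix must not be accepted
        };
        for (String[] c : cases) {
            System.out.printf("host=%s wanted=%s -> Domain=%s%n",
                    c[0], c[1], domainAttributeFor(c[0], c[1]));
        }
    }
}
```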