You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2020/06/09 20:26:23 UTC

[Bug 64509] New: Rfc6265CookieProcessor mishandles commas in $Version=1 cookie header

https://bz.apache.org/bugzilla/show_bug.cgi?id=64509

            Bug ID: 64509
           Summary: Rfc6265CookieProcessor mishandles commas in $Version=1
                    cookie header
           Product: Tomcat 9
           Version: 9.0.33
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: bill-apache@carpenter.org
  Target Milestone: -----

Created attachment 37299
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37299&action=edit
test code

(Tested in both 9.0.33 and 9.0.36, but 9.0.36 wasn't available in the drop-down
when I opened this bug report.)

Rfc6265CookieProcessor tries to accept a comma as a cookie pair separator for
$Version=1 cookie headers, but it gets it wrong. It also behave differently
from the legacy parser. For this Cookie: header value

 $Version=1;first=1,second=2;third=3;case=justCOMMA

the new parser loses cookies "first" and "second" (logs an invalid cookie
warning). The legacy parser does not.

Here is a small test program (also attached) that parses headers with both
processors. The test values include both "$Version=1" cookie headers and the
same with no version attribute. I believe the RFC-6265 parsing is not trying to
honor the comma, which is fair enough.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

package aside;

import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.ServerCookie;
import org.apache.tomcat.util.http.ServerCookies;

public class TC9CookieParsingTest {
  private static final String[] cookieHeaderValues = {
      "$Version=1;first=1;second=2;third=3;case=justSEMI",
      "first=1;second=2;third=3;case=justSEMI",
      "$Version=1;first=1,second=2;third=3;case=justCOMMA",
      "first=1,second=2;third=3;case=justCOMMA",
      "$Version=1;first=1,;second=2;third=3;case=COMMAthenSEMI",
      "first=1,;second=2;third=3;case=COMMAthenSEMI",
      "$Version=1;first=1;,second=2;third=3;case=SEMIthenCOMMA",
      "first=1;,second=2;third=3;case=SEMIthenCOMMA",
  };
  public static void main(String[] args) {
    for (final String cookieHeaderValue:
TC9CookieParsingTest.cookieHeaderValues) {
      TC9CookieParsingTest.parseWithRfc6265Parser(cookieHeaderValue);
      TC9CookieParsingTest.parseWithLegacyParser(cookieHeaderValue);
    }
  }

  private static void parseWithRfc6265Parser(final String cookieHeaderValue) {
    final MimeHeaders headers = new MimeHeaders();
    headers.addValue("Cookie").setString(cookieHeaderValue);
    final ServerCookies serverCookies = new ServerCookies(10);
    final Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
    processor.parseCookieHeader(headers, serverCookies);
    final int howMany = serverCookies.getCookieCount();
    System.out.println("\n====================\nRfc6265CookieProcessor 'Cookie:
" + cookieHeaderValue + "'");
    for (int ii=0; ii<howMany; ++ii) {
      final ServerCookie sc = serverCookies.getCookie(ii);
      System.out.println(ii + " cookie: '" + sc.getName() + "' = '" +
sc.getValue() + "'");
    }
  }

  private static void parseWithLegacyParser(final String cookieHeaderValue) {
    final MimeHeaders headers = new MimeHeaders();
    headers.addValue("Cookie").setString(cookieHeaderValue);
    final ServerCookies serverCookies = new ServerCookies(10);
    final LegacyCookieProcessor processor = new LegacyCookieProcessor();
    processor.parseCookieHeader(headers, serverCookies);
    final int howMany = serverCookies.getCookieCount();
    System.out.println("--------------------\nLegacyCookieProcessor 'Cookie: "
+ cookieHeaderValue + "'");
    for (int ii=0; ii<howMany; ++ii) {
      final ServerCookie sc = serverCookies.getCookie(ii);
      System.out.println(ii + " cookie: '" + sc.getName() + "' = '" +
sc.getValue() + "'");
    }
  }
}

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Here is the output from a run of the test program:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

====================
Rfc6265CookieProcessor 'Cookie:
$Version=1;first=1;second=2;third=3;case=justSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justSEMI'
--------------------
LegacyCookieProcessor 'Cookie:
$Version=1;first=1;second=2;third=3;case=justSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justSEMI'

====================
Rfc6265CookieProcessor 'Cookie: first=1;second=2;third=3;case=justSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justSEMI'
--------------------
LegacyCookieProcessor 'Cookie: first=1;second=2;third=3;case=justSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justSEMI'

====================
Rfc6265CookieProcessor 'Cookie:
$Version=1;first=1,second=2;third=3;case=justCOMMA'
0 cookie: 'third' = '3'
1 cookie: 'case' = 'justCOMMA'
--------------------
LegacyCookieProcessor 'Cookie:
$Version=1;first=1,second=2;third=3;case=justCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justCOMMA'

====================
Rfc6265CookieProcessor 'Cookie: first=1,second=2;third=3;case=justCOMMA'
0 cookie: 'third' = '3'
1 cookie: 'case' = 'justCOMMA'
--------------------
LegacyCookieProcessor 'Cookie: first=1,second=2;third=3;case=justCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'justCOMMA'

====================
Rfc6265CookieProcessor 'Cookie:
$Version=1;first=1,;second=2;third=3;case=COMMAthenSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'COMMAthenSEMI'
--------------------
LegacyCookieProcessor 'Cookie:
$Version=1;first=1,;second=2;third=3;case=COMMAthenSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'COMMAthenSEMI'

====================
Rfc6265CookieProcessor 'Cookie: first=1,;second=2;third=3;case=COMMAthenSEMI'
0 cookie: 'second' = '2'
1 cookie: 'third' = '3'
2 cookie: 'case' = 'COMMAthenSEMI'
--------------------
LegacyCookieProcessor 'Cookie: first=1,;second=2;third=3;case=COMMAthenSEMI'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'COMMAthenSEMI'

====================
Rfc6265CookieProcessor 'Cookie:
$Version=1;first=1;,second=2;third=3;case=SEMIthenCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'third' = '3'
2 cookie: 'case' = 'SEMIthenCOMMA'
--------------------
LegacyCookieProcessor 'Cookie:
$Version=1;first=1;,second=2;third=3;case=SEMIthenCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'SEMIthenCOMMA'

====================
Rfc6265CookieProcessor 'Cookie: first=1;,second=2;third=3;case=SEMIthenCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'third' = '3'
2 cookie: 'case' = 'SEMIthenCOMMA'
--------------------
LegacyCookieProcessor 'Cookie: first=1;,second=2;third=3;case=SEMIthenCOMMA'
0 cookie: 'first' = '1'
1 cookie: 'second' = '2'
2 cookie: 'third' = '3'
3 cookie: 'case' = 'SEMIthenCOMMA'

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I've had a quick look at the parser code. I suspect the problem lines in
org.apache.tomcat.util.http.parser.Cookie, near line 274:

            skipResult = skipByte(bb, COMMA_BYTE);
            if (skipResult == SkipResult.FOUND) {
                parseAttributes = false;
            }
            skipResult = skipByte(bb, SEMICOLON_BYTE);
            if (skipResult == SkipResult.EOF) {
                parseAttributes = false;
                moreToProcess = false;
            } else if (skipResult == SkipResult.NOT_FOUND) {
                skipInvalidCookie(bb);
                continue;
            }

Even though we've just found the COMMA_BYTE, it's still a failure if we don't
then fint the SEMICOLON_BYTE. I suspect that wanted to be an "else if", but
since the parser is kind of complicated I hesitate to claim that's a definitive
fix. It might break some other edge case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 64509] Rfc6265CookieProcessor mishandles commas in $Version=1 cookie header

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64509

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|9.0.33                      |9.0.36

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the reminder. I've added 9.0.36 to the list of versions and updated
the version for this issue. I'll look at the detail of the report next.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 64509] Rfc6265CookieProcessor mishandles commas in $Version=1 cookie header

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64509

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- master for 10.0.0-M7 onwards
- 9.0.x for 9.0.37 onwards
- 8.5.x for 8.5.57 onwards

7.0.x is not affected.

Thanks for the report. You were right about the location of the bug. There were
a couple of other places the same bug was present. I've fixed them an added a
parameterised test case that should test all combinations.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 64509] Rfc6265CookieProcessor mishandles commas in $Version=1 cookie header

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64509

--- Comment #3 from WJCarpenter <bi...@carpenter.org> ---
Thanks for the quick action on this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org