Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/04/30 23:58:59 UTC

DO NOT REPLY [Bug 51138] New: Cookies with colons in the cookie value are read incorrectly

https://issues.apache.org/bugzilla/show_bug.cgi?id=51138

             Bug #: 51138
           Summary: Cookies with colons in the cookie value are read
                    incorrectly
           Product: Tomcat 7
           Version: 7.0.12
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: jelmer@jteam.nl
    Classification: Unclassified


In my browser I have a cookie with the following name and value

name  : _mkto_trk
value : id:096-SLE-656&token:_mch-localhost-1304194663326-22461

When I try to read this cookie via HttpServletRequest.getCookies() I will
find the cookie, but its value will be id instead of
id:096-SLE-656&token:_mch-localhost-1304194663326-22461

This is incorrect.

This issue seems to have been previously raised on the tomcat-user mailing list

http://old.nabble.com/Issue-reading-a-cookie-having-a-colon-in-the-value-.-Is-this-a-bug-in-Tomcat-6.0.32---td30876300.html

Where Tomcat committer Christopher Schultz blamed the issue on broken user
agents, citing portions of the rfc2965 spec. While that is in fact true, no
major browser besides Opera ever implemented RFC 2965 (see also the discussion
at https://bugzilla.mozilla.org/show_bug.cgi?id=610218#c11).

The following draft most accurately describes the current status quo:

http://tools.ietf.org/html/draft-ietf-httpstate-cookie-23

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
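
The two readings of a Cookie header that this report and the later comments argue over, written here as an added example (not Tomcat's code and not posted by anyone in the thread): a strict RFC 2616 token reading that stops at the first separator character, beside an RFC 6265 cookie-octet reading that accepts the reporter's value. The Cookie header is constructed from the _mkto_trk cookie in the report; the JSESSIONID pair is a hypothetical addition.

```python
import re

# RFC 2616 section 2.2: a "token" may not contain any of these separators.
# A parser that treats an unquoted cookie value as a token stops at the first one.
RFC2616_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# RFC 6265 section 4.1.1 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. printable US-ASCII except CTLs, space, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTET_RE = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')

# Constructed Cookie request header: the _mkto_trk cookie from the bug report plus a
# hypothetical JSESSIONID cookie to show that ';' still separates the pairs.
SAMPLE_COOKIE_HEADER = ("_mkto_trk=id:096-SLE-656&token:_mch-localhost-1304194663326-22461"
                        "; JSESSIONID=ABC123")


def _split_pairs(header):
    """Yield (name, raw_value) for each 'name=value' pair in a Cookie header."""
    for pair in header.split(';'):
        if '=' in pair:
            name, value = pair.strip().split('=', 1)
            yield name.strip(), value.strip()


def parse_token_style(header):
    """Strict RFC 2616 reading: an unquoted value ends at the first separator,
    which is why the reporter sees 'id' instead of the full value."""
    cookies = {}
    for name, value in _split_pairs(header):
        kept = ''
        for ch in value:
            if ch in RFC2616_SEPARATORS:
                break
            kept += ch
        cookies[name] = kept
    return cookies


def parse_rfc6265_style(header):
    """RFC 6265 reading: the value runs to the next ';' and may be quoted;
    a value containing a non-cookie-octet is recorded as None (malformed)."""
    cookies = {}
    for name, value in _split_pairs(header):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value if is_valid_cookie_octet_value(value) else None
    return cookies


def is_valid_cookie_octet_value(value):
    """True when value consists only of cookie-octets; checking this before a
    value goes into Set-Cookie avoids values a stricter parser would truncate."""
    return COOKIE_OCTET_RE.fullmatch(value) is not None
```

Even under the RFC 6265 grammar, '"', ';', ',', backslash and whitespace remain invalid in a value, so the check is most useful on the emitting side.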


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #7 from Jelmer Kuperus <je...@jteam.nl> 2011-05-02 21:32:56 UTC ---
Mark, maybe you should read up on the spec. It was actually written to bring
the standard in line with actual practices. So in that sense it has 100%
adoption.

As far as I can tell the servlet spec does not specify how to interpret cookies
sent by the client. It only specifies in which format the cookies can be sent
to the client. And in fact it is not based on rfc2109; it recommends using the
Netscape spec because "RFC 2109 is still somewhat new, consider version 1 as
experimental; do not use it yet on production sites."

So I don't see how resolving this bug would break compatibility with the servlet
spec.

So yes, it breaks compatibility with rfc2616, but since you are already not
compatible with it for good reasons, I do not see why this is a big deal.

Disallowing = in the Authentication header would break basic authentication in
most if not all browsers.

Disallowing colons, pipes etc. in cookie values breaks cookie handling for
lots of cookies in most if not all browsers.

To me it's the exact same thing.


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #6 from Mark Thomas <ma...@apache.org> 2011-05-02 16:10:51 UTC ---
That is a fair point. A similar argument can be made around the use of ":" etc.
in date headers although those are single value headers so parsing them is
simpler and separators won't cause complications like they can in cookie
headers.

rfc6265 is still a draft, but then again so is rfc2616. What really matters
with these specifications - and particularly the cookie specs given the minimal
adoption of rfc2965 and the selective implementation of rfc2109 - is adoption.

The Servlet 3 spec doesn't even mention rfc2965 (not necessarily a bad thing).
If you want the Servlet spec to support rfc6265 then you'll need to lobby the
Servlet Expert Group.

I wouldn't be against supporting rfc6265 but there are several issues of
concern:
- I would want to look hard at the various security issues that led to Tomcat
tightening up compliance with the cookie specifications to assure myself that
implementing rfc6265 was secure
- browser (specifically IE) interoperability with rfc6265
- backwards compatibility with applications that expect rfc2109 compliant
cookie headers

Regardless of all of the above, the Tomcat 7 implementation based on rfc2109 as
per the Servlet 3.0 specification is not going to change.


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-05-01 09:39:54 UTC ---
Colons in cookie values are invalid as per rfc2109, rfc2068, rfc2965, rfc2616
and the Servlet specification.

A superficial reading of the v0 cookie specification suggests colons would be
allowed; however, colons are not permitted since that would be a breach of
rfc2068 / rfc2616.

If http://tools.ietf.org/html/draft-ietf-httpstate-cookie-23 were approved and
referenced by a future version of the Servlet specification, the colon character
would still be invalid in unquoted cookie values.

*** This bug has been marked as a duplicate of bug 48409 ***


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #4 from Mark Thomas <ma...@apache.org> 2011-05-01 18:08:02 UTC ---
The valid forms for HTTP headers are described in rfc2616. Unquoted colons are
not permitted. Regardless of what rfc6265 may say, it is still defining HTTP
headers and therefore must conform to the HTTP spec.


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #2 from Jelmer Kuperus <je...@jteam.nl> 2011-05-01 10:10:26 UTC ---
Created attachment 26946
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=26946
testcase


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #3 from Jelmer Kuperus <je...@jteam.nl> 2011-05-01 10:58:58 UTC ---
Mark, actually the document I referenced is no longer a draft. It's now an RFC:

http://www.rfc-editor.org/rfc/rfc6265.txt

and obsoletes RFC2965, which obsoletes RFC2109, which obsoletes "version 0".

You mention that if this spec was approved it would still be invalid to use a
colon in an unquoted value. Could you point out the section in that spec that
explains this? I've been going over it but cannot seem to find it.
In rfc2965 a reference is made to the token field from the HTTP spec, in which
delimiter characters are explicitly disallowed, but rfc6265 uses a cookie-octet
field.

Do you believe that supporting rfc6265 means not conforming to the servlet
specification? I've been looking into it and it seems to only mention RFC2109
and "version 0" as two possible ways to format cookies sent to the client.
I don't believe it mentions how cookies sent by the client should be
interpreted.


DO NOT REPLY [Bug 51138] Cookies with colons in the cookie value are read incorrectly

--- Comment #5 from Jelmer Kuperus <je...@jteam.nl> 2011-05-02 14:58:12 UTC ---
Fine, but then why is an Authorization header with a base64-encoded username and
password allowed in Tomcat?
Base64 strings end with ==, and = is also a separator character per rfc2616.
