You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/12/22 22:47:12 UTC
[Bug 55921] New: Cookie values in JSON format are not skipped
correctly when parsing fails
https://issues.apache.org/bugzilla/show_bug.cgi?id=55921
Bug ID: 55921
Summary: Cookie values in JSON format are not skipped correctly
when parsing fails
Product: Tomcat 8
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: jboynes@apache.org
Some 3P websites appear to set cookie values using unencoded JSON data; as an
example, the fsr.s cookie set by a certain tracking site. This is invalid per
all cookie specifications due to the use of unescaped "," characters in the
data.
When parsing these values, Tomcat treats the data as a token, determines it is
invalid due to the presence of a "{" character, and attempts to skip to the
next token. However, it determines this boundary by the presence of the ","
character in the middle of the JSON blob and then proceeds to parse the next
cookie starting in the middle of this data. This may result in erroneous
cookies being added.
RFC6265 requires and Netscape suggests that cookie-pairs be separated by the
sequence ";" SP so rather than looking for a single separator character the
recovery mechanism could look for one followed by a SP. However, this would not
recover if the JSON data contained SP characters as JSON permits.
Alternatively, we could assume that a value starting with "{" was JSON encoded
data and parse the value as such. This would be gated by a configuration
option.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 55921] Cookie values in JSON format are not skipped correctly
when parsing fails
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55921
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
The new RFC6265 cookie parser (that also includes a new RFC2109 parser)
correctly handles these values. I don't propose fixing the old parser.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 55921] Cookie values in JSON format are not skipped correctly
when parsing fails
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55921
--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
I'm pretty sure that an otherwise unencoded JSON value should be quoted when
used in an HTTP header value. Tomcat might handle these cases in a more elegant
way (e.g. not choking on the 'stray" comma), but I don't think Tomcat should go
out of its way to read these kinds of cookies.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org