You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Hendrik Helwich <h....@tarent.de> on 2008/07/25 12:29:03 UTC
Possibly found a bug in Tomcat
Hello tomcat developers,
i tried to integrate OpenSSO (https://opensso.dev.java.net/) with
liferay (http://www.liferay.com), which is a web-application which is
recommended to run in Tomcat 5.5.
It does not work and i found out, that it is a cookie problem.
In the request a cookie is send:
iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
But in the corresponding instance of javax.servlet.http.Cookie the value is:
AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
The end of the value is missing and it seems there is a bug in
Cookie-Parser.
I tried to figure it out by myself and followed the instructions on
http://tomcat.apache.org/tomcat-6.0-doc/building.html
to build tomcat, but i got an error while executing "ant download" (log
is appended).
My Java version is 1.6.0_01-b06.
Can you help or give me a hint?
Thanks
Hendrik
Re: Possibly found a bug in Tomcat
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
I believe you should be able to quote the value to put in invalid chars
in there
Filip
Hendrik Helwich wrote:
> Hello Filip,
>
> i think you are right, OpenSSO does create an invalid cookie.
> I first read the following:
>
> "This string is a sequence of characters excluding semi-colon, comma and
> white space. If there is a need to place such data in the name or value,
> some encoding method such as URL style %XX encoding is recommended,
> though no encoding is defined or required."
>
> on
> http://209.85.135.104/search?q=cache:W6VJIqv-__MJ:wp.netscape.com/newsref/std/cookie_spec.html
>
> but now i found the actual specification
> http://www.w3.org/Protocols/rfc2109/rfc2109
> and
> http://www.w3.org/Protocols/rfc2068/rfc2068
> which does not allow the following characters in the cookies value:
>
> tspecials = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
>
>
> Thanks,
>
> Hendrik
>
>
>
> Filip Hanik - Dev Lists schrieb:
>
>> that looks like an invalid cookie to me, = is a delimiter, so a proper
>> parser would end when it hits the 2nd =
>>
>> Filip
>>
>> Hendrik Helwich wrote:
>>
>>> Hello tomcat developers,
>>>
>>> i tried to integrate OpenSSO (https://opensso.dev.java.net/) with
>>> liferay (http://www.liferay.com), which is a web-application which is
>>> recommended to run in Tomcat 5.5.
>>> It does not work and i found out, that it is a cookie problem.
>>>
>>> In the request a cookie is send:
>>> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>>>
>>>
>>> But in the corresponding instance of javax.servlet.http.Cookie the
>>> value is:
>>> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>>>
>>> The end of the value is missing and it seems there is a bug in
>>> Cookie-Parser.
>>>
>>> I tried to figure it out by myself and followed the instructions on
>>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>> to build tomcat, but i got an error while executing "ant download" (log
>>> is appended).
>>> My Java version is 1.6.0_01-b06.
>>>
>>> Can you help or give me a hint?
>>>
>>> Thanks
>>> Hendrik
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibly found a bug in Tomcat
Posted by Hendrik Helwich <h....@tarent.de>.
Hello Filip,
i think you are right, OpenSSO does create an invalid cookie.
I first read the following:
"This string is a sequence of characters excluding semi-colon, comma and
white space. If there is a need to place such data in the name or value,
some encoding method such as URL style %XX encoding is recommended,
though no encoding is defined or required."
on
http://209.85.135.104/search?q=cache:W6VJIqv-__MJ:wp.netscape.com/newsref/std/cookie_spec.html
but now i found the actual specification
http://www.w3.org/Protocols/rfc2109/rfc2109
and
http://www.w3.org/Protocols/rfc2068/rfc2068
which does not allow the following characters in the cookies value:
tspecials = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT
Thanks,
Hendrik
Filip Hanik - Dev Lists schrieb:
> that looks like an invalid cookie to me, = is a delimiter, so a proper
> parser would end when it hits the 2nd =
>
> Filip
>
> Hendrik Helwich wrote:
>> Hello tomcat developers,
>>
>> i tried to integrate OpenSSO (https://opensso.dev.java.net/) with
>> liferay (http://www.liferay.com), which is a web-application which is
>> recommended to run in Tomcat 5.5.
>> It does not work and i found out, that it is a cookie problem.
>>
>> In the request a cookie is send:
>> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>>
>>
>> But in the corresponding instance of javax.servlet.http.Cookie the
>> value is:
>> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>>
>> The end of the value is missing and it seems there is a bug in
>> Cookie-Parser.
>>
>> I tried to figure it out by myself and followed the instructions on
>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>> to build tomcat, but i got an error while executing "ant download" (log
>> is appended).
>> My Java version is 1.6.0_01-b06.
>>
>> Can you help or give me a hint?
>>
>> Thanks
>> Hendrik
>>
>>
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Possibly found a bug in Tomcat
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
that looks like an invalid cookie to me, = is a delimiter, so a proper
parser would end when it hits the 2nd =
Filip
Hendrik Helwich wrote:
> Hello tomcat developers,
>
> i tried to integrate OpenSSO (https://opensso.dev.java.net/) with
> liferay (http://www.liferay.com), which is a web-application which is
> recommended to run in Tomcat 5.5.
> It does not work and i found out, that it is a cookie problem.
>
> In the request a cookie is send:
> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>
> But in the corresponding instance of javax.servlet.http.Cookie the value is:
> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>
> The end of the value is missing and it seems there is a bug in
> Cookie-Parser.
>
> I tried to figure it out by myself and followed the instructions on
> http://tomcat.apache.org/tomcat-6.0-doc/building.html
> to build tomcat, but i got an error while executing "ant download" (log
> is appended).
> My Java version is 1.6.0_01-b06.
>
> Can you help or give me a hint?
>
> Thanks
> Hendrik
>
>
> ------------------------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org