Posted to dev@tomcat.apache.org by Hendrik Helwich <h....@tarent.de> on 2008/07/25 12:29:03 UTC

Possibly found a bug in Tomcat

Hello Tomcat developers,

I tried to integrate OpenSSO (https://opensso.dev.java.net/) with
Liferay (http://www.liferay.com), which is a web-application which is
recommended to run in Tomcat 5.5.
It does not work and I found out that it is a cookie problem.

In the request a cookie is sent:
iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;

But in the corresponding instance of javax.servlet.http.Cookie the value is:
AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0

The end of the value is missing and it seems there is a bug in
Cookie-Parser.

I tried to figure it out by myself and followed the instructions on
http://tomcat.apache.org/tomcat-6.0-doc/building.html
to build Tomcat, but I got an error while executing "ant download" (log
is appended).
My Java version is 1.6.0_01-b06.

Can you help or give me a hint?

Thanks
Hendrik


Re: Possibly found a bug in Tomcat

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
I believe you should be able to quote the value to put invalid chars
in there.

Filip

Hendrik Helwich wrote:
> Hello Filip,
>
> I think you are right, OpenSSO does create an invalid cookie.
> I first read the following:
>
> "This string is a sequence of characters excluding semi-colon, comma and
> white space. If there is a need to place such data in the name or value,
> some encoding method such as URL style %XX encoding is recommended,
> though no encoding is defined or required."
>
> on
> http://209.85.135.104/search?q=cache:W6VJIqv-__MJ:wp.netscape.com/newsref/std/cookie_spec.html
>
> but now I found the actual specification
> http://www.w3.org/Protocols/rfc2109/rfc2109
> and
> http://www.w3.org/Protocols/rfc2068/rfc2068
> which does not allow the following characters in the cookie's value:
>
>           tspecials      = "(" | ")" | "<" | ">" | "@"
>                          | "," | ";" | ":" | "\" | <">
>                          | "/" | "[" | "]" | "?" | "="
>                          | "{" | "}" | SP | HT
>
>
> Thanks,
>
> Hendrik
>
>
>
> Filip Hanik - Dev Lists wrote:
>
>> That looks like an invalid cookie to me; = is a delimiter, so a proper
>> parser would end when it hits the 2nd =
>>
>> Filip
>>
>> Hendrik Helwich wrote:
>>     
>>> Hello Tomcat developers,
>>>
>>> I tried to integrate OpenSSO (https://opensso.dev.java.net/) with
>>> Liferay (http://www.liferay.com), which is a web-application which is
>>> recommended to run in Tomcat 5.5.
>>> It does not work and I found out that it is a cookie problem.
>>>
>>> In the request a cookie is sent:
>>> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>>>
>>>
>>> But in the corresponding instance of javax.servlet.http.Cookie the
>>> value is:
>>> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>>>
>>> The end of the value is missing and it seems there is a bug in
>>> Cookie-Parser.
>>>
>>> I tried to figure it out by myself and followed the instructions on
>>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>> to build Tomcat, but I got an error while executing "ant download" (log
>>> is appended).
>>> My Java version is 1.6.0_01-b06.
>>>
>>> Can you help or give me a hint?
>>>
>>> Thanks
>>> Hendrik
>>>
>>>  
>>> ------------------------------------------------------------------------
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>       


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
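
The truncation reported in this thread and the quoting suggestion above, as an added example that is not part of the original messages and is not Tomcat's code: a small Python parser that follows the RFC 2068 token and quoted-string grammar, run on the cookie value from the report. The function names are assumptions made for this illustration.

```python
# Added example, not Tomcat code: RFC 2068 token / quoted-string rules
# applied to the cookie value from this thread.
# tspecials from RFC 2068 as quoted in the thread (SP and HT included).
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def is_token_char(ch):
    """token = 1*<any CHAR except CTLs or tspecials>."""
    return 32 < ord(ch) < 127 and ch not in TSPECIALS


def parse_value(raw):
    """Parse one VALUE (token | quoted-string); return (value, rest)."""
    if raw.startswith('"'):
        out, i = [], 1
        while i < len(raw):
            ch = raw[i]
            if ch == '\\' and i + 1 < len(raw):  # quoted-pair
                out.append(raw[i + 1])
                i += 2
            elif ch == '"':  # closing quote ends the value
                return ''.join(out), raw[i + 1:]
            else:
                out.append(ch)
                i += 1
        raise ValueError('unterminated quoted-string')
    i = 0
    while i < len(raw) and is_token_char(raw[i]):
        i += 1
    return raw[:i], raw[i:]  # a bare token stops at the first tspecial


def quote_value(value):
    """Wrap value as a quoted-string, escaping backslash and quote."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def offending_chars(value):
    """List (index, char) pairs that are not allowed in a bare token."""
    return [(i, c) for i, c in enumerate(value) if not is_token_char(c)]


# Cookie value exactly as sent in the request quoted in the thread.
SENT = 'AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#'

if __name__ == '__main__':
    print(parse_value(SENT))              # bare value: cut at the first "="
    print(offending_chars(SENT))          # the characters that need quoting
    print(parse_value(quote_value(SENT)))  # quoted value survives intact
```

Parsed as a bare token, the value stops at the same point as the javax.servlet.http.Cookie value shown in the report; wrapped as a quoted-string it is returned whole.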


Re: Possibly found a bug in Tomcat

Posted by Hendrik Helwich <h....@tarent.de>.
Hello Filip,

I think you are right, OpenSSO does create an invalid cookie.
I first read the following:

"This string is a sequence of characters excluding semi-colon, comma and
white space. If there is a need to place such data in the name or value,
some encoding method such as URL style %XX encoding is recommended,
though no encoding is defined or required."

on
http://209.85.135.104/search?q=cache:W6VJIqv-__MJ:wp.netscape.com/newsref/std/cookie_spec.html

but now I found the actual specification
http://www.w3.org/Protocols/rfc2109/rfc2109
and
http://www.w3.org/Protocols/rfc2068/rfc2068
which does not allow the following characters in the cookie's value:

          tspecials      = "(" | ")" | "<" | ">" | "@"
                         | "," | ";" | ":" | "\" | <">
                         | "/" | "[" | "]" | "?" | "="
                         | "{" | "}" | SP | HT


Thanks,

Hendrik



Filip Hanik - Dev Lists wrote:
> That looks like an invalid cookie to me; = is a delimiter, so a proper
> parser would end when it hits the 2nd =
>
> Filip
>
> Hendrik Helwich wrote:
>> Hello Tomcat developers,
>>
>> I tried to integrate OpenSSO (https://opensso.dev.java.net/) with
>> Liferay (http://www.liferay.com), which is a web-application which is
>> recommended to run in Tomcat 5.5.
>> It does not work and I found out that it is a cookie problem.
>>
>> In the request a cookie is sent:
>> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>>
>>
>> But in the corresponding instance of javax.servlet.http.Cookie the
>> value is:
>> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>>
>> The end of the value is missing and it seems there is a bug in
>> Cookie-Parser.
>>
>> I tried to figure it out by myself and followed the instructions on
>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>> to build Tomcat, but I got an error while executing "ant download" (log
>> is appended).
>> My Java version is 1.6.0_01-b06.
>>
>> Can you help or give me a hint?
>>
>> Thanks
>> Hendrik
>>
>>  




Re: Possibly found a bug in Tomcat

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
That looks like an invalid cookie to me; = is a delimiter, so a proper
parser would end when it hits the 2nd =

Filip

Hendrik Helwich wrote:
> Hello Tomcat developers,
>
> I tried to integrate OpenSSO (https://opensso.dev.java.net/) with
> Liferay (http://www.liferay.com), which is a web-application which is
> recommended to run in Tomcat 5.5.
> It does not work and I found out that it is a cookie problem.
>
> In the request a cookie is sent:
> iPlanetDirectoryPro=AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0=@AAJTSQACMDE=#;
>
> But in the corresponding instance of javax.servlet.http.Cookie the value is:
> AQIC5wM2LY4SfcyGIL7gS99bMIQ5i2cP7jYw2bFMCztKUw0
>
> The end of the value is missing and it seems there is a bug in
> Cookie-Parser.
>
> I tried to figure it out by myself and followed the instructions on
> http://tomcat.apache.org/tomcat-6.0-doc/building.html
> to build Tomcat, but I got an error while executing "ant download" (log
> is appended).
> My Java version is 1.6.0_01-b06.
>
> Can you help or give me a hint?
>
> Thanks
> Hendrik
>
>   