You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/02/28 16:52:43 UTC
[Bug 60788] New: Cookies value contains quotes when the Cookie
header contains $Version=1 and the header's value is enclosed by quotes
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Bug ID: 60788
Summary: Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed
by quotes
Product: Tomcat 8
Version: 8.5.11
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: markus@malkusch.de
Target Milestone: ----
Under some rare circumstances it looks like Tomcat-8 is keeping quotes around
Cookie values where it shouldn't. It seems to be associated to the presence of
a $Version=1 token in the request's Cookie header. I noticed this behaviour in
a real world application's log with the following request:
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; A2 Build/LMY47I)
Cookie: $Version="1"; userId="foo";$Path="/";$Domain="www.example.org"
My application would read "foo" (including quotes) were it it actually should
be foo without quotes.
Skimming through RFCs 2109, 2965 and 6265 a value may be enclosed with quotes.
But I'm no expert on this, I just skimmed through the RFCs by looking at the
production rules and searching for the term "quote" to see if there are any
exeptions. For me, this request looks valid and the parsed Cookie value should
not contain quotes.
I created this SSCCE where the tests demonstrate the issue:
https://github.com/spring-projects/spring-boot-issues/pull/63/files
In the tests you can see that it only keeps quotes if the request contains a
$Version=1 token. Without that token, quotes are removed.
As you can see it's a Spring Boot application, but digging through the code, I
couldn't find any Cookie parsing code in Spring. They use the servlet API,
which is effectivly provided by an embedded Tomcat-8.5.11.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #4 from Markus Malkusch <ma...@malkusch.de> ---
Actually I also don't think Spring is messing around with Cookie parsing, but
something is. The test cases are fine. I double checked by comparing Tomcat's
log on the receiver side. Tomcat receives the Cookie header as sent by the test
cases. I'll start the debugger and come back when I found the cause.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Markus Malkusch <ma...@malkusch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |---
--- Comment #5 from Markus Malkusch <ma...@malkusch.de> ---
So I debugged the request:
I enter org.apache.catalina.connector.Request.parseCookies()
which goes into
org.apache.tomcat.util.http.Rfc6265CookieProcessor.parseCookieHeader(MimeHeaders,
ServerCookies)
MimeHeaders.toString() shows the cookie from the test case:
=== MimeHeaders ===
cookie = $Version="1"; foo="bar";$Path="/";$Domain="www.example.org"
When Request.parseCookies() is finished I see that
Request.coyoteRequest.serverCookies contains one Cookie with the value "bar"
(including quotes). No Spring involved so far. However I can't exculde if
Spring is configuring something to create this behaviour.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #10 from Mark Thomas <ma...@apache.org> ---
Progress. The quotes are retained and the unit test is removing them before
comparing the actual and expected values. That also looks very deliberate. I
need to remind myself why that is the case.
The handling of cookies has a long history. A summary of a good chunk of it can
be found at https://wiki.apache.org/tomcat/Cookies
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #7 from Markus Malkusch <ma...@malkusch.de> ---
I looked also a bit deeper. Parsing that header enters
org.apache.tomcat.util.http.parser.Cookie.readQuotedString(ByteBuffer), which
if I understand correctly will always return the value including the quotes
(start contains the position with the first quote). And from there on I didn't
find anything which would remove the quotes. It looks almost as this was
intentionally.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #9 from Mark Thomas <ma...@apache.org> ---
Definitely not a Spring issue.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Markus Malkusch <ma...@malkusch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
URL| |https://github.com/spring-p
| |rojects/spring-boot/issues/
| |8430
--- Comment #2 from Markus Malkusch <ma...@malkusch.de> ---
Thanks for your effort. I'll then will reopen the ticket on Spring's side as
it's more likely an issue there. In your testcase, did you also use
Tomcat-8.5.11?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #13 from Markus Malkusch <ma...@malkusch.de> ---
Then let me add more details to the described case: The intended symetric round
trip behaviour was not given. The Cookie was initially created with the Servlet
API (containing only alphanumeric characters), which sends a Set-Cookie header
without quotes (Set-Cookie: userId=foo;Max-Age=15552000;path=/).
It was the user agent (Dalvik/2.1.0 (Linux; U; Android 5.1; A2 Build/LMY47I))
which then continued to send it back with quotes. I couldn't find anything in
the related RFCs which forbids this, so I assume it's a possible and valid
behaviour.
I think it's wrong in this case to expose those quotes to the application
programmer. It is unexpected and leads to errors in application.
However it is currently a rare case. I observe it once every 5k requests.
Application programmers can easily mitigate the issue themselves, if they only
knew.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #11 from Markus Malkusch <ma...@malkusch.de> ---
Yes, I saw that wiki page already and it feels like some hair got lost on
implementing that.
Let me know when you remember the reason and also if you plan to keep it like
that. For me it's not a big deal to remove the quotes in my application. It
happens very rarely, but still I was very surprised when I saw that and I think
it would be better for future developers (or those who didn't notice that yet)
if Tomcat would remove those quotes.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I've converted the provided cookie header into a Tomcat test case and the value
is returned unquoted with both the Rfc6265CookieProcessor and the
LegacyCookieProcessor.
There is variation for the path and the domain. They are returned unquoted with
the Legacy processor but quoted with the RFC6265 processor.
It looks like there is something odd going on with your SSCCE.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|REOPENED |RESOLVED
--- Comment #12 from Mark Thomas <ma...@apache.org> ---
This particular behaviour relates to exactly what should be presented to, and
returned from, the Servlet API. The Servlet spec is silent on this issue.
What the Tomcat developers opted for was the general aim of symmetric,
consistent round-trip behaviour. For any valid value it should be possible to
create a Cookie with a given value, add it to the response and then retrieve
the same value from the next request.
For RFC 2109 cookies (anything with an explicit version of 1 or 0)
- unquoted values that require quoting to be valid are automatically quoted and
escaped to make them valid
- any quotes and escaping in received values is retained.
Because of the various edge cases around quoting RFC2109 cookies, keeping the
values as quoted made handling simpler and less likely to do the wrong thing.
The quotes are always removed from received RFC 6265 cookies (anything without
an explicit version of 1 or 0). Tomcat also strips quotes before generating the
Cookie header for RFC 6265 cookies.
Because there is no escaping in RFC 6265 and because quotes are not allowed in
values, removing them was much simpler (and generally is what applications
expect).
There are a lot of edge cases in all of this and no single solution that works
perfectly for everyone. The current behaviour has evolved over a long period of
time to a solution that works for most users, most of the time and
configuration options to cover the majority of edge cases. As such, changes are
unlikely but not impossible (e.b. bug 60627). Ultimately, the last major
refactoring added the CookieProcessor interface which enables any user to
essentially completely customise the cookie handling on a per application
basis.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #6 from Mark Thomas <ma...@apache.org> ---
Let me take a closer look.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
I tested 9.0.x trunk and 8.5.x trunk. Both worked as expected.
Personally, I'd start with your test case and look at exactly what header
values are being sent. I'd be surprised if Spring Boot is playing a role in
Cookie handling.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60788] Cookies value contains quotes when the Cookie header
contains $Version=1 and the header's value is enclosed by quotes
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788
--- Comment #8 from Markus Malkusch <ma...@malkusch.de> ---
Also please let me know if you agree that I can finally close the issue on
Spring's side.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org