tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Manico <...@manico.net>
Subject Re: Cookies are broken in 6.0.16?
Date Sun, 10 Feb 2008 16:44:12 GMT
Filip - you are 100% correct on this thread. Are you basically the 
traffic cop guarding the core of Tomcat?

- Jim
> Mark Thomas wrote:
>> Remy Maucherat wrote:
>>> Filip Hanik - Dev Lists wrote:
>>>> Jim Manico wrote:
>>>>> > I guess we could throw a run time exception if the value 
>>>>> contained any of those. other than that, I'm not sure how to behave
>>>>>
>>>>> I think this is the best case scenario for v0 cookies. Perhaps, if 
>>>>> you really want to get fancy, you can add a flag to let legacy 
>>>>> solutions roll back to the old/non-standard cookie handling 
>>>>> methodology?
>>>> no, we wont do that. we fixed the cookie behavior in this release 
>>>> due to security issues filed against the old parsing.
>>>
>>> The security issue only exists because of a fundamentally broken 
>>> servlet in the examples, and assumes the user will click on a URL. 
>>> That's not what I call a security problem.
>>
>> The root cause of the issue wasn't the servlet in the examples. If it 
>> were, that servlet would have been fixed.
>>
>> The issue was a number of bugs/inconsistencies in the handling of 
>> cookie headers, particularly around quoting and unquoting which 
>> enabled XSS attacks in some instances. That said the issues were all 
>> hard to exploit and required the application to use user provided 
>> data directly as the cookie value. This was why these issues were 
>> rated as low severity.
>>
>> An enhancement request to log when Tomcat ignores/truncates a value 
>> or identifies some other issue when parsing cookies seems reasonable 
>> to me.
> the thing is, the javadoc as very very clear on this, to create a v0 
> cookie, and put == in the end, is obviously not good :)
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message