tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48559] New: Security fix for CVE-2007-5333 causing interoperability problems
Date Sun, 17 Jan 2010 18:05:09 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48559

           Summary: Security fix for CVE-2007-5333 causing
                    interoperability problems
           Product: Tomcat 6
           Version: 6.0.16
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: luis.aguilera@ca.com


The fix implemented for CVE-2007-5333  and the related issues is breaking the
interoperability with other third party products.

The fix for this issue, as I understand, has Tomcat encapsulate cookie date
between double-quotes (") such that a cookie, which prior to 6.0.12 would have
read like this:

cookiename = cookiedata

now reads like this:

cookiename = "cookiedata"

The presence of the double-quotes in the begining and end of the cookie data is
causing problems to several third-party applications which assume that the
double-quote is in fact part of the cookie data.

Our appplication, for instance, encrypts the cookie data and then encodes using
Base64. Hence, it has difficulty processing the double-quotes that precede and
end the cookie data.

Changing our application could be considered if the number of cookies was
small. However, given the design of our application, users can create all sorts
of different cookies, hence having an arbitrary rule that ignores or strips the
double-quotes of any cookies it receives is not feasible. 

It should be noted that while our application runs in Tomcat, the problem
affects components of our application that do NOT run on Tomcat. 

I would like to request that the Tomcat team reconsider it's approach towards
resolving this security vulnerabilty such that it does not break
interoperability with other third party applications.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message