tomcat-dev mailing list archives

Subject [Bug 55917] New: Cookie parsing fails hard with ISO-8859-1 values
Date Fri, 20 Dec 2013 20:22:13 GMT

            Bug ID: 55917
           Summary: Cookie parsing fails hard with ISO-8859-1 values
           Product: Tomcat 7
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors

Some popular JavaScript libraries have started to set cookie values in the
browser directly and include ISO-8859-1 (Latin-1) characters in the range
0xA0-0xFF. When the Cookie header is parsed by Tomcat, the request fails with
an IllegalArgumentException[1] from the connector without giving the
application an opportunity to validate the cookie value received.

RFC 2616 (HTTP/1.1) allows header field-values to contain ISO-8859-1 characters
which includes the range 0xA0-0xFF. RFC 2109 (cookies) allows for
"quoted-string" values which can contain TEXT octets (which includes those
characters). This is different to cookie names which are defined as the more
restricted "token" which only allows US-ASCII values. The original Netscape spec
does not mention character encodings.
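
The grammar described in the report, as an added example (not Tomcat's code and not part of the original message): names must be RFC 2616 tokens, values may be tokens or quoted-strings of TEXT octets, and a pair that breaks the grammar is set aside so the rest of the header still reaches the application. The class name `Latin1CookieCheck`, its methods and the sample header are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

public class Latin1CookieCheck {
    static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    // RFC 2616 token: US-ASCII only, no control characters, no separators.
    static boolean isToken(String s) {
        for (char c : s.toCharArray())
            if (c <= 0x20 || c >= 0x7F || SEPARATORS.indexOf(c) >= 0) return false;
        return !s.isEmpty();
    }
    // RFC 2616 quoted-string: TEXT (any octet except CTLs, so 0xA0-0xFF pass) in double quotes.
    static boolean isQuotedString(String s) {
        int end = s.length() - 1;
        if (end < 1 || s.charAt(0) != '"' || s.charAt(end) != '"') return false;
        for (int i = 1; i < end; i++) {
            char c = s.charAt(i);
            if (c == '\\' ? (++i >= end || s.charAt(i) > 0x7F)   // quoted-pair: "\" CHAR
                          : (c == '"' || c == 0x7F || (c < 0x20 && c != '\t'))) return false;
        }
        return true;
    }
    // Splits on ';' or ',' outside quotes; bad pairs go to 'rejected' instead of aborting.
    static Map<String, String> parse(byte[] header, List<String> rejected) {
        String s = new String(header, StandardCharsets.ISO_8859_1); // one byte = one char
        Map<String, String> accepted = new LinkedHashMap<>();
        boolean quoted = false;
        for (int i = 0, start = 0, n = s.length(); i <= n; i++) {
            char c = i < n ? s.charAt(i) : ';';            // virtual terminator at the end
            if (quoted && c == '\\' && i + 1 < n) { i++; continue; }
            if (i < n && c == '"') { quoted = !quoted; continue; }
            if (i < n && (quoted || (c != ';' && c != ','))) continue;
            String pair = s.substring(start, i).trim();
            start = i + 1;
            int eq = pair.indexOf('=');
            String name = pair.substring(0, Math.max(eq, 0)).trim();
            String value = pair.substring(eq + 1).trim();
            if (isToken(name) && (isToken(value) || isQuotedString(value))) accepted.put(name, value);
            else if (!pair.isEmpty()) rejected.add(pair);
        }
        return accepted;
    }
    public static void main(String[] args) {
        // Constructed sample Cookie header value, as ISO-8859-1 bytes off the wire.
        byte[] h = "theme=\"caf\u00e9\"; sid=abc123; na\u00efve=1; note=caf\u00e9"
                .getBytes(StandardCharsets.ISO_8859_1);
        List<String> rejected = new ArrayList<>();
        System.out.println("accepted=" + parse(h, rejected) + " rejected=" + rejected);
    }
}
```

With the sample header, the quoted Latin-1 value and the plain ASCII cookie are accepted, while the Latin-1 cookie name and the unquoted Latin-1 value are reported as rejected pairs.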

