tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 55917] New: Cookie parsing fails hard with ISO-8859-1 values
Date Fri, 20 Dec 2013 20:22:13 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55917

            Bug ID: 55917
           Summary: Cookie parsing fails hard with ISO-8859-1 values
           Product: Tomcat 7
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: jboynes@apache.org

Some popular JavaScript libraries have started to set cookie values in the
browser directly and include ISO-8859-1 (Latin-1) characters in the range
0xA0-0xFF. When the Cookie header is parsed by Tomcat, the request fails with
an IllegalArgumentException[1] from the connector without giving the
application an opportunity to validate the cookie value received.

RFC2616 (HTTP/1.1) allows header field-values to contain ISO-8859-1 characters
which includes the range 0xA0-0xFF. RFC2109 (cookies) allows for
"quoted-string" values which can contain TEXT octets (which includes those
characters). This is different to cookie names which are defined as the more
restricted "token" which only allows USASCII values. The original Netscape spec
does not mention character encodings.

[1]
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?revision=1200183&view=markup#l190

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message