tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: RFC6265, cookie parsing and UTF-8
Date Wed, 27 Aug 2014 11:19:19 GMT
On 27/08/2014 10:58, Mark Thomas wrote:
> On 27/08/2014 10:38, Konstantin Kolinko wrote:
>> 2014-08-27 13:29 GMT+04:00 Mark Thomas <>:
>>> Bad news: The issue is that if there is a chance of UTF-8 in the header
>>> then you can't simply split the header into individual cookies based on
>>> the separator byte since you can't tell (without decoding to characters)
>>> if a byte represents the separator or is part of a sequence of several
>>> bytes representing some other character.
>> You can. All separator bytes are 7-bit US-ASCII.
>> BTW, There is also a feature in UTF-8 that you can split it into
>> characters without actually decoding them.
>> I mean "Character boundaries are easily found from anywhere in an
>> octet stream." as said in "1. Introduction" of
> Doh. Thanks for the correction. That gives us rather more options (if we
> want/need them).
> I had in the back of my mind an old UTF-8 related security issue where
> multi-byte characters were being incorrectly processed and the remaining
> bytes were incorrectly being treated as single byte characters in the range
> 0-127. I need to re-read through that issue to remind myself exactly
> what was going on as with UTF-8 that simply should not be possible.

For the record it was CVE-2008-2938 and what was happening was that a
character that should have been encoded in 1 byte was encoded in
multiple bytes (so the checks for that character didn't see it) and the
UTF-8 decoder at the time failed to reject it as it was required to do
by the spec.


> On a related topic... Since ISO-8859-1 is valid for use in a cookie
> value (BZ 55917) we are going to have to provide an option somewhere to
> select the encoding to use to decode cookie values.
> Mark

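Added example (not code from Tomcat or from anyone in this thread) illustrating the two points made above: a cookie header can be split on the raw ';' byte without decoding, because every byte of a multi-byte UTF-8 sequence is >= 0x80 and character boundaries are visible from the bit pattern of each byte; and a decoder that accepts overlong encodings (the CVE-2008-2938 class of bug) would turn bytes that the separator check never saw into ';'. The function names, the `strict` flag and the sample header bytes are all constructed for this example.

```python
"""Byte-level cookie splitting plus a UTF-8 decoder that rejects overlong forms."""
from typing import Dict, List, Optional


def is_char_start(b: int) -> bool:
    """UTF-8 continuation bytes look like 10xxxxxx; every other byte begins a character."""
    return (b & 0xC0) != 0x80


def char_boundaries(data: bytes) -> List[int]:
    """Indexes at which characters start, found without decoding anything."""
    return [i for i, b in enumerate(data) if is_char_start(b)]


def split_cookie_header(header: bytes) -> List[bytes]:
    """Split on the raw ';' byte (0x3B).

    Safe for UTF-8 input: every byte of a multi-byte sequence is >= 0x80,
    so a well-formed sequence can never contain the 7-bit separator.
    """
    return [part.strip() for part in header.split(b";")]


def decode_utf8(data: bytes, strict: bool = True) -> Optional[str]:
    """Decode UTF-8 by hand; return None on malformed input.

    strict=True rejects overlong encodings as RFC 3629 requires.
    strict=False mimics a lenient decoder (constructed here to show the bug
    class): an overlong form such as C0 BB is accepted and yields ';'.
    """
    out: List[str] = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # plain US-ASCII, one byte
            out.append(chr(b0))
            i += 1
            continue
        if (b0 & 0xE0) == 0xC0:            # 110xxxxx: 2-byte sequence
            need, cp, minimum = 1, b0 & 0x1F, 0x80
        elif (b0 & 0xF0) == 0xE0:          # 1110xxxx: 3-byte sequence
            need, cp, minimum = 2, b0 & 0x0F, 0x800
        elif (b0 & 0xF8) == 0xF0:          # 11110xxx: 4-byte sequence
            need, cp, minimum = 3, b0 & 0x07, 0x10000
        else:                              # stray continuation byte or F8..FF
            return None
        if i + need >= n:                  # truncated sequence
            return None
        for k in range(1, need + 1):
            c = data[i + k]
            if (c & 0xC0) != 0x80:         # expected a continuation byte
                return None
            cp = (cp << 6) | (c & 0x3F)
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return None                    # out of range or UTF-16 surrogate
        if strict and cp < minimum:
            return None                    # overlong: must use the shortest form
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def parse_cookies(header: bytes) -> Optional[Dict[str, str]]:
    """Split on raw bytes first, then strictly decode each name and value."""
    cookies: Dict[str, str] = {}
    for part in split_cookie_header(header):
        if not part:
            continue
        name, sep, value = part.partition(b"=")
        if not sep:
            return None
        n, v = decode_utf8(name.strip()), decode_utf8(value.strip())
        if n is None or v is None:
            return None
        cookies[n] = v
    return cookies


if __name__ == "__main__":
    # Constructed sample: a UTF-8 value followed by a second cookie.
    header = b"lang=fr\xc3\xa9; user=bob"
    print(split_cookie_header(header))
    print(parse_cookies(header))
    # Overlong ';' (C0 BB): the split never sees a 0x3B byte, a lenient
    # decoder would still produce ';', a strict one rejects the input.
    print(decode_utf8(b"\xc0\xbb", strict=False), decode_utf8(b"\xc0\xbb"))
```

Python's own `bytes.decode("utf-8")` also raises on C0/C1 lead bytes and other overlong forms, so the hand-written decoder above is only there to make the lenient-versus-strict difference visible in one place.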