tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Control character in cookie value
Date Mon, 07 Dec 2009 11:57:14 GMT
itay sahar wrote:
> Pid,
> I'm not using B as the cookie value.  A & B go to encode and finally you
> have *one *value(C). this value
> is sent to addCookie.
> 
> C is something like:
> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0

Ok, let's take this at face value.

And yet, you are still getting an exception, which says that there is a 
"control character" in the value of the cookie which you are trying to add.

Let's assume for now that the addCookie method itself has no bug, and 
that what it says in the exception is the truth.

It also does not look (in these email communications) as if your value 
C above has a "control character" in it.

(But note : there still could be one, that we do not see here in these 
emails.  For example, if the value C above was in reality ending in a 
CR/LF pair.  Apart from the string C itself above, you should maybe also 
log its length in bytes, so that we can really make sure that this is 
not the case).

Then, if I remember well the code which really adds the cookie (and 
which is not the one shown below), independently of the "value", there 
is also in these cookies an expiration date, and a path, which you add 
to the cookie string one by one.
So really, when you do the addCookie, what you do is create a cookie 
header which looks like:
Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath

Any one of "somedate" or "somepath" could (potentially) contain a 
control character, and the exception would only show up when you 
actually do the addCookie() of the whole value (including expiration 
date and path) at once.
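An added example, not code from the thread: it reproduces the wrapping behaviour Mark and André describe with java.util.Base64 (assumed here as a stand-in for the unknown Base64.encodeBytes()), applies the control-character rule from Mark's message to each Set-Cookie component separately, and logs the byte length as suggested above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not from the thread). Base64.getMimeEncoder() stands in for the
// unknown Base64.encodeBytes(): it wraps at 76 chars with CR/LF; getEncoder() never wraps.
public class CookieTokenCheck {
    // Mark's rule: any char < 0x20 or >= 0x7f, other than TAB (0x09), is a
    // control character for ServerCookie.maybeQuote2(). Returns its index or -1.
    static int firstControlChar(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 0x20 || c >= 0x7f) && c != 0x09) {
                return i;
            }
        }
        return -1;
    }

    static String encodeToken(String username, String value, boolean wrap) {
        byte[] raw = (username + ":" + value).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = wrap ? Base64.getMimeEncoder() : Base64.getEncoder();
        return enc.encodeToString(raw);
    }

    // Check every piece that ends up in Set-Cookie separately, logging its byte
    // length as André suggests, so the offending component is named, not the header.
    static int report(String label, String component) {
        int bad = firstControlChar(component);
        System.out.printf("%-8s len=%d bytes, control char at index %d%n",
                label, component.getBytes(StandardCharsets.UTF_8).length, bad);
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample input with the same shape as the one in the thread.
        String user = "itay.sahar@gmail.com";
        String value = "6de5ca4f:1254c461110:-7feb:9135486247122677484";
        // 67 input bytes become 92 Base64 chars; the MIME encoder inserts "\r\n"
        // after the 76th char, which is exactly where the value quoted in the thread stops.
        report("wrapped", encodeToken(user, value, true));
        String plain = encodeToken(user, value, false);
        report("plain", plain);
        report("expires", "Mon, 07 Dec 2009 11:57:14 GMT");
        report("path", "/app\r\n");  // constructed bad path: the check fires here too
        // '=' padding is legal in the value but forces Tomcat to quote it.
        System.out.println("needs quoting: " + plain.contains("="));
    }
}
```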




> 
> On Mon, Dec 7, 2009 at 12:16 PM, Pid <pid@pidster.com> wrote:
> 
>> On 06/12/2009 21:51, itay sahar wrote:
>>
>>> Hi Andre,
>>>
>>> please see below input and output of:
>>> protected String encodeToken(String username, String value)
>>> {
>>>     StringBuilder sb = new StringBuilder();
>>>     sb.append(username);
>>>     sb.append(":");
>>>     sb.append(value);
>>>     return Base64.encodeBytes(sb.toString().getBytes());
>>> }
>>>
>>> Input is:
>>>
>>> username= itay.sahar@gmial.com
>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>
>>> Output is (this is what actually addCookie get as parameter):
>>>
>>> 6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>
>>> Can you suggest solution ?
>>>
>> Yep.
>>
>> You are claiming that you are supplying A & B to the encodeToken function,
>> but then you are using B as the cookie value.
>>
>> Try using the value returned from the encodeToken function instead.
>> Hint, if it contains a ":" character, it's not Base64 encoded.
>>
>>
>>
>> p
>>
>>
>>> On Sun, Dec 6, 2009 at 11:28 PM, itay sahar<itay.sahar@gmail.com>  wrote:
>>>> Hi Andre,
>>>> please see below input and output of:
>>>> protected String encodeToken(String username, String value)
>>>> {
>>>>     StringBuilder sb = new StringBuilder();
>>>>     sb.append(username);
>>>>     sb.append(":");
>>>>     sb.append(value);
>>>>     return Base64.encodeBytes(sb.toString().getBytes());
>>>> }
>>>>
>>>> Input is:
>>>>
>>>> username= itay.sahar@gmial.com
>>>>
>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>
>>>>
>>>> Output is:
>>>>
>>>>
>>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
>>>>
>>>>
>>>>
>>>> Can you suggest solution ?
>>>>
>>>> On Sat, Dec 5, 2009 at 6:20 PM, André Warnier<aw@ice-sa.com>  wrote:
>>>>
>>>>> Mark Thomas wrote:
>>>>>> itay sahar wrote:
>>>>>>> Caused by: java.lang.IllegalArgumentException: Control character in cookie
>>>>>>> value, consider BASE64 encoding your value
>>>>>>>        at
>>>>>>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)
>>>>>>>
>>>>>>>
>>>>>> To cause this, there must be a character in the value with an ASCII code
>>>>>> of less than 0x20 or greater or equal to 0x7f and is not 0x09.
>>>>>>
>>>>>> You need to fix that first.
>>>>>>
>>>>>> Then you'll need to worry about Base64 using '=' in cookie values. The
>>>>>> value needs to be quoted for this to work. Tomcat will do this
>>>>>> automatically if necessary.
>>>>>>
>>>>>>
>>>>> Mark above is talking about the output value of the Base64 encoder
>>>>> which
>>>>> you are using, and which you then feed to the response.addCookie(cookie)
>>>>> method.
>>>>>
>>>>> It is not clear (to me) where the used Base64.encodeBytes() method comes
>>>>> from.  But wherever it comes from, it should encode any input series of
>>>>> bytes according to
>>>>> http://tools.ietf.org/html/rfc3548#section-3
>>>>> which cannot produce "control characters".
>>>>> Except that some Base64 encoders, in some cases, will "wrap" the output
>>>>> string at 76 bytes, by inserting a CR/LF pair, which are both "control
>>>>> characters".  (Note that the output string of Base64 is longer than the
>>>>> input string, since it encodes 3 consecutive input bytes into 4 output
>>>>> bytes.)
>>>>> My guess is that this is what happens here, and that could trigger the
>>>>> exception above.
>>>>> Maybe this Base64.encodeBytes() method has an optional argument which
>>>>> would tell it to not wrap the output value ?
>>>>>
>>>>> Note also that with the code you were showing, the control character(s)
>>>>> could presumably be also in "cookiePath".
>>>>>
>>>>> Why do you not log the cookie value, just before you call
>>>>> setCookieValueIfEnabled(String value) ?
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>
> 



