tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Problem with cookie values in 8.5.14
Date Wed, 26 Apr 2017 19:28:35 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 4/26/17 3:18 PM, Mark Thomas wrote:
> On 26/04/17 20:13, Christopher Schultz wrote:
>> On 4/26/17 2:55 PM, Mark Thomas wrote:
> 
> <snip/>
> 
>>> RFC 2109 allows quoted string to be used. In this Tomcat can
>>> (and will) do what needs to be done to make the cookie value
>>> 'just work'.
>> So does 6265 just basically do-away with all attempts to quote
>> things and say "if you want weird stuff in there, use base64"?
> 
> Exactly.
> 
> <quote> To maximize compatibility with user agents, servers that
> wish to store arbitrary data in a cookie-value SHOULD encode that
> data, for example, using Base64 [RFC4648]. </quote>

Done. With backward-compatibility. ;)

Since everything I have is name=value[,name=value], I just decided to
look for anything that includes an equals sign anywhere other than at the
end(s) of the input and consider that a non-base64-encoded cookie value.

Fortunately, I've got the cookie-value-generation in one single place
in the code and, similarly, the cookie-value-reading code is in
another single place, so it was easy to add this symmetrically.

I'll keep this in mind for future Cookie exploits... er, adventures.

- -chris

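A worked example of the scheme discussed in the thread (Base64-encode the name=value[,name=value] payload as RFC 6265 recommends, and on the reading side treat an '=' anywhere other than at the end as a legacy, un-encoded value). This is added illustration code, not code from the thread, from Tomcat, or from Chris's application; the function names and the sample values are constructed for the example. It also shows why the encoding is needed at all: the RFC 6265 cookie-octet grammar excludes the comma (and DQUOTE, semicolon, backslash and whitespace), while every character of the Base64 alphabet is a cookie-octet.

```python
import base64
import binascii
import re
from typing import List, Tuple

# RFC 6265 section 4.1.1: cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. printable US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")
# The Base64 alphabet (A-Z a-z 0-9 + /) and the '=' padding all fall inside those ranges.


def is_rfc6265_value(value: str) -> bool:
    """True if the value consists only of cookie-octets (no quoting needed, no rejection)."""
    return _COOKIE_OCTET.match(value) is not None


def encode_pairs(pairs: List[Tuple[str, str]]) -> str:
    """Writer side: serialize name=value[,name=value], then Base64 it (RFC 6265 advice)."""
    raw = ",".join(f"{name}={value}" for name, value in pairs)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def looks_legacy(value: str) -> bool:
    """The heuristic from the thread: an '=' anywhere other than as trailing padding
    means this is an old, un-encoded name=value[,name=value] value."""
    return "=" in value.rstrip("=")


def parse_pairs(raw: str) -> List[Tuple[str, str]]:
    """Split the plain name=value[,name=value] form back into pairs."""
    pairs = []
    for item in raw.split(","):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def decode_value(value: str) -> List[Tuple[str, str]]:
    """Reader side, symmetric with encode_pairs. One legacy shape the heuristic cannot
    tell apart from Base64 padding is a value whose only '=' is its last character
    (a single name with an empty value); strict Base64 decoding fails on it, so we
    fall back to treating it as legacy (an assumption of this example, not the thread)."""
    raw = value
    if not looks_legacy(value):
        try:
            raw = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raw = value  # not valid Base64 after all: treat as a legacy value
    return parse_pairs(raw)


if __name__ == "__main__":
    legacy = "user=alice,role=admin"  # constructed sample of the old, un-encoded format
    print(is_rfc6265_value(legacy))   # False: ',' is not a cookie-octet
    encoded = encode_pairs(parse_pairs(legacy))
    print(is_rfc6265_value(encoded))  # True: Base64 output is pure cookie-octets
    print(decode_value(encoded) == decode_value(legacy))  # True: both paths agree
```

The fallback in decode_value only matters for values the thread's heuristic cannot classify; for every value that contains an '=' before its end, the legacy path is taken without attempting a Base64 decode, which is the behaviour Chris describes.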

