Cookie Processing of JSON Cookie destroys Cookie Header ------------------------------------------------------- Key: JBWEB-266 URL: https://issues.jboss.org/browse/JBWEB-266 Project: JBoss Web Issue Type: Bug Security Level: Public(Everyone can see) Components: Tomcat Affects Versions: JBossWeb-7.0.1.GA Environment: Windows 7 x64 and RHEL/CentOS 5.x, Java 1.7.0_11, JBoss AS 7.0.2 Final Reporter: Manuel Coenen Assignee: Remy Maucherat When sending a cookie with JSON content to JBoss the automatic cookie processing (triggered by looking for a session cookie) modifies the {{byte[]}} buffer which is also used for the HTTP headers. This is due to multiple objects depending on the same {{byte[]}} buffer instance. The following hierarchy should demonstrate this dependency: {noformat} Http11Processor.request (Request) └> cookies (Cookies) | └> scookies[] (ServerCookie) | └> scookies[x] (where x is the index referencing the JSON cookie) | └> value (MessageByte) | └>byteC (ByteChunk) | \ | |-> buff (byte[]) | / | ┌> byteC (ByteChunk) | ┌> valueB (MessageByte) | ┌> headers[y] (where y is the index referencing the JSON cookie header) | ┌> headers[] (MimeHeaderField) └> headers (MimeHeader) {noformat} The method {{Cookies.unescapeDoubleQuotes(ByteChunk)}} modifies this buffer by overwriting its contents when removing the escaped double-quotes. This in return destroys the reference for the header as it will still maintain the {{start}} and {{end}} reference inside this buffer. If the value for this header is read later it will be the unescaped content trailed by the surplus escaped region (see reproduction instructions for a more detailed example). In my opinion the method {{Cookies.unescapeDoubleQuotes(ByteChunk)}} should copy the {{byte[]}} first to avoid side effects to other parts referencing this {{byte[]}} as it could be (and is in our case) that the headers (including cookie) need to be forwarded unmodified to another server.