[jboss-jira] [JBoss JIRA] Commented: (JBAS-7372) Base 64 encoded cookie containing '=' is getting truncated

Darryl Miles (JIRA) jira-events at lists.jboss.org
Thu Oct 15 11:11:05 EDT 2009 

    [ https://jira.jboss.org/jira/browse/JBAS-7372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12490044#action_12490044 ] 

Darryl Miles commented on JBAS-7372:
------------------------------------

Thanks for the examples.  Just to close the base64 slash character ("/") usage in the characer-set, the de-facto standard for cookie originated from the following documentation (originally from Netscape browser) :

http://web.archive.org/web/*/http://wp.netscape.com/newsref/std/cookie_spec.html
http://web.archive.org/web/20080411033246/http://wp.netscape.com/newsref/std/cookie_spec.html

The implied encoding for the VALUE part of the cookie is "URL encoding", therefore certain characters have reserved/special meaning in URLs.  ";" for attribute separator (per path element), "/" for path element separator, etc...  Therefore use an unescaped "/" character is considered illegal (by some) for historical backward compatibility reasons.  The escaping method cited in the specification was the %XX method, or ASP.NET could have just revised base64 to use "-" instead of "/".  However the point is moot since it is not the topic of this bug report.


The issue in the bug report is the removal of the "=" characters from the VALUE part of the cookie.  This is a bug in Tomcat/JBoss due to the way it tokenized the incoming cookie string.  The specification above specifically states that 
semi-colon, comma and white space may not be inside the value (since they have special meaning / special handling).  So there is no ambiguity that those character would need encoding if they are present in the VALUE part of the cookie.

So the use of the "=" character falls into the question of, "Does any HTTP Cookie specification update specifically prohibit the EQUALS ("=") character from appearing unencoded in the VALUE part of the cookie?" and to that question I shall try to find a reference to a specification update on the original Netscape de-facto specification (in the URL above) for an answer.  My hunch is that I shall no find any such prohibition.  This would be an opportunity for someone to cite such a claim here.

To bear in mind for maximum compatibility, "be strict in what you emit and liberal in what you parse" has been a long standing mantra.  I can't think of any argument for why "=" can not appear unencoded in the VALUE part of the cookie.


Are you able to test your application with the stock tomcat and confirm the same issue, so that a bug report for TC6 can be opened and looked (and discussed) by the respective parties.  This will eventually trickle down into JBAS.


The fix in the TC6 tree looks straightforward, simply have a different tokenizer for handling the VALUE part of the cookie that only includes "semi-colon, comma and white space" as token delimiters (still working on the assumption there has been no superseding RFC update on this point).  I guess the tokenizer in TC6 is broken and is returning empty strings a couple of times for the sequence "==" instead of allowing them to be included in the VALUE part of the cookie data.


> Base 64 encoded cookie containing '=' is getting truncated
> ----------------------------------------------------------
>
>                 Key: JBAS-7372
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7372
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: JBossAS-5.1.0.GA
>         Environment: WinXP + JBoss 5.1.0 GA
> Windows 2003 IIS 6.0 used to create cookie
>            Reporter: Sangeetha Radhakrishnan
>
> Hi,
> My application running in JBoss 5.1.0 GA has to do authentication using Base 64 encoded cookie which is created by another 3rd party application running on IIS. While reading the cookie from the request object, the '=' got truncated, as JBoss 5.1.0 GA considering it as invalid cookie character. I cann't change the  '=' to some other characters like '_' before adding the cookie, becuase the cookie was created by 3rd party appliation which is running on IIS. Even I have tried by setting the STRICT_SERVLET_COMPLIANCE=false, it is not switching the invalid cookie characters to valid cookie character if cookie is created by another application running on IIS.
> Steps to re-produce:
> 1. Write an application called 'dotNetApp1' to Create cookie called "AthuNCookie".
> 2. Deploy this application on IIS 6.0
> 3. Write a simple WebApplication called 'javaApp1' to read the "AthuNCookie" from the browser/request object.
> 4. Deploy this web application in JBoss 5.1.0 GA. 
> 5. Access "http://hostname/dotNetApp1" - this will create 'AuthNCookie" in the browser.
> 6. In the same browser, change the URL to "http://hostname:8080/javaApp1" to read the "AuthNCookie"
> Could you please let me know is JBoss patch available for this issue or any work-around also will be fine.
> In case if patch or work-around is not available, let me know Which JBoss version consider '=' as valid cookie character.
> Thank You!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list