[jboss-jira] [JBoss JIRA] (WFLY-9233) [GSS](7.1.0) Add optional support for RFC6265 compliant cookie validation

Stuart Douglas (JIRA) issues at jboss.org
Thu Aug 17 00:48:00 EDT 2017


     [ https://issues.jboss.org/browse/WFLY-9233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas moved JBEAP-12758 to WFLY-9233:
----------------------------------------------

              Project: WildFly  (was: JBoss Enterprise Application Platform)
                  Key: WFLY-9233  (was: JBEAP-12758)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Web (Undertow)
                           (was: Web (Undertow))
    Affects Version/s:     (was: 7.0.5.GA)


> [GSS](7.1.0) Add optional support for RFC6265 compliant cookie validation
> -------------------------------------------------------------------------
>
>                 Key: WFLY-9233
>                 URL: https://issues.jboss.org/browse/WFLY-9233
>             Project: WildFly
>          Issue Type: Enhancement
>          Components: Web (Undertow)
>            Reporter: Stuart Douglas
>            Assignee: Stuart Douglas
>            Priority: Blocker
>              Labels: downstream_dependency
>
> Undertow does not conform to the Set-Cookie syntax defined in the cookie specification.
> [RFC6265 (Section 4.1 Set-Cookie)|http://httpwg.org/specs/rfc6265.html#rfc.section.4.1] states that servers SHOULD NOT send Set-Cookie headers that fail to conform to the defined grammar. For example, a cookie value should consist of US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.
> However, Undertow does not restrict the invalid characters. For example, when accessing the following JSP, which adds one of the invalid characters (whitespace) to the cookie value:
> {code}
> <%
>     Cookie c = new Cookie("example","example cookie");
>     response.addCookie(c);
> %>
> {code}
> Undertow responds with the following Set-Cookie format, but this is not a correct {{Set-Cookie}} header in RFC6265:
> {code}
> Set-Cookie: example=example cookie
> {code}
> Note: The previous cookie specifications ([RFC2109|https://tools.ietf.org/html/rfc2109#section-4.1] and [RFC2965|https://tools.ietf.org/html/rfc2965#section-3.1]) allow some characters in the cookie value when the cookie value is quoted (i.e. {{Set-Cookie: example="example cookie"}} was allowed in the old specifications). EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and automatically quote a cookie value (also path and domain) when the value contains any separator characters which should be quoted.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
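As an added illustration (not code from Undertow, WildFly or the JIRA issue itself), the following Python checker applies the RFC 6265 cookie-value grammar the issue cites (cookie-octet: printable US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon and backslash) and contrasts it with the RFC 2109-style auto-quoting that the issue attributes to JBossWeb and older Tomcat releases. The `_LEGACY_SEPARATORS` list is a constructed approximation of that legacy quoting rule, not the exact list any container uses. It also shows the caveat that matters for the "optional RFC6265 compliant validation" being proposed: wrapping `example cookie` in double quotes satisfies the old grammar but still fails RFC 6265, because the space inside the quotes is not a cookie-octet.

```python
import re
from typing import List

# RFC 6265, section 4.1.1:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]$")

# cookie-name = token (RFC 2616, section 2.2): any CHAR except CTLs and separators.
_TOKEN = re.compile(r'^[^\x00-\x20\x7F()<>@,;:\\"/\[\]?={}]+$')

# Separator characters that RFC 2109/2965-era containers treated as a reason to wrap the
# value in double quotes. Constructed approximation of that rule for this example only.
_LEGACY_SEPARATORS = set('\t ",;\\/:<=>?@()[]{}')


def check_cookie_value(value: str) -> List[str]:
    """Return the RFC 6265 violations found in a cookie-value; [] means compliant."""
    inner = value
    # The grammar permits exactly one pair of surrounding DQUOTEs; everything inside
    # must still be cookie-octets, so quoting does not legalise a space or a comma.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        inner = value[1:-1]
    problems = []
    for ch in inner:
        if not _COOKIE_OCTET.match(ch):
            problems.append(f"illegal cookie-octet {ch!r} (0x{ord(ch):02X})")
    return problems


def check_cookie_name(name: str) -> List[str]:
    """Return violations of the RFC 2616 token rule for a cookie-name; [] means compliant."""
    if not name:
        return ["empty cookie-name"]
    if not _TOKEN.match(name):
        return [f"cookie-name {name!r} is not an RFC 2616 token"]
    return []


def legacy_quote(value: str) -> str:
    """RFC 2109-style behaviour: quote the value when it contains a separator,
    escaping embedded backslashes and double quotes."""
    if any(ch in _LEGACY_SEPARATORS for ch in value):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return value


def build_set_cookie(name: str, value: str, rfc6265: bool = True) -> str:
    """Render a Set-Cookie header line.

    rfc6265=True  -> reject any value that violates the RFC 6265 grammar (strict mode).
    rfc6265=False -> emulate the legacy containers and auto-quote instead.
    """
    name_problems = check_cookie_name(name)
    if name_problems:
        raise ValueError("; ".join(name_problems))
    if rfc6265:
        problems = check_cookie_value(value)
        if problems:
            raise ValueError("; ".join(problems))
        return f"Set-Cookie: {name}={value}"
    return f"Set-Cookie: {name}={legacy_quote(value)}"


if __name__ == "__main__":
    # Constructed sample: the same cookie the JIRA issue uses.
    print(check_cookie_value("example cookie"))
    print(build_set_cookie("example", "example cookie", rfc6265=False))
    try:
        build_set_cookie("example", "example cookie", rfc6265=True)
    except ValueError as err:
        print("strict mode rejected it:", err)
```

In strict mode the rejection happens at the point where the application adds the cookie, so a bad value surfaces as an application error rather than as a header that browsers truncate or ignore differently; the legacy mode reproduces the quoted form that the older containers emitted.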

