Jetty

Wrong cookie parsing with double qoutes

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Critical Critical
  • Resolution: Fixed
  • Affects Version/s: 6.1.18
  • Fix Version/s: 6.1.19
  • Component/s: HTTP
  • Labels:
    None
  • Environment:
    windows xp
  • Number of attachments :
    0

Description

I have some cookie value, for example: {"webwidgetssite":{"starsexample":["200809280310"],"handsexample":["200809280300"]}}"
Then jetty escapse double qoutes and cookie value becomes: {\"webwidgetssite\":{\"starsexample\":[\"200809280310\"],\"handsexample\":[\"200809280300\"]}} and store it normally.

But then request with this value comes to jetty on server side i getting only this value: {\"

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Greg Wilkins added a comment -

The issue here is that the specification is not very clear about how to handle quotes.
In RFC2109 it says:

4.1 Syntax: General

The two state management headers, Set-Cookie and Cookie, have common
syntactic properties involving attribute-value pairs. The following
grammar uses the notation, and tokens DIGIT (decimal digits) and
token (informally, a sequence of non-special, non-white space
characters) from the HTTP/1.1 specification [RFC 2068] to describe
their syntax.

av-pairs = av-pair *(";" av-pair)
av-pair = attr ["=" value] ; optional value
attr = token
value = word
word = token | quoted-string

But then later is says:
10.1.3 Punctuation

In Netscape's original proposal, the values in attribute-value pairs
did not accept "-quoted strings. Origin servers should be cautious
about sending values that require quotes unless they know the
receiving user agent understands them (i.e., "new" cookies). A
("new") user agent should only use quotes around values in Cookie
headers when the cookie's version(s) is (are) all compliant with this
specification or later.

So using quotes is problematic.

But in this case, it does look to me that Jetty is not correctly unquoting the value. So I think this is a bug

Show
Greg Wilkins added a comment - The issue here is that the specification is not very clear about how to handle quotes. In RFC2109 it says: 4.1 Syntax: General The two state management headers, Set-Cookie and Cookie, have common syntactic properties involving attribute-value pairs. The following grammar uses the notation, and tokens DIGIT (decimal digits) and token (informally, a sequence of non-special, non-white space characters) from the HTTP/1.1 specification [RFC 2068] to describe their syntax. av-pairs = av-pair *(";" av-pair) av-pair = attr ["=" value] ; optional value attr = token value = word word = token | quoted-string But then later is says: 10.1.3 Punctuation In Netscape's original proposal, the values in attribute-value pairs did not accept "-quoted strings. Origin servers should be cautious about sending values that require quotes unless they know the receiving user agent understands them (i.e., "new" cookies). A ("new") user agent should only use quotes around values in Cookie headers when the cookie's version(s) is (are) all compliant with this specification or later. So using quotes is problematic. But in this case, it does look to me that Jetty is not correctly unquoting the value. So I think this is a bug
Hide
Permalink
Greg Wilkins added a comment -

I've committed a new cookie parser that handles the quotes better.
It would be good if you could check it before the next release

Show
Greg Wilkins added a comment - I've committed a new cookie parser that handles the quotes better. It would be good if you could check it before the next release

People

  • Assignee:
    Greg Wilkins
    Reporter:
    Nikita Koksharov
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: