Jetty: JETTY-1055

Wrong cookie parsing with double quotes

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.1.18
    • Fix Version/s: 6.1.19
    • Component/s: HTTP
    • Labels:
      None
    • Environment:
      windows xp
    • Number of attachments :
      0

      Description

      I have some cookie value, for example: {"webwidgetssite":{"starsexample":["200809280310"],"handsexample":["200809280300"]}}"
      Then Jetty escapes the double quotes and the cookie value becomes: {\"webwidgetssite\":{\"starsexample\":[\"200809280310\"],\"handsexample\":[\"200809280300\"]}} and stores it normally.

      But then, when a request with this value comes to Jetty on the server side, I am getting only this value: {\"

        Activity

        Greg Wilkins added a comment -

        The issue here is that the specification is not very clear about how to handle quotes.
        In RFC2109 it says:

        4.1 Syntax: General

        The two state management headers, Set-Cookie and Cookie, have common
        syntactic properties involving attribute-value pairs. The following
        grammar uses the notation, and tokens DIGIT (decimal digits) and
        token (informally, a sequence of non-special, non-white space
        characters) from the HTTP/1.1 specification [RFC 2068] to describe
        their syntax.

        av-pairs = av-pair *(";" av-pair)
        av-pair = attr ["=" value] ; optional value
        attr = token
        value = word
        word = token | quoted-string

        But then later it says:
        10.1.3 Punctuation

        In Netscape's original proposal, the values in attribute-value pairs
        did not accept "-quoted strings. Origin servers should be cautious
        about sending values that require quotes unless they know the
        receiving user agent understands them (i.e., "new" cookies). A
        ("new") user agent should only use quotes around values in Cookie
        headers when the cookie's version(s) is (are) all compliant with this
        specification or later.

        So using quotes is problematic.

        But in this case, it does look to me that Jetty is not correctly unquoting the value. So I think this is a bug.

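The grammar quoted above makes the cookie value either a token or a quoted-string, and a quoted-string (per RFC 2068) may carry backslash-escaped characters inside it. The following is an added illustration, not Jetty's parser or any code from this issue: a small Cookie-header parser that follows that grammar, beside a naive one that treats the first inner quote as the closing quote and therefore truncates the value much like the reporter describes. The header `SAMPLE_COOKIE_HEADER` and the cookie name `data` are constructed for the example.

```python
import json

# Constructed sample: the reporter's JSON sent back as a quoted cookie value,
# with the inner double quotes escaped as RFC 2068 quoted-pairs (\").
SAMPLE_COOKIE_HEADER = (
    'data="{\\"webwidgetssite\\":{\\"starsexample\\":[\\"200809280310\\"],'
    '\\"handsexample\\":[\\"200809280300\\"]}}"; $Version=1'
)


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie header per the RFC 2109 av-pairs grammar.

    av-pair = attr ["=" value]; value = token | quoted-string.
    Inside a quoted-string a backslash escapes the next character, so an
    escaped quote does not end the value. Attributes starting with '$'
    (e.g. $Version, $Path) are RFC 2109 control attributes and are skipped.
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        # Skip whitespace and the ';' separating av-pairs.
        while i < n and header[i] in " \t;":
            i += 1
        if i >= n:
            break
        # attr = token, read up to '=' or ';'.
        start = i
        while i < n and header[i] not in "=;":
            i += 1
        attr = header[start:i].strip()
        value = ""
        if i < n and header[i] == "=":
            i += 1
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] == '"':
                # quoted-string: read until the first *unescaped* closing quote.
                i += 1
                buf = []
                while i < n and header[i] != '"':
                    if header[i] == "\\" and i + 1 < n:
                        i += 1  # quoted-pair: keep the escaped character literally
                    buf.append(header[i])
                    i += 1
                i += 1  # consume the closing quote
                value = "".join(buf)
            else:
                # token: everything up to the next ';'
                start = i
                while i < n and header[i] != ";":
                    i += 1
                value = header[start:i].strip()
        if attr and not attr.startswith("$"):
            cookies[attr] = value
    return cookies


def naive_parse(header: str) -> dict:
    """Split on ';' and '=', and end a quoted value at the next '"' regardless
    of escaping. This is the failure mode the report describes: the value is
    cut off at the first escaped quote."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        value = value.strip()
        if value.startswith('"'):
            value = value[1 : value.find('"', 1)]
        cookies[attr.strip()] = value
    return cookies


def decode_json_cookie(header: str, name: str):
    """Unquote the named cookie and decode it as JSON."""
    return json.loads(parse_cookie_header(header)[name])


if __name__ == "__main__":
    print("naive  :", naive_parse(SAMPLE_COOKIE_HEADER)["data"])
    print("grammar:", parse_cookie_header(SAMPLE_COOKIE_HEADER)["data"])
    print("decoded:", decode_json_cookie(SAMPLE_COOKIE_HEADER, "data"))
```

The unquoting step is the security-relevant part: a server that truncates or mis-splits quoted values can end up acting on a different value than the client set, so any parser change should be checked against both token and quoted-string inputs, including escaped quotes and `$`-prefixed control attributes.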
        Greg Wilkins added a comment -

        I've committed a new cookie parser that handles the quotes better.
        It would be good if you could check it before the next release.


          People

          • Assignee:
            Greg Wilkins
            Reporter:
            Nikita Koksharov
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: