2013/4/13 Keszthelyi Laszlo <laszlo.keszthe...@diepresse.com>:
> Hi,
>
> we are facing problems with cookies containing umplaut (or other special
> characters), causing the request processing beeing stopped and returning a
> blank page.
> I know that umlaut characters are forbidden within cookies, except when they
> are urlencoded, but the problem arises from third-parties createing cookies
> with the correct domain but containing invalid characters. Due to the request
> processing abort, we are unable to mark such cookies as invalid and beeing
> dropped next time by the client.
>
> Apr 13, 2013 9:19:41 AM org.apache.coyote.http11.AbstractHttp11Processor
> process
> SEVERE: Error processing request
> java.lang.IllegalArgumentException: Control character in cookie value or
> attribute.
> at
> org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:193)
> at
> org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:502)
> at
> org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:349)
> at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:168)
> at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:106)
> at
> org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:931)
> at
> org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:688)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:402)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> at java.lang.Thread.run(Thread.java:722)
>
> Is there a possibility to ignore such cookies? Setting
> CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0=true does not help because in
> org.apache.tomcat.util.http.Cookies.processCookieHeader first
> org.apache.tomcat.util.http.CookieSupport.isHttpSeparator is called and only
> than ALLOW_HTTP_SEPARATORS_IN_V0 examined:
> // Skip whitespace and non-token characters (separators)
> while (pos < end &&
> (CookieSupport.isHttpSeparator((char) bytes[pos]) &&
> !CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 ||
> CookieSupport.isV0Separator((char) bytes[pos]) ||
> isWhiteSpace(bytes[pos])))
> {pos++; }
>
> Maybe changing the evaluation order within the while condition could solve
> the problem.
>
> Why is it better throwing an exception, causing the request processing beeing
> aborted and returning a blank page, than ignoring the invalid cookie? In my
> opinion this is a serious possibility to prevent site accessing by the client
> through third-parties.
>
>
In short:
1. Cookies are usually sent by a single multi-valued "Cookie" header.
If the header has incorrect value, then the client is sending an
incorrect request which has to be rejected as invalid (400).
In the past broken headers were used as a tool to break security of
some web applications. E.g. to steal sessionid value.
See CVE-2007-3385, CVE-2007-5333
http://tomcat.apache.org/security-6.html
So I would like to be strict here.
What is sending that value? Some web browser?
2. If you are going to skip one cookie... that is not possible. At
best you have to skip all of them (the header as a whole), and your
web application will likely to misbehave anyway.
When Tomcat deciphers the Cookie header, the header contents in memory
is being changed. So if Tomcat were changed to skip broken header,
then you will not be able to process it in your application anyway.
In Tomcat 8 it is possible to preserve the header, but it is turned
off by default (PRESERVE_COOKIE_HEADER system property).
3. What bother me is why this error is logged at severe level.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
