On 17/09/2024 13:46, manjosh ramesh wrote:
Hi Mark,
What is strange is that we are obtaining the cookie by triggering an HTTP
request to a spring-boot application running on Tomcat. The same tomcat server
adds '^M$' at the end of each line in the response.
If we redirect this response to a file and use a cookie, Tomcat rejects it.
HTTP headers use CRLF as a line terminator.
If you write that "as-is" to a file you will end with with CRLF line
terminators in that file.
If you then read the file assuming the line terminator is LF then you
will, effectively, insert the CR (^M) characters at the end of every line.
You need to ensure that you read and write the file using the same line
terminator.
Mark
Regards,
Manjosh Ramesh
On Tuesday, September 17, 2024 at 02:51:28 PM GMT+5:30, Mark Thomas
<ma...@apache.org> wrote:
On 17/09/2024 04:44, manjosh ramesh wrote:
Hi,ok, so this was a bug in older tomcat release and has been fixed in newer
version, is it?
Yes.
Could you please share the bug id for this change?
No. Not every fix is associated with a bug ID since not every issue is
raised via the issue tracker. This is such an issue.
You haven't been specific about which version worked and which one
didn't although you do mention the issue appearing when you upgraded to
8.5.99.
If I had to guess then I'd guess the change the uncovered the issue in
your cookie header was the one that meant CRCRLF was rejected as a line
terminator. That was in 8.5.82.
I'll note that Tomcat 8.5.x reached end of life on 31 March 2024 and is
no longer supported by the ASF.
Extended support is available from various commercial entities for older
versions of Tomcat. I would strongly recommend that anyone considering
one of those options looks carefully at the provider's claims of Tomcat
expertise. Or just upgrade to an ASF supported version.
Because the older tomcat allows this type of request.
Quite possibly. There has been a general tightening up of HTTP request
parsing over time. Partly in response to reported security
vulnerabilities, partly as a preventative measure against the
possibility of future vulnerabilities.
Also Our cookie is complient. We are not able to find what is not complient in
our cookie.
No, it isn't. CR (^M) is not a permitted character in an HTTP request
header so your cookie header is not valid.
It only works when we remove '^M' or '^M$' from the end of line in our cookie.
As expected. Once you make the HTTP request specification complaint,
Tomcat will accept it.
Mark
Regards,Manjosh Ramesh
On Monday, September 16, 2024 at 09:37:22 AM GMT+5:30,
<bugzi...@apache.org> wrote:
https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
Chuck Caldarale <n82...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #3 from Chuck Caldarale <n82...@gmail.com> ---
As previously stated, any further discussion must be on the Tomcat users'
mailing list. Do not reopen this bugzilla entry.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
