Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12765

[7.1] Migration (GSS) Add optional support for RFC6265 compliant cookie validation

    XMLWordPrintable

Description

    Undertow does not conform to Set-Cookie syntax defined in the cookie specification.

    RFC6265 (Section 4.1 Set-Cookie) states that Servers SHOULD NOT send Set-Cookie headers that fail to conform the defined grammer. For example, cookie value should be US-ASCII characters excluding CTLs, whitespace, double quote, comma, semicolon, and backslash.

    However, undertow does not restrict the invalid characters. For example, when accessing the following JSP which add one of invalid characters (whitespace) to cookie value:

    <%
    Cookie c = new Cookie("example","example cookie");
    response.addCookie(c);
%>

    undertow responds with the following Set-Cookie format but this is not correct Set-Cookie header in RFC6265:

    Set-Cookie: example=example cookie

    Note: The previous cookie specifications (RFC2109 and RFC2965) allow some characters in cookie value when the cookie value are quoted. (i.e. Set-Cookie: example="example cookie" was allowed in the old specifications.) EAP 6/JBossWeb (and Tomcat 6.0/7.0/8.0) conform to this old specification and it will automatically quotes a cookie value (also path and domain) when the value contains any seprarator characters which should be quoted.

    Attachments

      Issue Links

        clones

        Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBEAP-11443 [GSS](7.1.0) Add optional support for RFC6265 compliant cookie validation

        • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
        • Verified
        is incorporated by

        Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11706 Undertow 1.4.17.Final

        • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
        • Verified
        relates to

        Bug - A problem that impairs or prevents the functions of the product. JBEAP-11444 [GSS](7.1.0) Add correct quoting to the cookie for a backward compatible behavior to EAP 6 (JBossWeb)

        • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
        • Verified

        Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1096 Add correct quoting to the cookie for a backward compatible behavior to EAP 6 (JBossWeb)

        • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
        • Resolved

        Task - Represents a small unit of work that is not end-user facing. JBEAP-11897 (7.0.z) Add testcase in EAT for support of RFC6265 compliant cookie validation

        • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
        • Verified

        Activity

          People

            sgilda_jira Sande Gilda (Inactive)
            sgilda_jira Sande Gilda (Inactive)
            Radim Hatlapatka Radim Hatlapatka (Inactive)
            Radim Hatlapatka Radim Hatlapatka (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: