https://issues.apache.org/bugzilla/show_bug.cgi?id=55917
Bug ID: 55917
Summary: Cookie parsing fails hard with ISO-8859-1 values
Product: Tomcat 7
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]

Some popular JavaScript libraries have started to set cookie values in the
browser directly and include ISO-8859-1 (Latin-1) characters in the range
0xA0-0xFF. When the Cookie header is parsed by Tomcat, the request fails with
an IllegalArgumentException[1] from the connector without giving the
application an opportunity to validate the cookie value received.

RFC2616 (HTTP/1.1) allows header field-values to contain ISO-8859-1 characters
which includes the range 0xA0-0xFF. RFC2109 (cookies) allows for
"quoted-string" values which can contain TEXT octets (which includes those
characters). This is different to cookie names which are defined as the more
restricted "token" which only allows US-ASCII values. The original Netscape spec
does not mention character encodings.

[1]
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?revision=1200183&view=markup#l190
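
The token versus TEXT distinction described in the report, as an added example that is not Tomcat's code and not part of the original report: a parser that accepts octets 0xA0-0xFF in cookie values, restricts names to tokens, and hands the values to the application instead of throwing. The class name, the skip-on-invalid policy and the sample header are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class LenientCookieParser {
    // RFC 2616 separators, which may not appear in a token.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // token octet: US-ASCII, not a CTL, not a separator (cookie names).
    static boolean isTokenOctet(int b) {
        return b > 0x20 && b < 0x7F && SEPARATORS.indexOf(b) < 0;
    }

    // TEXT octet: any octet except CTLs (HT allowed), so 0x80-0xFF pass.
    static boolean isTextOctet(int b) {
        return b == '\t' || (b >= 0x20 && b <= 0xFF && b != 0x7F);
    }

    // Parses the raw Cookie header octets. A pair with an invalid name or
    // value is skipped (assumed policy) instead of failing the whole request.
    // Simplification: splits on ';', so a ';' inside a quoted value is not handled.
    static Map<String, String> parse(byte[] header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        // ISO-8859-1 maps each octet to one char, so nothing is lost or rejected here.
        String raw = new String(header, StandardCharsets.ISO_8859_1);
        for (String pair : raw.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1); // strip quoted-string quotes
            }
            if (!name.isEmpty() && name.chars().allMatch(LenientCookieParser::isTokenOctet)
                    && value.chars().allMatch(LenientCookieParser::isTextOctet)) {
                cookies.put(name, value);
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed header: "pref" has octet 0xE9 in its value, the third name has it in the name.
        byte[] header = "sid=abc123; pref=\"caf\u00E9\"; n\u00E9=x".getBytes(StandardCharsets.ISO_8859_1);
        Map<String, String> cookies = parse(header);
        System.out.println(cookies.keySet());
        System.out.println(Integer.toHexString(cookies.get("pref").charAt(3)));
    }
}
```

The values returned are still untrusted input; the application validates them against what it expects before use.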