Hi,

we are facing problems with cookies containing umlauts (or other special 
characters), causing request processing to be stopped and a blank page to be 
returned.
I know that umlaut characters are forbidden within cookies, except when they 
are URL-encoded, but the problem arises from third parties creating cookies 
with the correct domain but containing invalid characters. Because request 
processing is aborted, we are unable to mark such cookies as invalid so that 
they are dropped next time by the client. 

Apr 13, 2013 9:19:41 AM org.apache.coyote.http11.AbstractHttp11Processor process
SEVERE: Error processing request
java.lang.IllegalArgumentException: Control character in cookie value or attribute.
       at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:193)
       at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:502)
       at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:349)
       at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:168)
       at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:106)
       at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:931)
       at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:688)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:402)
       at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
       at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
       at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
       at java.lang.Thread.run(Thread.java:722)

Is there a possibility to ignore such cookies? Setting 
CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0=true does not help because in 
org.apache.tomcat.util.http.Cookies.processCookieHeader first 
org.apache.tomcat.util.http.CookieSupport.isHttpSeparator is called and only 
then is ALLOW_HTTP_SEPARATORS_IN_V0 examined:
            // Skip whitespace and non-token characters (separators)
            while (pos < end &&
                   (CookieSupport.isHttpSeparator((char) bytes[pos]) &&
                           !CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 ||
                    CookieSupport.isV0Separator((char) bytes[pos]) ||
                    isWhiteSpace(bytes[pos])))
                {pos++; }

Maybe changing the evaluation order within the while condition could solve the 
problem.

Why is it better to throw an exception, causing request processing to be 
aborted and a blank page to be returned, than to ignore the invalid cookie? In 
my opinion this is a serious possibility for third parties to prevent the 
client from accessing the site.


Please help us/me out.

Thanks.

Laszlo
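
Added example, not part of the original message and not Tomcat code: a sketch of the "ignore the invalid cookie" behaviour asked about above, which filters a raw Cookie header pair by pair instead of failing the whole request. The class and method names are hypothetical, the octet test (control characters and bytes at or above 0x7F are invalid, tab excepted) is this example's assumption, and the sample header is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not Tomcat code; class and method names are hypothetical.
public class TolerantCookieHeader {
    // Assumption of this example: an octet is invalid if it is a control
    // character or outside US-ASCII (horizontal tab is tolerated).
    static boolean isInvalidOctet(byte b) {
        int c = b & 0xFF; // mask first: bytes >= 0x80 are negative in Java
        return (c < 0x20 && c != 0x09) || c >= 0x7F;
    }

    // Splits a raw Cookie header value on ';' (simplification: quoted values
    // containing ';' are not handled). Clean pairs go to 'accepted'; for the
    // others only the name is recorded in 'rejected', so the application can
    // expire that cookie in its response instead of failing the request.
    static void filter(byte[] header, List<String> accepted, List<String> rejected) {
        int start = 0;
        for (int i = 0; i <= header.length; i++) {
            if (i < header.length && header[i] != ';') continue;
            boolean bad = false;
            for (int j = start; j < i; j++) bad |= isInvalidOctet(header[j]);
            String pair = new String(header, start, i - start,
                    StandardCharsets.ISO_8859_1).trim();
            start = i + 1;
            if (pair.isEmpty()) continue;
            if (!bad) { accepted.add(pair); continue; }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            rejected.add(name.replaceAll("[^\\x21-\\x7E]", "?"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample header: the second cookie carries a raw ISO-8859-1 umlaut.
        byte[] raw = "JSESSIONID=ABC123; tracker=M\u00fcller; theme=dark"
                .getBytes(StandardCharsets.ISO_8859_1);
        List<String> accepted = new ArrayList<>();
        List<String> rejected = new ArrayList<>();
        filter(raw, accepted, rejected);
        System.out.println("accepted=" + accepted + " rejected=" + rejected);
    }
}
```

Masking with `& 0xFF` matters here: a direct `(char)` cast of a byte at or above 0x80 sign-extends to a value far outside the ASCII range.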
