Ah, thanks!  I see now that setting ALLOW_HTTP_SEPARATORS_IN_V0=true
bypasses that check in a few spots.  Probably what Chuck was alluding
to in his reply...

The one spot it wouldn't bypass is line 292 in ServerCookie.java.  You
guys could switch the order of the logical checks in there, i.e.:

-        } else if (CookieSupport.isHttpToken(value) &&
-                !CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 ||
-                CookieSupport.isV0Token(value) &&
-                CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0) {
+        } else if (!CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 &&
+                CookieSupport.isHttpToken(value) ||
+                CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 &&
+                CookieSupport.isV0Token(value)) {
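Review bot: the swap is only meaningful because `&&` short-circuits; the two conditions are logically equivalent, so it helps only if `CookieSupport.isHttpToken(value)` is where the control-character exception is thrown and the reorder now skips that call whenever `ALLOW_HTTP_SEPARATORS_IN_V0` is true (with the flag off, the default, evaluation is exactly as before). Before proposing it, make the reliance on evaluation order explicit: parenthesise each `&&` pair, i.e. `(!CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 && CookieSupport.isHttpToken(value)) || (CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 && CookieSupport.isV0Token(value))`, and add a one-line comment that the operand order is deliberate, otherwise a later cleanup may commute it back. It also assumes `isV0Token(value)` does not run the same control-character check; if it does, the change gains nothing.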

...and I think that would pretty much solve the issue for me.  Or at
least allow me to process the request and figure out what nastiness is
getting passed in the Set-Cookie value (presumably unicode).

Dan

On Tue, May 24, 2011 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
> On 24/05/2011 21:25, Dan Checkoway wrote:
>> This is super low priority, since I assume somebody is passing junk in a
>> Set-Cookie header, but I'd love to get to the bottom of it (I'm of the "no
>> request left behind" mindset), and I'm still in the dark about what Tomcat
>> doesn't like about what it's being passed.
>>
>> Can you guys shed any light on what might evoke that "Control character in
>> cookie value or attribute" error in 7.0.14?
>
> One of the huge benefits of Tomcat is that it is open source so, if you
> know where to look, you can just check the source code to see why Tomcat
> behaves the way it does. You have a stack trace so you know the file and
> line number. Take a look at line 192 (and the couple of lines above it)
> in the following file:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?view=annotate
>
> That file is from svn trunk but it hasn't changed since 7.0.14.
>
>> I still can't get my head wrapped around which ServerCookie.* property(ies)
>> to tweak to try to figure this out.
>
> Those aren't going to help you. If a control character is detected in
> the cookie header then the whole request is toast.
>
> Mark
>
>>
>> Thanks,
>> Dan
>>
>> On Fri, May 20, 2011 at 4:56 PM, Dan Checkoway <dchecko...@gmail.com> wrote:
>>
>>> Ah, thanks!  To be honest I'm not sure which of those properties would work
>>> around the "Control character in cookie value or attribute" exception.
>>>
>>> Maybe org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR?  I
>>> can't tell if "Control character" means a literal non-printable character
>>> (i.e. something between 0x00 and 0x1F), or something else like a \ getting
>>> in there, like foo\nbar.
>>>
>>> Don't suppose it could be unicode in a cookie value that's causing this?
>>> Which seems more plausible to you, 0x00 or unicode?
>>>
>>> And any specific suggestions for config tweaks would be much appreciated!
>>>
>>> Dan
>>>
>>>
>>>
>>> On Fri, May 20, 2011 at 3:56 PM, Caldarale, Charles R <
>>> chuck.caldar...@unisys.com> wrote:
>>>>
>>>>> From: Dan Checkoway [mailto:dchecko...@gmail.com]
>>>>> Subject: Control character in cookie value or attribute
>>>>
>>>>> I honestly have no idea if it's related to the tomcat version
>>>>> or some legitimately wacked out Set-Cookie header coming in.
>>>>
>>>> Both, actually.  Tomcat 7 is a bit more picky about what it accepts for
>>> cookies.  You can control the behavior with the cookie-related properties
>>> listed here:
>>>>
>>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Specification
>>>>
>>>>  - Chuck
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>
>>>
>>
>


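The thread turns on what "Control character in cookie value or attribute" actually matches, and on which rejections ALLOW_HTTP_SEPARATORS_IN_V0 can and cannot bypass. The script below is an added illustration for this page, not Tomcat code: it classifies each byte of a cookie value as an RFC 2616 control character (0x00-0x1F, 0x7F), an RFC 2616 separator, or a non-ASCII byte, and then applies a model of the two-mode check named in the thread. The CTL and separator sets are the RFC's; the names `classify` and `check_cookie_value`, the V0 separator set, and the treatment of non-ASCII bytes are this model's assumptions, and the authoritative rules are in Tomcat's CookieSupport.java. It answers the "0x00, backslash, or unicode?" question directly: a literal newline or NUL is a control character and is rejected in either mode, a `/` or `\` is a separator whose fate depends on the flag, and UTF-8 encoded text produces only bytes >= 0x80, never a CTL byte.

```python
"""
Classify the bytes of a cookie value to explain a rejection like Tomcat's
"Control character in cookie value or attribute".

Added illustration for this thread, not Tomcat code.  The CTL range and
the separator set are taken from RFC 2616; the split into "HTTP token"
versus "V0 token", and the V0 separator set, are this model's assumptions
that mimic the checks named in the thread.  The authoritative rules are
in Tomcat's CookieSupport.java.
"""

# RFC 2616 separators (tspecials).  ALLOW_HTTP_SEPARATORS_IN_V0, discussed
# in the thread, is about these characters, not about control characters.
HTTP_SEPARATORS = frozenset(b'()<>@,;:\\"/[]?={} \t')

# Assumption: characters a V0 (Netscape-style) value still may not contain
# even when HTTP separators are allowed, because they delimit the header.
V0_SEPARATORS = frozenset(b',; ')


def is_ctl(b: int) -> bool:
    """RFC 2616 CTL: 0x00-0x1F plus DEL (0x7F).  A backslash or a '/'
    is not a control character; a literal newline (0x0A) or NUL is."""
    return b < 0x20 or b == 0x7F


def classify(value: bytes) -> dict:
    """Report every byte class in value with its offset, so a rejected value
    can be traced to the exact byte: control character, HTTP separator, or
    non-ASCII (e.g. a UTF-8 encoded character, whose bytes are all >= 0x80
    and therefore never in the CTL range)."""
    found = {"ctl": [], "separator": [], "non_ascii": []}
    for i, b in enumerate(value):
        if is_ctl(b):
            found["ctl"].append((i, b))
        elif b in HTTP_SEPARATORS:
            found["separator"].append((i, b))
        elif b >= 0x80:
            found["non_ascii"].append((i, b))
    return found


def check_cookie_value(value: bytes, allow_http_separators_in_v0: bool = False) -> str:
    """Model of the decision discussed in the thread.

    A control character is rejected whatever the flag says (the thread:
    "the whole request is toast").  Otherwise, with the flag off the value
    must be a strict HTTP token (no separators); with the flag on it only
    has to be a V0 token.  Non-ASCII bytes are not judged by this model.
    """
    found = classify(value)
    if found["ctl"]:
        off, b = found["ctl"][0]
        return f"rejected: control character 0x{b:02X} at offset {off}"
    if allow_http_separators_in_v0:
        bad = [(i, b) for i, b in found["separator"] if b in V0_SEPARATORS]
        if bad:
            off, b = bad[0]
            return f"rejected: not a V0 token, {chr(b)!r} at offset {off}"
        return "accepted (V0 token)"
    if found["separator"]:
        off, b = found["separator"][0]
        return f"rejected: not an HTTP token, separator {chr(b)!r} at offset {off}"
    return "accepted (HTTP token)"


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = [
        b"sessionid42",
        b"a/b",                       # separator only: flag-dependent
        b"foo\nbar",                  # literal newline: rejected either way
        b"x\x00y",                    # NUL: rejected either way
        "caf\u00e9".encode("utf-8"),  # UTF-8: 0xC3 0xA9, no CTL byte
    ]
    for s in samples:
        print(f"{s!r:32} strict: {check_cookie_value(s)}")
        print(f"{'':32} v0:     {check_cookie_value(s, True)}")
```

To use it on a real rejection, feed it the raw bytes of the offending cookie value (from a packet capture or an access-log hex dump, not the decoded string, since decoding hides which bytes were on the wire); the offset in the message points at the exact byte to look at.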