Bug 1376379

Summary: [GSS](6.4.z) cookie with control character throws exception but page (empty) returns 200 OK
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Tom Fonteyne <tfonteyn>
Component: WebAssignee: Peter Palaga <ppalaga>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hatlapatka <rhatlapa>
Severity: high Docs Contact:
Priority: high    
Version: 6.4.10CC: bmaxwell, jbilek, jgr.talk, mcada, msochure, ppalaga, rmaucher, rstancel
Target Milestone: CR1   
Target Release: EAP 6.4.13   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-03 16:43:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1304337, 1386335    

Description Tom Fonteyne 2016-09-15 09:27:30 UTC 
Description of problem:

Use an out of the box EAP installation and run:

(the cookie value contains a 'control' character)

curl -i 'http://<my_server>/some-url' -H 'Cookie:=�'
HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 09:08:03 GMT
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: close
Content-Type: text/plain

The stack trace :
2016-09-05 18:37:15,659 ERROR [http-executor-threads - 24] (o.a.c.connector) JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.IllegalArgumentException: JBWEB002039: Control character in cookie value or attribute
        at org.apache.tomcat.util.http.CookieSupport.isHttpSeparator(CookieSupport.java:188) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.getTokenEndPosition(Cookies.java:454) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:277) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:158) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:96) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:641) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:583) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:333) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511) [jbossweb.jar:7.3.1.Final-redhat-1]
        at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849) [jboss-threads.jar:2.1.1.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads.jar:2.1.1.Final-redhat-1]


This is itself is not the issue, as control characters (other then TAB) are illegal in cookies.

However, the response to the browser sends and empty page and an http code: http 200 OK.
This is clearly wrong.

Two possible proposals:

org/apache/tomcat/util/http/CookieSupport.java

185     public static final boolean isHttpSeparator(final char c) {
186         if (c < 0x20 || c >= 0x7f) {
187             if (c != 0x09) {
188                 throw MESSAGES.invalidControlCharacter();
189             }
190         }
191 
192         return HTTP_SEPARATOR_FLAGS[c];
193     }

could be made to check STRICT_SERVLET_COMPLIANCE flag, and allow the control characters it this flag is false. (alternatively an extra/new flag could be introduced)

However, whether the proposal above is implemented or not, the issue remains that if the MESSAGES.invalidControlCharacter(); exception is thrown, then the response should send a http 500 status!
Comment 1 Tom Fonteyne 2016-09-16 12:04:17 UTC 
I tested if a Valve could be used as a workaround, but the exception happens before the Valve is hit.

Side note: EAP 7 handles a control character without an issue (undertow)
Comment 2 Peter Palaga 2016-09-29 14:05:55 UTC 
Note that the cookie value used above is \uFFEF
Comment 4 Michael Cada 2017-01-04 08:58:05 UTC 
Verified with EAP 6.4.13.CP.CR1
Comment 5 Petr Penicka 2017-02-03 16:43:30 UTC 
Released with EAP 6.4.13 on Feb 02 2017.