InfiniteLoop90 opened a new issue, #2054:
URL: https://github.com/apache/shiro/issues/2054

   ### Search before asking
   
   - [x] I had searched in the 
[issues](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no 
similar issues.
   
   
   ### Environment
   
   Java version: 17
   
   ### Shiro version
   
   2.0.0
   
   ### What was the actual outcome?
   
   `SimpleCookie` doesn't do any encoding of Cookie values (or comments) when 
creating the `Set-Cookie` header. This causes browsers (or other web 
frameworks) to misinterpret or lose data.
   
   For example, if the cookie has a name of `test` and a value of `ab;cd`, the 
`Set-Cookie` header that Shiro would build would start with 
`test=ab;cd;`. Browsers would then see the first semicolon and interpret the 
value as `ab`. Other web frameworks would stop processing values at other 
characters too, like `@`.
   
   As per 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#attributes
 one approach is to percent-encode the cookie value:
   
   > Encoding: Many implementations perform 
[percent-encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding)
 on cookie values. However, this is not required by the RFC specification. The 
percent-encoding does help to satisfy the requirements of the characters 
allowed for `<cookie-value>`.
   
   I suspect that the `Comment` can/should also be encoded the same way.
   
   ### What was the expected outcome?
   
   Cookie values and comments should be URI-encoded so that browsers and other 
web frameworks don't misinterpret the values/comments.
   
   ### How to reproduce
   
   Use `SimpleCookie#buildHeaderValue` to create a `Set-Cookie` header value 
with a cookie name of `test`, a cookie value of `ab;cd`, and a cookie comment 
of `Some +=;@%comment`.
   
   The header string doesn't URI-encode the cookie value and comment:
   
   ```test=abc;d; Comment=Some +=;@%comment; Path=/; SameSite=lax```
   
   The expected output would be to have the cookie value and comment 
URI-encoded:
   
   ```test=abc%3Bd; Comment=Some%20%2B%3D%3B%40%25comment; Path=/; 
SameSite=lax```
   
   ### Debug logs
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@shiro.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


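The failure mode the issue describes, worked through in code. This is an added example written for this page, not Shiro code and not `SimpleCookie#buildHeaderValue`: a small header builder with and without percent-encoding, the RFC 6265 cookie-octet check, and a browser-style `Set-Cookie` parser that shows how an unencoded `;` inside the value silently truncates it. The function names (`encode_cookie_value`, `build_set_cookie`, `parse_set_cookie`) and the sample cookie are constructed for the example; the encoding chosen is the `encodeURIComponent` character set, which is what the issue's expected output uses and is stricter than RFC 6265 strictly requires.

```python
"""Percent-encoding Set-Cookie values and comments (generic example, not Shiro code)."""
from urllib.parse import quote, unquote

# RFC 6265 section 4.1.1 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. printable US-ASCII except SP, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTETS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if c not in (0x22, 0x2C, 0x3B, 0x5C)
)


def is_rfc6265_cookie_value(value: str) -> bool:
    """True if every character is a cookie-octet, i.e. the value needs no quoting."""
    return all(c in COOKIE_OCTETS for c in value)


def encode_cookie_value(value: str) -> str:
    """encodeURIComponent-style percent-encoding: keeps only A-Z a-z 0-9 - _ . ! ~ * ' ( ).
    Every result is a valid RFC 6265 cookie-value, and because '%' itself is
    encoded as %25 the value round-trips through a standard percent-decoder."""
    return quote(value, safe="!~*'()")


def decode_cookie_value(value: str) -> str:
    """The matching decode the server must apply when it reads the Cookie header back."""
    return unquote(value)


def build_set_cookie(name: str, value: str, comment: str = "",
                     path: str = "/", same_site: str = "lax",
                     encode: bool = True) -> str:
    """Build a Set-Cookie header value in the layout shown in the issue.
    encode=False reproduces the unencoded behaviour being reported."""
    enc = encode_cookie_value if encode else (lambda s: s)
    parts = [f"{name}={enc(value)}"]
    if comment:
        parts.append(f"Comment={enc(comment)}")  # Comment is legacy (RFC 2109); modern browsers ignore it
    parts.append(f"Path={path}")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Minimal RFC 6265 section 5.2 parse, as a browser does it: text up to the first ';'
    is name=value, everything after it is attributes. A stray ';' inside an unencoded
    value therefore chops the value and turns the remainder into bogus attributes."""
    first, _, rest = header.partition(";")
    name, _, value = first.partition("=")
    attrs: dict[str, str] = {}
    for av in rest.split(";"):
        av = av.strip()
        if not av:
            continue
        k, _, v = av.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def demo() -> dict[str, str]:
    """Constructed sample: the cookie from the issue, built both ways and parsed back."""
    raw = build_set_cookie("test", "ab;cd", "Some +=;@%comment", encode=False)
    safe = build_set_cookie("test", "ab;cd", "Some +=;@%comment")
    _, raw_value, _ = parse_set_cookie(raw)
    _, safe_value, safe_attrs = parse_set_cookie(safe)
    return {
        "raw_header": raw,
        "raw_value_seen_by_browser": raw_value,            # "ab": data lost
        "encoded_header": safe,
        "decoded_value": decode_cookie_value(safe_value),  # "ab;cd": intact
        "decoded_comment": decode_cookie_value(safe_attrs["comment"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check worth keeping in a test suite is `is_rfc6265_cookie_value` on whatever the framework is about to emit: if it returns false for an unencoded value, some consumer will truncate or reject it. Note that encoding only helps if the read side decodes symmetrically; the browser returns `ab%3Bcd` verbatim in the `Cookie` header, so the server must apply `decode_cookie_value` (or its own equivalent) before using the value.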