https://issues.apache.org/bugzilla/show_bug.cgi?id=55917
Bug ID: 55917
Summary: Cookie parsing fails hard with ISO-8859-1 values
Product: Tomcat 7
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: jboy...@apache.org

Some popular JavaScript libraries have started to set cookie values in the browser directly and include ISO-8859-1 (Latin-1) characters in the range 0xA0-0xFF. When the Cookie header is parsed by Tomcat, the request fails with an IllegalArgumentException[1] from the connector without giving the application an opportunity to validate the cookie value received.

RFC2616 (HTTP/1.1) allows header field-values to contain ISO-8859-1 characters which includes the range 0xA0-0xFF. RFC2109 (cookies) allows for "quoted-string" values which can contain TEXT octets (which includes those characters). This is different to cookie names which are defined as the more restricted "token" which only allows US-ASCII values. The original Netscape spec does not mention character encodings.

[1] http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?revision=1200183&view=markup#l190
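The grammar distinction the report draws (cookie names as RFC 2616 "token", values as token or "quoted-string" of TEXT octets), as an added Java example that is neither Tomcat's code nor the reporter's: it classifies each cookie in a header and returns a per-cookie verdict instead of failing the whole request. The class name, the verdict strings and the sample header are assumptions made for illustration.

```java
import static java.nio.charset.StandardCharsets.ISO_8859_1;
import java.util.*;

public class CookieOctetCheck {   // hypothetical class name, not part of Tomcat
    static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    static boolean isToken(String s) {   // RFC 2616 token: US-ASCII, no CTLs, no separators
        for (char c : s.toCharArray())
            if (c < 0x21 || c > 0x7E || SEPARATORS.indexOf(c) >= 0) return false;
        return !s.isEmpty();
    }
    // RFC 2616 quoted-string: TEXT excludes only CTLs, so 0xA0-0xFF are accepted.
    static boolean isQuotedString(String s) {
        int end = s.length() - 1;
        if (end < 1 || s.charAt(0) != '"' || s.charAt(end) != '"') return false;
        for (int i = 1; i < end; i++) {
            char c = s.charAt(i);
            if (c == '\\' && (++i >= end || s.charAt(i) > 0x7F)) return false; // bad quoted-pair
            if (c == '"' || c == 0x7F || (c < 0x20 && c != '\t')) return false; // not qdtext
        }
        return true;
    }
    static List<String> splitPairs(String h) {   // split on ';' outside quotes only
        List<String> parts = new ArrayList<>();
        int start = 0;
        boolean quoted = false;
        for (int i = 0; i < h.length(); i++) {
            char c = h.charAt(i);
            if (quoted && c == '\\') i++;
            else if (c == '"') quoted = !quoted;
            else if (c == ';' && !quoted) { parts.add(h.substring(start, i)); start = i + 1; }
        }
        parts.add(h.substring(start));
        return parts;
    }
    // One verdict per cookie; a malformed pair never aborts the rest.
    static Map<String, String> classify(byte[] rawHeader) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : splitPairs(new String(rawHeader, ISO_8859_1))) {
            int eq = pair.indexOf('=');
            String name = (eq < 0 ? pair : pair.substring(0, eq)).trim();
            String value = eq < 0 ? "" : pair.substring(eq + 1).trim();
            out.put(name, !isToken(name) ? "invalid-name" : isToken(value) ? "token"
                    : isQuotedString(value) ? "quoted-string" : "not-in-grammar");
        }
        return out;
    }
    public static void main(String[] args) {   // constructed sample; U+00E9 becomes octet 0xE9
        byte[] sample = "id=abc123; pref=\"caf\u00e9; bar\"; raw=caf\u00e9; n\u00e9=1".getBytes(ISO_8859_1);
        classify(sample).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

The header is decoded as ISO-8859-1 so every octet maps to exactly one char and the range checks operate on the bytes as received; what to do with a "not-in-grammar" value is left to the caller.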