[Bug 60788] Cookies value contains quotes when the Cookie header contains $Version=1 and the header's value is enclosed by quotes

2017-03-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60788

--- Comment #13 from Markus Malkusch  ---
Then let me add more details to the described case: The intended symmetric round
trip behaviour was not given. The Cookie was initially created with the Servlet
API (containing only alphanumeric characters), which sends a Set-Cookie header
without quotes (Set-Cookie: userId=foo;Max-Age=15552000;path=/).

It was the user agent (Dalvik/2.1.0 (Linux; U; Android 5.1; A2 Build/LMY47I))
which then continued to send it back with quotes. I couldn't find anything in
the related RFCs which forbids this, so I assume it's a possible and valid
behaviour.

I think it's wrong in this case to expose those quotes to the application
programmer. It is unexpected and leads to errors in the application.

However it is currently a rare case. I observe it once every 5k requests.
Application programmers can easily mitigate the issue themselves, if they only
knew.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
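
The application-side mitigation that comment #13 alludes to, as an added example that is not part of the original thread or of Tomcat's code: a servlet filter that removes the enclosing quotes and backslash escapes which Tomcat retains for cookies sent with an explicit $Version. The class name UnquoteCookieFilter is hypothetical, and the javax.servlet API of Tomcat 8.5 is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: strips RFC 2109 quoting from cookie values before the application sees them. */
public class UnquoteCookieFilter implements Filter {

    /** Removes one pair of enclosing double quotes and undoes backslash escapes inside them. */
    static String unquote(String v) {
        if (v == null || v.length() < 2 || v.charAt(0) != '"' || v.charAt(v.length() - 1) != '"') {
            return v; // not a quoted-string: leave untouched
        }
        StringBuilder out = new StringBuilder(v.length() - 2);
        for (int i = 1; i < v.length() - 1; i++) {
            char c = v.charAt(i);
            if (c == '\\' && i + 1 < v.length() - 1) {
                c = v.charAt(++i); // quoted-pair: keep only the escaped character
            }
            out.append(c);
        }
        return out.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final Cookie[] cookies = http.getCookies(); // null when no Cookie header was sent
        if (cookies != null) {
            for (Cookie c : cookies) {
                c.setValue(unquote(c.getValue())); // "foo" (with quotes) becomes foo
            }
        }
        // Hand the normalised array to everything further down the chain.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public Cookie[] getCookies() {
                return cookies;
            }
        }, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Values used as identifiers (such as userId in the report) should still be validated against the expected character set after unquoting.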



Mark Thomas  changed:

       What|Removed     |Added
 ----------------------------------
 Resolution|---         |WONTFIX
     Status|REOPENED    |RESOLVED

--- Comment #12 from Mark Thomas  ---
This particular behaviour relates to exactly what should be presented to, and
returned from, the Servlet API. The Servlet spec is silent on this issue.

What the Tomcat developers opted for was the general aim of symmetric,
consistent round-trip behaviour. For any valid value it should be possible to
create a Cookie with a given value, add it to the response and then retrieve
the same value from the next request.

For RFC 2109 cookies (anything with an explicit version of 1 or 0)
- unquoted values that require quoting to be valid are automatically quoted and
escaped to make them valid
- any quotes and escaping in received values are retained.

Because of the various edge cases around quoting RFC2109 cookies, keeping the
values as quoted made handling simpler and less likely to do the wrong thing.

The quotes are always removed from received RFC 6265 cookies (anything without
an explicit version of 1 or 0). Tomcat also strips quotes before generating the
Cookie header for RFC 6265 cookies.

Because there is no escaping in RFC 6265 and because quotes are not allowed in
values, removing them was much simpler (and generally is what applications
expect).

There are a lot of edge cases in all of this and no single solution that works
perfectly for everyone. The current behaviour has evolved over a long period of
time to a solution that works for most users, most of the time and
configuration options to cover the majority of edge cases. As such, changes are
unlikely but not impossible (e.g. bug 60627). Ultimately, the last major
refactoring added the CookieProcessor interface which enables any user to
essentially completely customise the cookie handling on a per application
basis.

--- Comment #11 from Markus Malkusch  ---
Yes, I saw that wiki page already and it feels like some hair got lost on
implementing that.

Let me know when you remember the reason and also if you plan to keep it like
that. For me it's not a big deal to remove the quotes in my application. It
happens very rarely, but still I was very surprised when I saw that and I think
it would be better for future developers (or those who didn't notice that yet)
if Tomcat would remove those quotes.

--- Comment #10 from Mark Thomas  ---
Progress. The quotes are retained and the unit test is removing them before
comparing the actual and expected values. That also looks very deliberate. I
need to remind myself why that is the case.

The handling of cookies has a long history. A summary of a good chunk of it can
be found at https://wiki.apache.org/tomcat/Cookies

--- Comment #9 from Mark Thomas  ---
Definitely not a Spring issue.

--- Comment #8 from Markus Malkusch  ---
Also please let me know if you agree that I can finally close the issue on
Spring's side.

--- Comment #7 from Markus Malkusch  ---
I looked also a bit deeper. Parsing that header enters
org.apache.tomcat.util.http.parser.Cookie.readQuotedString(ByteBuffer), which
if I understand correctly will always return the value including the quotes
(start contains the position with the first quote). And from there on I didn't
find anything which would remove the quotes. It looks almost as if this was
intentional.

--- Comment #6 from Mark Thomas  ---
Let me take a closer look.

Markus Malkusch  changed:

       What|Removed     |Added
 ----------------------------------
     Status|RESOLVED    |REOPENED
 Resolution|WORKSFORME  |---

--- Comment #5 from Markus Malkusch  ---
So I debugged the request:
I enter org.apache.catalina.connector.Request.parseCookies(), which goes into
org.apache.tomcat.util.http.Rfc6265CookieProcessor.parseCookieHeader(MimeHeaders, ServerCookies).
MimeHeaders.toString() shows the cookie from the test case:

=== MimeHeaders ===
cookie = $Version="1"; foo="bar";$Path="/";$Domain="www.example.org"

When Request.parseCookies() is finished I see that
Request.coyoteRequest.serverCookies contains one Cookie with the value "bar"
(including quotes). No Spring involved so far. However I can't exclude if
Spring is configuring something to create this behaviour.

--- Comment #4 from Markus Malkusch  ---
Actually I also don't think Spring is messing around with Cookie parsing, but
something is. The test cases are fine. I double checked by comparing Tomcat's
log on the receiver side. Tomcat receives the Cookie header as sent by the test
cases. I'll start the debugger and come back when I found the cause.

--- Comment #3 from Mark Thomas  ---
I tested 9.0.x trunk and 8.5.x trunk. Both worked as expected.

Personally, I'd start with your test case and look at exactly what header
values are being sent. I'd be surprised if Spring Boot is playing a role in
Cookie handling.

Markus Malkusch  changed:

       What|Removed     |Added
 ----------------------------------
        URL|            |https://github.com/spring-projects/spring-boot/issues/8430

--- Comment #2 from Markus Malkusch  ---
Thanks for your effort. I'll then reopen the ticket on Spring's side as
it's more likely an issue there. In your testcase, did you also use
Tomcat-8.5.11?

Mark Thomas  changed:

       What|Removed     |Added
 ----------------------------------
 Resolution|---         |WORKSFORME
     Status|NEW         |RESOLVED

--- Comment #1 from Mark Thomas  ---
I've converted the provided cookie header into a Tomcat test case and the value
is returned unquoted with both the Rfc6265CookieProcessor and the
LegacyCookieProcessor.

There is variation for the path and the domain. They are returned unquoted with
the Legacy processor but quoted with the RFC6265 processor.

It looks like there is something odd going on with your SSCCE.
