Mark,

On 4/26/17 3:18 PM, Mark Thomas wrote:
> On 26/04/17 20:13, Christopher Schultz wrote:
>> On 4/26/17 2:55 PM, Mark Thomas wrote:
>
> <snip/>
>
>>> RFC 2109 allows quoted string to be used. In this Tomcat can
>>> (and will) do what needs to be done to make the cookie value
>>> 'just work'.
>>
>> So does 6265 just basically do away with all attempts to quote
>> things and say "if you want weird stuff in there, use base64"?
>
> Exactly.
>
> <quote>
> To maximize compatibility with user agents, servers that wish to
> store arbitrary data in a cookie-value SHOULD encode that data,
> for example, using Base64 [RFC4648].
> </quote>

Done. With backward-compatibility. ;)

Since everything I have is name=value[,name=value], I just decided to look for anything that includes an equals sign anywhere other than at the end(s) of the input and consider that a non-base64-encoded cookie value.

Fortunately, I've got the cookie-value generation in one single place in the code and, similarly, the cookie-value-reading code is in another single place, so it was easy to add this symmetrically.

I'll keep this in mind for future Cookie exploits... er, adventures.

-chris
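The symmetric encode/decode path Chris describes, written out as an added Python illustration (not his own application code, which is Java): a value with an interior `=` is read as the legacy `name=value[,name=value]` layout, anything else is tried as Base64, and, going one step beyond his description, a value that is not valid Base64 falls back to the legacy parser so that a single pair like `a=` (whose only `=` is trailing) is still read correctly. The pair layout and the sample values are constructed for the example.

```python
import base64
import binascii


def encode_cookie_value(pairs: dict) -> str:
    """Serialise name=value[,name=value] and Base64 it, as RFC 6265 suggests."""
    raw = ",".join(f"{name}={value}" for name, value in pairs.items())
    # Standard Base64 emits only letters, digits, '+', '/' and trailing '=',
    # all of which are legal cookie-octets under RFC 6265, so no quoting is
    # needed and '=' can only ever appear as padding at the end.
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def is_legacy_format(value: str) -> bool:
    """True when '=' occurs anywhere other than as trailing Base64 padding."""
    return "=" in value.rstrip("=")


def parse_pairs(raw: str) -> dict:
    """Parse the legacy name=value[,name=value] layout (assumed format)."""
    pairs = {}
    for item in raw.split(","):
        if item:
            name, _, value = item.partition("=")
            pairs[name] = value
    return pairs


def decode_cookie_value(value: str) -> dict:
    """Accept both the old plain layout and the new Base64 layout.

    Decoding is not validation: whichever layout is detected, the pairs are
    still client-supplied and must be checked before use.
    """
    if is_legacy_format(value):
        return parse_pairs(value)
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Only trailing '=' (or none), yet not valid Base64/UTF-8: e.g. the
        # legacy single pair "a=" with an empty value. Treat it as legacy.
        return parse_pairs(value)
    return parse_pairs(raw)


if __name__ == "__main__":
    new_style = encode_cookie_value({"theme": "dark", "lang": "en"})
    print(new_style, decode_cookie_value(new_style))
    print(decode_cookie_value("theme=dark,lang=en"))  # legacy value still read
```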