| Summary: | Invalid V1 cookie generated if value contains separator and ALLOW_HTTP_SEPARATORS_IN_V0 is true | ||
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Jeremy Boynes <jboynes> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 8.0.x-trunk | ||
| Target Milestone: | ---- | ||
| Hardware: | All | ||
| OS: | All | ||
This has been fixed in 8.0.x for 8.0.15 onwards. |
If ALLOW_HTTP_SEPARATORS_IN_V0 is true, then setting a value for a V1 cookie containing a separator results in an invalid value per the V1 specification. For example, Cookie cookie = new Cookie("foo", "a=b"); cookie.setVersion(1); will create a header of the form: Set-Cookie: foo=a=b; Version=1 which is not a valid header per RFC2109. Because the version is specifically set to 1 the property should be ignored as this is not a V0 cookie. The result after auto-quoting would be Set-Cookie: foo="a=b"; Version=1 Alternatively this could result an IAE because the value «a=b» is not a token or quoted-string and hence not valid in a V1 cookie.