Skip to content

Commit

Permalink
[UNDERTOW-2342] CVE-2023-4639 ignore cookie with impropper quotes
Browse files Browse the repository at this point in the history
Signed-off-by: Flavia Rainone <[email protected]>
  • Loading branch information
baranowb authored and fl4via committed Feb 9, 2024
1 parent c96363d commit b6fa116
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions core/src/main/java/io/undertow/util/Cookies.java
Original file line number Diff line number Diff line change
Expand Up @@ -318,6 +318,9 @@ private static void parseCookie(final String cookie, final Set<Cookie> parsedCoo
cookieCount = createCookie(name, containsEscapedQuotes ? unescapeDoubleQuotes(cookie.substring(start, i)) : cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
state = 0;
start = i + 1;
} else if (c == ';' || (commaIsSeperator && c == ',')) {
state = 0;
start = i + 1;
}
// Skip the next double quote char '"' when it is escaped by backslash '\' (i.e. \") inside the quoted value
if (c == '\\' && (i + 1 < cookie.length()) && cookie.charAt(i + 1) == '"') {
Expand Down
15 changes: 15 additions & 0 deletions core/src/test/java/io/undertow/util/CookiesTestCase.java
Original file line number Diff line number Diff line change
Expand Up @@ -450,6 +450,21 @@ public void testSameSiteCookie() {
Assert.assertNull(cookie.getSameSiteMode());
}

@Test
public void testNoDoubleQuoteTermination() {
Map<String, Cookie> cookies = Cookies.parseRequestCookies(4, false, Arrays.asList("CUSTOMER=\"WILE_E_COYOTE\"; BAD=\"X; SHIPPING=FEDEX"), true);
Assert.assertEquals(2, cookies.size());
Cookie cookie = cookies.get("CUSTOMER");
Assert.assertEquals("CUSTOMER", cookie.getName());
Assert.assertEquals("WILE_E_COYOTE", cookie.getValue());
cookie = cookies.get("BAD");
Assert.assertNull(cookie);
cookie = cookies.get("SHIPPING");
Assert.assertEquals("SHIPPING", cookie.getName());
Assert.assertEquals("FEDEX", cookie.getValue());
Assert.assertNotNull(cookie);
}

// RFC6265 allows US-ASCII characters excluding CTLs, whitespace,
// double quote, comma, semicolon and backslash as cookie value.
// This does not change even if value is quoted.
Expand Down

0 comments on commit b6fa116

Please sign in to comment.