From a82cab7afdb1fc58830b1c415f1874d36b2c6c92 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Tue, 13 Sep 2016 10:27:51 -0400
Subject: [PATCH] Revert "Add support for colons in remember-me token values"

This reverts commit aceba1f1cf63625c00daaa0b05f30de0a5a7999d.
---
 .../AbstractRememberMeServices.java | 28 ++++++-------------
 .../AbstractRememberMeServicesTests.java | 4 +--
 2 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
index fd4824d492..56283d3990 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@@ -15,11 +15,7 @@
  */
 package org.springframework.security.web.authentication.rememberme;
-import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Method;
-import java.net.URLDecoder;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -230,14 +226,13 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER); - for (int i = 0; i < tokens.length; i++) { - try { - tokens[i] = URLDecoder.decode(tokens[i], StandardCharsets.UTF_8.name()); - } catch (UnsupportedEncodingException uee) { - throw new InvalidCookieException( - "Unable to decode Cookie token using UTF-8; value was '" + tokens[i] - + "'"); - } + if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) + && tokens[1].startsWith("//")) { + // Assume we've accidentally split a URL (OpenID identifier) + String[] newTokens = new String[tokens.length - 1]; + newTokens[0] = tokens[0] + ":" + tokens[1]; + System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1); + tokens = newTokens; } return tokens; @@ -252,13 +247,8 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, protected String encodeCookie(String[] cookieTokens) { StringBuilder sb = new StringBuilder(); for (int i = 0; i < cookieTokens.length; i++) { - try { - sb.append(URLEncoder.encode(cookieTokens[i], StandardCharsets.UTF_8.name())); - } catch (UnsupportedEncodingException uee) { - throw new InvalidCookieException( - "Unable to encode Cookie token using UTF-8; value was '" + cookieTokens[i] - + "'"); - } + sb.append(cookieTokens[i]); + if (i < cookieTokens.length - 1) { sb.append(DELIMITER); } diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java index 4a06f6f5f9..946335a009 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java 
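Review bot: The restored http/https re-join branch in decodeCookie reads `tokens[1]` without first checking `tokens.length > 1`, so a cookie whose decoded plaintext is exactly `http` or `https` would leave the method with an ArrayIndexOutOfBoundsException rather than the InvalidCookieException the rest of the method uses for malformed input; since the cookie value is client-supplied, the branch should be guarded, e.g. `if (tokens.length > 1 && (tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https")) && tokens[1].startsWith("//")) {`. The `tokens[0]` access on the same line presumably also needs `tokens` to be non-empty; whether an earlier check in decodeCookie already rejects an empty plaintext cannot be seen here, as the method starts above this hunk. Note also that the heuristic only repairs a URL in the first position, so any other token containing the delimiter is silently split into several tokens, which is the limitation this revert reinstates.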
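Review bot: With the URL-encoding removed, encodeCookie now appends each token verbatim between DELIMITER separators, so the requirement that no token may contain the delimiter becomes an implicit part of the contract and should be stated on the method; its Javadoc sits above `protected String encodeCookie(String[] cookieTokens) {` and is outside this hunk. I would add `@param cookieTokens the tokens to join; none may contain {@code DELIMITER}, because decodeCookie splits on it and performs no unescaping (the only exception is a leading http/https URL, which decodeCookie re-joins)`. A hard check that rejects tokens containing the delimiter would be simpler, but it would also break the URL case that decodeCookie deliberately repairs, so documentation is the safer fix here. The body of encodeCookie continues past the end of the hunk.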
@@ -88,7 +88,7 @@ public class AbstractRememberMeServicesTests {
 @Test
 public void cookieShouldBeCorrectlyEncodedAndDecoded() throws Exception {
- String[] cookie = new String[] { "name:with:colon", "cookie", "tokens", "blah" };
+ String[] cookie = new String[] { "name", "cookie", "tokens", "blah" };
 MockRememberMeServices services = new MockRememberMeServices(uds);
 String encoded = services.encodeCookie(cookie);
@@ -97,7 +97,7 @@ public class AbstractRememberMeServicesTests {
 String[] decoded = services.decodeCookie(encoded);
 assertThat(decoded.length).isEqualTo(4);
- assertThat(decoded[0]).isEqualTo("name:with:colon");
+ assertThat(decoded[0]).isEqualTo("name");
 assertThat(decoded[1]).isEqualTo("cookie");
 assertThat(decoded[2]).isEqualTo("tokens");
 assertThat(decoded[3]).isEqualTo("blah");
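Review bot: After the revert, cookieShouldBeCorrectlyEncodedAndDecoded only round-trips delimiter-free tokens, so the http/https re-join branch that decodeCookie regains in this commit has no coverage visible in either hunk of this file. Unless it is exercised elsewhere, a second case such as `String[] cookie = new String[] { "http://example.com/id", "cookie", "tokens" };` (constructed example) with an assertion that `decoded[0]` equals the full URL and `decoded.length` equals 3 would pin that behaviour and catch a regression in the bounds handling of that branch. Both hunks belong to the same test method, whose body continues between and after them.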