Add support for colons in remember-me token values

We have an issue where token strings that contain a colon break the existing decoding strategy, which tokenizes on colons. This change urlencodes the individual tokens when creating the cookie string; and urldecodes them decoding the cookie and extracting the tokens. This also eliminates the need for existing code to deal with openid tokens which contain urls, and thus colons. Fixes gh-3355
2016-01-11 13:16:55 -05:00 · 2016-01-11 13:16:55 -05:00 · aceba1f1cf
parent 37c6605062
commit aceba1f1cf
2 changed files with 21 additions and 11 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@ -15,7 +15,11 @@
 */
 package org.springframework.security.web.authentication.rememberme;

+import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Method;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;

 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@ -226,13 +230,14 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 		String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText,
 				DELIMITER);

-		if ((tokens[0].equalsIgnoreCase("http") || tokens[0].equalsIgnoreCase("https"))
-				&& tokens[1].startsWith("//")) {
-			// Assume we've accidentally split a URL (OpenID identifier)
-			String[] newTokens = new String[tokens.length - 1];
-			newTokens[0] = tokens[0] + ":" + tokens[1];
-			System.arraycopy(tokens, 2, newTokens, 1, newTokens.length - 1);
-			tokens = newTokens;
+		for (int i = 0; i < tokens.length; i++) {
+			try {
+				tokens[i] = URLDecoder.decode(tokens[i], StandardCharsets.UTF_8.name());
+			} catch (UnsupportedEncodingException uee) {
+				throw new InvalidCookieException(
+					"Unable to decode Cookie token using UTF-8; value was '" + tokens[i]
+						+ "'");
+			}
 		}

 		return tokens;
@ -247,8 +252,13 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 	protected String encodeCookie(String[] cookieTokens) {
 		StringBuilder sb = new StringBuilder();
 		for (int i = 0; i < cookieTokens.length; i++) {
-			sb.append(cookieTokens[i]);
-
+			try {
+				sb.append(URLEncoder.encode(cookieTokens[i], StandardCharsets.UTF_8.name()));
+			} catch (UnsupportedEncodingException uee) {
+				throw new InvalidCookieException(
+					"Unable to encode Cookie token using UTF-8; value was '" + cookieTokens[i]
+						+ "'");
+			}
 			if (i < cookieTokens.length - 1) {
 				sb.append(DELIMITER);
 			}
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@ -88,7 +88,7 @@ public class AbstractRememberMeServicesTests {

 	@Test
 	public void cookieShouldBeCorrectlyEncodedAndDecoded() throws Exception {
-		String[] cookie = new String[] { "name", "cookie", "tokens", "blah" };
+		String[] cookie = new String[] { "name:with:colon", "cookie", "tokens", "blah" };
 		MockRememberMeServices services = new MockRememberMeServices(uds);

 		String encoded = services.encodeCookie(cookie);
@ -97,7 +97,7 @@ public class AbstractRememberMeServicesTests {
 		String[] decoded = services.decodeCookie(encoded);

 		assertThat(decoded.length).isEqualTo(4);
-		assertThat(decoded[0]).isEqualTo("name");
+		assertThat(decoded[0]).isEqualTo("name:with:colon");
 		assertThat(decoded[1]).isEqualTo("cookie");
 		assertThat(decoded[2]).isEqualTo("tokens");
 		assertThat(decoded[3]).isEqualTo("blah");