Issue #3985 - Applying PR Review to CookieCutter

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2019-08-22 12:46:23 -05:00 · 2019-08-22 12:46:23 -05:00 · 318045cd87
parent c1c241349e
commit 318045cd87
2 changed files with 23 additions and 14 deletions
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java
@ -314,7 +314,7 @@ public class CookieCutter

                                if (_compliance == CookieCompliance.RFC6265)
                                {
-                                    if (isRFC6265RejectedCharacter(c))
+                                    if (isRFC6265RejectedCharacter(inQuoted, c))
                                    {
                                        reject = true;
                                    }
@ -368,7 +368,7 @@ public class CookieCutter

                                if (_compliance == CookieCompliance.RFC6265)
                                {
-                                    if (isRFC6265RejectedCharacter(c))
+                                    if (isRFC6265RejectedCharacter(inQuoted, c))
                                    {
                                        reject = true;
                                    }
@ -388,20 +388,29 @@ public class CookieCutter
        _lastCookies = _cookies;
    }

-    protected boolean isRFC6265RejectedCharacter(char c)
+    protected boolean isRFC6265RejectedCharacter(boolean inQuoted, char c)
    {
-        // We only reject if a Control Character is encountered
-        if (Character.isISOControl(c))
+        if (inQuoted)
        {
-            return true;
+            // We only reject if a Control Character is encountered
+            if (Character.isISOControl(c))
+            {
+                return true;
+            }
+        }
+        else
+        {
+            /* From RFC6265 - Section 4.1.1 - Syntax
+             *  cookie-octet  = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+             *                  ; US-ASCII characters excluding CTLs,
+             *                  ; whitespace DQUOTE, comma, semicolon,
+             *                  ; and backslash
+             */
+            return Character.isISOControl(c) || // control characters
+                c > 127 || // 8-bit characters
+                c == ',' || // comma
+                c == ';'; // semicolon
        }
-
-        /* TODO: Should we also reject for the complete list of invalid characters in RFC6265?
-         *
-         * US-ASCII characters excluding CTLs,
-         * whitespace DQUOTE, comma, semicolon,
-         * and backslash
-         */

        return false;
    }
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutter_LenientTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutter_LenientTest.java
@ -116,7 +116,7 @@ public class CookieCutter_LenientTest
            Arguments.of("x=\"abc\\", "x", "\"abc\\"),

            // UTF-8 raw values (not encoded) - VIOLATION of RFC6265
-            Arguments.of("2sides=\u262F", "2sides", "\u262f"), // 2 byte (YIN YANG)
+            Arguments.of("2sides=\u262F", null, null), // 2 byte (YIN YANG) - rejected due to not being DQUOTED
            Arguments.of("currency=\"\u20AC\"", "currency", "\u20AC"), // 3 byte (EURO SIGN)
            Arguments.of("gothic=\"\uD800\uDF48\"", "gothic", "\uD800\uDF48"), // 4 byte (GOTHIC LETTER HWAIR)