Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue #1546 - more leniency testcase 

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
This commit is contained in:
Joakim Erdfelt 2017-05-15 11:03:12 -07:00
parent c95d6796d6
commit c5a0c5e761
2 changed files with 42 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutterTest.java
View File

@ -138,10 +138,9 @@ public class CookieCutterTest
* Example from RFC2965 * Example from RFC2965
*/ */
@Test @Test
@Ignore @Ignore("comma separation no longer supported by RFC6265")
public void testRFC2965_CookieSpoofingExample() public void testRFC2965_CookieSpoofingExample()
{ {
// Ignored because comma separation no longer supported by RFC6265
String rawCookie = "$Version=\"1\"; session_id=\"1234\", " + String rawCookie = "$Version=\"1\"; session_id=\"1234\", " +
"$Version=\"1\"; session_id=\"1111\"; $Domain=\".cracker.edu\""; "$Version=\"1\"; session_id=\"1111\"; $Domain=\".cracker.edu\"";
@ -182,7 +181,7 @@ public class CookieCutterTest
} }
/** /**
* Basic key=value, following RFC6265 rules * Basic name=value, following RFC6265 rules
*/ */
@Test @Test
public void testKeyValue() public void testKeyValue()
@ -194,4 +193,21 @@ public class CookieCutterTest
assertThat("Cookies.length", cookies.length, is(1)); assertThat("Cookies.length", cookies.length, is(1));
assertCookie("Cookies[0]", cookies[0], "key", "value", 0, null); assertCookie("Cookies[0]", cookies[0], "key", "value", 0, null);
} }
/**
* Multiple name=value, heavy abuse, badly terminated quotes, lenient behavior test
*/
@Test
public void testMultiName_BadQuoteTerminate()
{
// TODO: this seems very hokey, and allowing this as 3 separate entries is probably a security issue.
String rawCookie = "a=\"b; $Path=/a; c=d; $PATH=/c; e=f\"; $Path=/e/";
Cookie cookies[] = parseCookieHeaders(rawCookie);
assertThat("Cookies.length", cookies.length, is(3));
assertCookie("Cookies[0]", cookies[0], "a", "\"b", 0, "/a");
assertCookie("Cookies[1]", cookies[1], "c", "d", 0, "/c");
assertCookie("Cookies[2]", cookies[2], "e", "f\"", 0, "/e/");
}
} }

24
jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutter_LenientTest.java
View File

@ -76,7 +76,7 @@ public class CookieCutter_LenientTest
ret.add(new String[]{"some-thing-else=to-parse", "some-thing-else", "to-parse"}); ret.add(new String[]{"some-thing-else=to-parse", "some-thing-else", "to-parse"});
// RFC2109 - names with attr/token syntax starting with '$' (and not a cookie reserved word) // RFC2109 - names with attr/token syntax starting with '$' (and not a cookie reserved word)
// See https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-5.2 // See https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-5.2
// Cannot pass names through as Cookie class does not allow them // Cannot pass names through as javax.servlet.http.Cookie class does not allow them
ret.add(new String[]{"$foo=bar", null, null}); ret.add(new String[]{"$foo=bar", null, null});
// Tests that conform to RFC6265 // Tests that conform to RFC6265
@ -95,11 +95,33 @@ public class CookieCutter_LenientTest
// Escaped quotes // Escaped quotes
ret.add(new String[]{"foo=\"bar\\\"=\\\"baz\"", "foo", "bar\"=\"baz"}); ret.add(new String[]{"foo=\"bar\\\"=\\\"baz\"", "foo", "bar\"=\"baz"});
// Unterminated Quotes
ret.add(new String[]{"x=\"abc", "x", "\"abc"});
// Unterminated Quotes with valid cookie params after it
ret.add(new String[]{"x=\"abc $Path=/", "x", "\"abc"});
// UTF-8 values // UTF-8 values
ret.add(new String[]{"2sides=\u262F", "2sides", "\u262f"}); // 2 byte ret.add(new String[]{"2sides=\u262F", "2sides", "\u262f"}); // 2 byte
ret.add(new String[]{"currency=\"\u20AC\"", "currency", "\u20AC"}); // 3 byte ret.add(new String[]{"currency=\"\u20AC\"", "currency", "\u20AC"}); // 3 byte
ret.add(new String[]{"gothic=\"\uD800\uDF48\"", "gothic", "\uD800\uDF48"}); // 4 byte ret.add(new String[]{"gothic=\"\uD800\uDF48\"", "gothic", "\uD800\uDF48"}); // 4 byte
// Spaces
ret.add(new String[]{"foo=bar baz", "foo", "bar baz"});
ret.add(new String[]{"foo=\"bar baz\"", "foo", "bar baz"});
ret.add(new String[]{"z=a b c d e f g", "z", "a b c d e f g"});
// Bad tspecials usage
ret.add(new String[]{"foo=bar;baz", "foo", "bar;baz"}); // TODO: not sure supporting this is sane
ret.add(new String[]{"foo=\"bar;baz\"", "foo", "bar;baz"});
ret.add(new String[]{"z=a;b,c:d;e/f[g]", "z", "a;b,c:d;e/f[g]"});
ret.add(new String[]{"z=\"a;b,c:d;e/f[g]\"", "z", "a;b,c:d;e/f[g]"});
// Quoted with other Cookie keywords
ret.add(new String[]{"x=\"$Version=0\"", "x", "$Version=0"});
ret.add(new String[]{"x=\"$Path=/\"", "x", "$Path=/"});
ret.add(new String[]{"x=\"$Path=/ $Domain=.foo.com\"", "x", "$Path=/ $Domain=.foo.com"});
ret.add(new String[]{"x=\" $Path=/ $Domain=.foo.com \"", "x", " $Path=/ $Domain=.foo.com "});
// Lots of equals signs // Lots of equals signs
ret.add(new String[]{"query=b=c&d=e", "query", "b=c&d=e"}); ret.add(new String[]{"query=b=c&d=e", "query", "b=c&d=e"});