SessionCookieConfig name may be null (#5557)

* SessionCookieConfig name may be null Protect against NPE by make a null name in SessionCookieConfig deactive session cookies. * SessionCookieConfig name may be null Protect against NPE by make a null name in SessionCookieConfig deactive session cookies. * SessionCookieConfig name may be null Protect against NPE by make a null name in SessionCookieConfig deactive session cookies. * feedback from review added static method to convert null name to default.
2020-11-03 16:22:26 +01:00 · 2020-11-03 16:22:26 +01:00 · f88f09a148
parent 69185bf31d
commit f88f09a148
2 changed files with 21 additions and 8 deletions
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionHandler.java
@ -46,6 +46,7 @@ import javax.servlet.http.HttpSessionListener;

 import org.eclipse.jetty.http.BadMessageException;
 import org.eclipse.jetty.http.HttpCookie;
+import org.eclipse.jetty.http.Syntax;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.SessionIdManager;
@ -662,7 +663,7 @@ public class SessionHandler extends ScopedHandler
            HttpCookie cookie = null;

            cookie = new HttpCookie(
-                _cookieConfig.getName(),
+                getSessionCookieName(_cookieConfig),
                id,
                _cookieConfig.getDomain(),
                sessionPath,
@ -1378,6 +1379,13 @@ public class SessionHandler extends ScopedHandler
        Session getSession();
    }

+    public static String getSessionCookieName(SessionCookieConfig config)
+    {
+        if (config == null || config.getName() == null)
+            return __DefaultSessionCookie;
+        return config.getName();
+    }
+
    /**
     * CookieConfig
     *
@ -1466,6 +1474,10 @@ public class SessionHandler extends ScopedHandler
        {
            if (_context != null && _context.getContextHandler().isAvailable())
                throw new IllegalStateException("CookieConfig cannot be set after ServletContext is started");
+            if ("".equals(name))
+                throw new IllegalArgumentException("Blank cookie name");
+            if (name != null)
+                Syntax.requireValidRFC2616Token(name, "Bad Session cookie name");
            _sessionCookie = name;
        }

@ -1645,18 +1657,18 @@ public class SessionHandler extends ScopedHandler
            Cookie[] cookies = request.getCookies();
            if (cookies != null && cookies.length > 0)
            {
-                final String sessionCookie = getSessionCookieConfig().getName();
-                for (int i = 0; i < cookies.length; i++)
+                final String sessionCookie = getSessionCookieName(getSessionCookieConfig());
+                for (Cookie cookie : cookies)
                {
-                    if (sessionCookie.equalsIgnoreCase(cookies[i].getName()))
+                    if (sessionCookie.equalsIgnoreCase(cookie.getName()))
                    {
-                        String id = cookies[i].getValue();
+                        String id = cookie.getValue();
                        requestedSessionIdFromCookie = true;
                        if (LOG.isDebugEnabled())
                            LOG.debug("Got Session ID {} from cookie {}", id, sessionCookie);

                        HttpSession s = getHttpSession(id);
-                        
+
                        if (requestedSessionId == null)
                        {
                            //no previous id, always accept this one
--- a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
+++ b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
@ -38,6 +38,7 @@ import org.eclipse.jetty.http.pathmap.ServletPathSpec;
 import org.eclipse.jetty.security.ConstraintAware;
 import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.authentication.FormAuthenticator;
+import org.eclipse.jetty.server.session.SessionHandler;
 import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
 import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.FilterMapping;
@ -732,7 +733,7 @@ public class StandardDescriptorProcessor extends IterativeDescriptorProcessor
                    case WebFragment:
                    {
                        //a web-fragment set the value, all web-fragments must have the same value
-                        if (!context.getSessionHandler().getSessionCookieConfig().getName().equals(name))
+                        if (!name.equals(SessionHandler.getSessionCookieName(context.getSessionHandler().getSessionCookieConfig())))
                            throw new IllegalStateException("Conflicting cookie-config name " + name + " in " + descriptor.getResource());
                        break;
                    }
@ -806,7 +807,7 @@ public class StandardDescriptorProcessor extends IterativeDescriptorProcessor
                    case WebFragment:
                    {
                        //a web-fragment set the value, all web-fragments must have the same value
-                        if (!context.getSessionHandler().getSessionCookieConfig().getPath().equals(path))
+                        if (!path.equals(context.getSessionHandler().getSessionCookieConfig().getPath()))
                            throw new IllegalStateException("Conflicting cookie-config path " + path + " in " + descriptor.getResource());
                        break;
                    }