SessionCookieConfig name may be null (#5557)

* SessionCookieConfig name may be null

Protect against NPE by making a null name in SessionCookieConfig deactivate session cookies.

* SessionCookieConfig name may be null

Protect against NPE by making a null name in SessionCookieConfig deactivate session cookies.

* SessionCookieConfig name may be null

Protect against NPE by making a null name in SessionCookieConfig deactivate session cookies.

* feedback from review

Added a static method to convert a null name to the default.
This commit is contained in:
Greg Wilkins 2020-11-03 16:22:26 +01:00 committed by GitHub
parent 69185bf31d
commit f88f09a148
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 8 deletions


@ -46,6 +46,7 @@ import javax.servlet.http.HttpSessionListener;
import org.eclipse.jetty.http.BadMessageException; import org.eclipse.jetty.http.BadMessageException;
import org.eclipse.jetty.http.HttpCookie; import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.http.Syntax;
import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SessionIdManager; import org.eclipse.jetty.server.SessionIdManager;
@ -662,7 +663,7 @@ public class SessionHandler extends ScopedHandler
HttpCookie cookie = null; HttpCookie cookie = null;
cookie = new HttpCookie( cookie = new HttpCookie(
_cookieConfig.getName(), getSessionCookieName(_cookieConfig),
id, id,
_cookieConfig.getDomain(), _cookieConfig.getDomain(),
sessionPath, sessionPath,
@ -1378,6 +1379,13 @@ public class SessionHandler extends ScopedHandler
Session getSession(); Session getSession();
} }
public static String getSessionCookieName(SessionCookieConfig config)
{
if (config == null || config.getName() == null)
return __DefaultSessionCookie;
return config.getName();
}
/** /**
* CookieConfig * CookieConfig
* *
@ -1466,6 +1474,10 @@ public class SessionHandler extends ScopedHandler
{ {
if (_context != null && _context.getContextHandler().isAvailable()) if (_context != null && _context.getContextHandler().isAvailable())
throw new IllegalStateException("CookieConfig cannot be set after ServletContext is started"); throw new IllegalStateException("CookieConfig cannot be set after ServletContext is started");
if ("".equals(name))
throw new IllegalArgumentException("Blank cookie name");
if (name != null)
Syntax.requireValidRFC2616Token(name, "Bad Session cookie name");
_sessionCookie = name; _sessionCookie = name;
} }
@ -1645,18 +1657,18 @@ public class SessionHandler extends ScopedHandler
Cookie[] cookies = request.getCookies(); Cookie[] cookies = request.getCookies();
if (cookies != null && cookies.length > 0) if (cookies != null && cookies.length > 0)
{ {
final String sessionCookie = getSessionCookieConfig().getName(); final String sessionCookie = getSessionCookieName(getSessionCookieConfig());
for (int i = 0; i < cookies.length; i++) for (Cookie cookie : cookies)
{ {
if (sessionCookie.equalsIgnoreCase(cookies[i].getName())) if (sessionCookie.equalsIgnoreCase(cookie.getName()))
{ {
String id = cookies[i].getValue(); String id = cookie.getValue();
requestedSessionIdFromCookie = true; requestedSessionIdFromCookie = true;
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Got Session ID {} from cookie {}", id, sessionCookie); LOG.debug("Got Session ID {} from cookie {}", id, sessionCookie);
HttpSession s = getHttpSession(id); HttpSession s = getHttpSession(id);
if (requestedSessionId == null) if (requestedSessionId == null)
{ {
//no previous id, always accept this one //no previous id, always accept this one
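Review bot: The new public `getSessionCookieName` (hunk at line 1379) has no Javadoc and reads `config.getName()` twice, so a name cleared on another thread between the null check and the return can still make it return null. Reading it once avoids that: `String name = config == null ? null : config.getName();` followed by `return name == null ? __DefaultSessionCookie : name;`. A Javadoc such as `/** Returns the configured session cookie name, or __DefaultSessionCookie when the config or its name is null. */` would also document that the final behaviour is a fallback to the default name, not the "deactivate session cookies" described in the commit message. The `setName` hunk at line 1474 rejects blank names and validates the rest as an RFC 2616 token before it reaches the Set-Cookie header, which is the right layer for that check; that method's signature lies above the hunk.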


@ -38,6 +38,7 @@ import org.eclipse.jetty.http.pathmap.ServletPathSpec;
import org.eclipse.jetty.security.ConstraintAware; import org.eclipse.jetty.security.ConstraintAware;
import org.eclipse.jetty.security.ConstraintMapping; import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.authentication.FormAuthenticator; import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler; import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.servlet.FilterHolder; import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.FilterMapping; import org.eclipse.jetty.servlet.FilterMapping;
@ -732,7 +733,7 @@ public class StandardDescriptorProcessor extends IterativeDescriptorProcessor
case WebFragment: case WebFragment:
{ {
//a web-fragment set the value, all web-fragments must have the same value //a web-fragment set the value, all web-fragments must have the same value
if (!context.getSessionHandler().getSessionCookieConfig().getName().equals(name)) if (!name.equals(SessionHandler.getSessionCookieName(context.getSessionHandler().getSessionCookieConfig())))
throw new IllegalStateException("Conflicting cookie-config name " + name + " in " + descriptor.getResource()); throw new IllegalStateException("Conflicting cookie-config name " + name + " in " + descriptor.getResource());
break; break;
} }
@ -806,7 +807,7 @@ public class StandardDescriptorProcessor extends IterativeDescriptorProcessor
case WebFragment: case WebFragment:
{ {
//a web-fragment set the value, all web-fragments must have the same value //a web-fragment set the value, all web-fragments must have the same value
if (!context.getSessionHandler().getSessionCookieConfig().getPath().equals(path)) if (!path.equals(context.getSessionHandler().getSessionCookieConfig().getPath()))
throw new IllegalStateException("Conflicting cookie-config path " + path + " in " + descriptor.getResource()); throw new IllegalStateException("Conflicting cookie-config path " + path + " in " + descriptor.getResource());
break; break;
} }
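Review bot: Flipping the comparison at line 736 to `name.equals(...)` removes the NPE on a null config name but moves it onto `name`; if the descriptor can supply a null `<name>` here, the `WebFragment` case now fails with NullPointerException instead of the intended IllegalStateException, and the same applies to `path.equals(...)` at line 810. `if (!Objects.equals(name, SessionHandler.getSessionCookieName(context.getSessionHandler().getSessionCookieConfig())))` (and likewise `Objects.equals(path, ...)` for the path) keeps both sides null-safe with `java.util.Objects` imported; whether `name` or `path` can actually be null at these points is not visible in the hunks. The enclosing switch and its method start and end outside both hunks.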