Fix #9468 Space in Cookie name

Added a violation to allow unquoted spaces in cookie values Signed-off-by: gregw <gregw@webtide.com>
jetty · Mar 7, 2023 · 3c0d6b8 · 3c0d6b8
1 parent 4d14641
commit 3c0d6b8
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 3 deletions.
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java b/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java
@@ -94,7 +94,12 @@ public enum Violation implements ComplianceViolation
         /**
          * Whitespace was found around the cookie name and/or around the cookie value.
          */
-        OPTIONAL_WHITE_SPACE("https://www.rfc-editor.org/rfc/rfc6265#section-5.2", "White space around name/value");
+        OPTIONAL_WHITE_SPACE("https://www.rfc-editor.org/rfc/rfc6265#section-5.2", "White space around name/value"),
+
+        /**
+         * Allow spaces within values without quotes.
+         */
+        SPACE_IN_VALUES("https://www.rfc-editor.org/rfc/rfc6265#section-5.2", "Space in value");
 
         private final String url;
         private final String description;
@@ -130,10 +135,11 @@ public String getDescription()
      * <ul>
      * <li>{@link Violation#INVALID_COOKIES}</li>
      * <li>{@link Violation#OPTIONAL_WHITE_SPACE}</li>
+     * <li>{@link Violation#SPACE_IN_VALUES}</li>
      * </ul>
      */
     public static final CookieCompliance RFC6265 = new CookieCompliance("RFC6265", of(
-        Violation.INVALID_COOKIES, Violation.OPTIONAL_WHITE_SPACE)
+        Violation.INVALID_COOKIES, Violation.OPTIONAL_WHITE_SPACE, Violation.SPACE_IN_VALUES)
     );
 
     /**

diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/RFC6265CookieParser.java b/jetty-http/src/main/java/org/eclipse/jetty/http/RFC6265CookieParser.java
@@ -26,6 +26,7 @@
 import static org.eclipse.jetty.http.CookieCompliance.Violation.ESCAPE_IN_QUOTES;
 import static org.eclipse.jetty.http.CookieCompliance.Violation.INVALID_COOKIES;
 import static org.eclipse.jetty.http.CookieCompliance.Violation.OPTIONAL_WHITE_SPACE;
+import static org.eclipse.jetty.http.CookieCompliance.Violation.SPACE_IN_VALUES;
 import static org.eclipse.jetty.http.CookieCompliance.Violation.SPECIAL_CHARS_IN_QUOTES;
 
 /**
@@ -53,6 +54,7 @@ private enum State
         AFTER_NAME,
         VALUE,
         IN_VALUE,
+        SPACE_IN_VALUE,
         IN_QUOTED_VALUE,
         ESCAPED_VALUE,
         AFTER_QUOTED_VALUE,
@@ -74,6 +76,7 @@ public void parseField(String field)
         String cookieComment = null;
         int cookieVersion = 0;
         boolean cookieInvalid = false;
+        int spaces = 0;
 
         int length = field.length();
         StringBuilder string = new StringBuilder();
@@ -220,7 +223,13 @@ else if (_complianceMode.allows(INVALID_COOKIES))
                     break;
 
                 case IN_VALUE:
-                    if (c == ';' || c == ',' || c == ' ' || c == '\t')
+                    if (c == ' ' && _complianceMode.allows(SPACE_IN_VALUES))
+                    {
+                        reportComplianceViolation(SPACE_IN_VALUES, field);
+                        spaces = 1;
+                        state = State.SPACE_IN_VALUE;
+                    }
+                    else if (c == ' ' || c == ';' || c == ',' || c == '\t')
                     {
                         value = string.toString();
                         i--;
@@ -241,6 +250,33 @@ else if (_complianceMode.allows(INVALID_COOKIES))
                     }
                     break;
 
+                case SPACE_IN_VALUE:
+                    if (c == ' ')
+                    {
+                        spaces++;
+                    }
+                    else if (c == ';' || c == ',' || c == '\t')
+                    {
+                        value = string.toString();
+                        i--;
+                        state = State.END;
+                    }
+                    else if (token.isRfc6265CookieOctet())
+                    {
+                        string.append(" ".repeat(spaces)).append(c);
+                        state = State.IN_VALUE;
+                    }
+                    else if (_complianceMode.allows(INVALID_COOKIES))
+                    {
+                        reportComplianceViolation(INVALID_COOKIES, field);
+                        state = State.INVALID_COOKIE;
+                    }
+                    else
+                    {
+                        throw new InvalidCookieException("Bad Cookie value");
+                    }
+                    break;
+
                 case IN_QUOTED_VALUE:
                     if (c == '"')
                     {

diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/RFC6265CookieParserLenientTest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/RFC6265CookieParserLenientTest.java
@@ -74,6 +74,8 @@ public static Stream<Arguments> data()
             Arguments.of("abc= \"x\" ", "abc", "x"),
             Arguments.of("abc= \"x\" ;", "abc", "x"),
             Arguments.of("abc= \"x\" ; ", "abc", "x"),
+            Arguments.of("abc = x y z ", "abc", "x y z"),
+            Arguments.of("abc = x  y  z ", "abc", "x  y  z"),
 
             // The backslash character ("\") may be used as a single-character quoting
             // mechanism only within quoted-string and comment constructs.