JBoss EAP 7 parses a request cookie incorrectly when a backslash-escaped double quote exists in the quoted cookie value

Solution Unverified

Issue

JBoss EAP 7 parses a request cookie incorrectly when a backslash-escaped double quote exists in the quoted cookie value.

For example, a quoted cookie value "example \"cookie\" value" is parsed incorrectly as example \. So, Cookie#getValue() returns the incorrect cookie value example \, but it should be example "cookie" value. Note that the correct value example "cookie" value is returned in JBoss EAP 6.x.

  • example.jsp
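<%
// getCookies() returns null when the request carries no cookies
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (Cookie cookie : cookies) {
        // Print each cookie exactly as the container parsed it
        out.println("cookie key = " + cookie.getName());
        out.println("cookie val = " + cookie.getValue());
    }
}
%>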
  • Send a request with a cookie whose quoted value contains a backslash-escaped double quote:
$ curl -v http://localhost:8080/test/example.jsp -H 'Cookie: EXAMPLECOOKIE="example \"cookie\" value"'
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> Cookie: EXAMPLECOOKIE="example \"cookie\" value"
> 
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: Undertow/1
< X-Powered-By: JSP/2.3
< Server: JBoss-EAP/7
< ....
< 
cookie key = EXAMPLECOOKIE
cookie val = example \
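
The two results described above can be reproduced outside the server with a small parser. This is an added example, not Undertow or JBoss EAP code; the class name QuotedCookieDemo and the honorEscapes switch are assumptions made for illustration. With the switch off, the first double quote closes the value, which models the truncated value in the output above; with it on, backslash-escaped characters are kept.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class QuotedCookieDemo {

    // Parses a Cookie header into name/value pairs. With honorEscapes=false the
    // first double quote closes a quoted value, even when a backslash precedes it.
    static Map<String, String> parse(String header, boolean honorEscapes) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            int eq = header.indexOf('=', i);
            if (eq < 0) break;
            String name = header.substring(i, eq).trim();
            StringBuilder value = new StringBuilder();
            i = eq + 1;
            if (i < n && header.charAt(i) == '"') {
                for (i++; i < n; i++) {
                    char c = header.charAt(i);
                    if (honorEscapes && c == '\\' && i + 1 < n) {
                        value.append(header.charAt(++i)); // quoted-pair: keep escaped char
                    } else if (c == '"') {
                        break;                            // closing quote
                    } else {
                        value.append(c);
                    }
                }
                // Anything between the closing quote and the next ';' is dropped
                int semi = header.indexOf(';', i);
                i = semi < 0 ? n : semi + 1;
            } else {
                // Unquoted value runs to the next ';' or the end of the header
                int semi = header.indexOf(';', i);
                value.append(header, i, semi < 0 ? n : semi);
                i = semi < 0 ? n : semi + 1;
            }
            cookies.put(name, value.toString());
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample: the Cookie header sent by the curl request above
        String header = "EXAMPLECOOKIE=\"example \\\"cookie\\\" value\"";
        System.out.println("first quote closes: " + parse(header, false));
        System.out.println("escapes honored:    " + parse(header, true));
    }
}
```

Running the same comparison against the cookie values an application actually accepts shows whether a proxy, WAF or second application server in the request path would read a different value than EAP 7 does.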

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.x
