JBoss EAP 7 parses a request cookie incorrectly when a backslash-escaped double quote exists in the quoted cookie value
Issue
JBoss EAP 7 parses a request cookie incorrectly when a backslash-escaped double quote exists in the quoted cookie value.
For example, the quoted cookie value "example \"cookie\" value" is parsed incorrectly as example \ . So, Cookie#getValue() returns the incorrect cookie value example \ , but it should be example "cookie" value . Note that the correct value example "cookie" value is returned in JBoss EAP 6.x.
- example.jsp
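<%
// Print the name and value of every cookie the container parsed from the request.
Cookie[] cookies = request.getCookies();
// getCookies() returns null when the request carries no cookies.
if (cookies != null) {
    for (Cookie cookie : cookies) {
        out.println("cookie key = " + cookie.getName());
        out.println("cookie val = " + cookie.getValue());
    }
}
%>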
- Send a request with a cookie whose quoted value contains a backslash-escaped double quote:
$ curl -v http://localhost:8080/test/example.jsp -H 'Cookie: EXAMPLECOOKIE="example \"cookie\" value"'
...
> GET /test/example.jsp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> Cookie: EXAMPLECOOKIE="example \"cookie\" value"
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: Undertow/1
< X-Powered-By: JSP/2.3
< Server: JBoss-EAP/7
< ....
<
cookie key = EXAMPLECOOKIE
cookie val = example \
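
The two values in this article correspond to two ways of reading the quoted string: ending it at the first double quote, or treating a backslash as an escape for the character that follows. The Java example below is added for illustration and is not Undertow or JBoss EAP source code; the class and method names are hypothetical, and the input is the cookie value from the curl request above.

```java
// Added example, not Undertow or JBoss EAP source code.
public class QuotedCookieValueDemo {

    // Naive reading: the value ends at the first double quote after the opening one.
    static String naiveValue(String raw) {
        if (raw.length() < 2 || raw.charAt(0) != '"') {
            return raw; // not a quoted value, return unchanged
        }
        int end = raw.indexOf('"', 1);
        return end < 0 ? raw.substring(1) : raw.substring(1, end);
    }

    // Escape-aware reading: a backslash makes the next character literal,
    // so \" does not terminate the quoted value.
    static String escapeAwareValue(String raw) {
        if (raw.length() < 2 || raw.charAt(0) != '"') {
            return raw; // not a quoted value, return unchanged
        }
        StringBuilder out = new StringBuilder();
        for (int i = 1; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length()) {
                out.append(raw.charAt(++i)); // keep the escaped character, drop the backslash
            } else if (c == '"') {
                break; // an unescaped quote closes the value
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Cookie value exactly as sent in the curl request above.
        String raw = "\"example \\\"cookie\\\" value\"";
        String naive = naiveValue(raw);
        String aware = escapeAwareValue(raw);
        System.out.println("naive        = " + naive);
        System.out.println("escape-aware = " + aware);
        // The naive result matches what the article reports for EAP 7,
        // the escape-aware result matches the value it says is expected.
        if (!naive.equals("example \\") || !aware.equals("example \"cookie\" value")) {
            throw new AssertionError("unexpected parse result");
        }
    }
}
```

When a proxy or filter in front of the application reads the same header with the other rule, the two components see different cookie values, so any check that depends on the cookie content should be made on the value the application itself receives from Cookie#getValue().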
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.x