代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/jetty 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From: Markus Koschany <apo@debian.org>
Date: Tue, 26 Sep 2023 23:42:03 +0200
Subject: CVE-2023-26049
Origin: https://github.com/eclipse/jetty.project/pull/9352
---
.../org/eclipse/jetty/http/CookieCompliance.java | 2 +-
.../org/eclipse/jetty/server/CookieCutter.java | 205 ++++++++++-----
.../org/eclipse/jetty/server/CookieCutterTest.java | 280 ++++++++++++++++-----
.../java/org/eclipse/jetty/server/RequestTest.java | 2 +
4 files changed, 361 insertions(+), 128 deletions(-)
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java b/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java
index b2d339c..d514c15 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/CookieCompliance.java
@@ -22,4 +22,4 @@ package org.eclipse.jetty.http;
* The compliance for Cookie handling.
*
*/
-public enum CookieCompliance { RFC6265, RFC2965 }
+public enum CookieCompliance { RFC6265, RFC2965, RFC6265_LEGACY }
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java b/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java
index 5dce1cf..e28d262 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java
@@ -107,23 +107,24 @@ public class CookieCutter
_lastCookies=null;
_fieldList.add(_fields++,f);
}
-
-
+
protected void parseFields()
{
- _lastCookies=null;
- _cookies=null;
-
+ _lastCookies = null;
+ _cookies = null;
+
List<Cookie> cookies = new ArrayList<>();
int version = 0;
// delete excess fields
- while (_fieldList.size()>_fields)
+ while (_fieldList.size() > _fields)
+ {
_fieldList.remove(_fields);
-
- StringBuilder unquoted=null;
-
+ }
+
+ StringBuilder unquoted = null;
+
// For each cookie field
for (String hdr : _fieldList)
{
@@ -132,25 +133,31 @@ public class CookieCutter
Cookie cookie = null;
- boolean invalue=false;
- boolean inQuoted=false;
- boolean quoted=false;
- boolean escaped=false;
- int tokenstart=-1;
- int tokenend=-1;
+ boolean invalue = false;
+ boolean inQuoted = false;
+ boolean quoted = false;
+ boolean escaped = false;
+ boolean reject = false;
+ int tokenstart = -1;
+ int tokenend = -1;
for (int i = 0, length = hdr.length(); i <= length; i++)
{
- char c = i==length?0:hdr.charAt(i);
-
- // System.err.printf("i=%d/%d c=%s v=%b q=%b/%b e=%b u=%s s=%d e=%d \t%s=%s%n" ,i,length,c==0?"|":(""+c),invalue,inQuoted,quoted,escaped,unquoted,tokenstart,tokenend,name,value);
-
+ char c = i == length ? 0 : hdr.charAt(i);
+
// Handle quoted values for name or value
if (inQuoted)
{
+ boolean eol = c == 0 && i == hdr.length();
+ if (!eol && _compliance != CookieCompliance.RFC2965 && isRFC6265RejectedCharacter(inQuoted, c))
+ {
+ reject = true;
+ continue;
+ }
+
if (escaped)
{
- escaped=false;
- if (c>0)
+ escaped = false;
+ if (c > 0)
unquoted.append(c);
else
{
@@ -160,7 +167,7 @@ public class CookieCutter
}
continue;
}
-
+
switch (c)
{
case '"':
@@ -175,15 +182,24 @@ public class CookieCutter
continue;
case 0:
- // unterminated quote, let's ignore quotes
+ // unterminated quote
+ if (_compliance == CookieCompliance.RFC6265)
+ continue;
+ // let's ignore quotes
unquoted.setLength(0);
inQuoted = false;
i--;
continue;
-
+
+ case ';':
+ if (_compliance == CookieCompliance.RFC6265)
+ reject = true;
+ else
+ unquoted.append(c);
+ continue;
+
default:
unquoted.append(c);
- continue;
}
}
else
@@ -191,7 +207,14 @@ public class CookieCutter
// Handle name and value state machines
if (invalue)
{
- // parse the value
+ boolean eol = c == 0 && i == hdr.length();
+ if (!eol && _compliance == CookieCompliance.RFC6265 && isRFC6265RejectedCharacter(inQuoted, c))
+ {
+ reject = true;
+ continue;
+ }
+
+ // parse the cookie-value
switch (c)
{
case ' ':
@@ -199,19 +222,19 @@ public class CookieCutter
break;
case ',':
- if (_compliance!=CookieCompliance.RFC2965)
+ if (_compliance != CookieCompliance.RFC2965)
{
if (quoted)
{
// must have been a bad internal quote. let's fix as best we can
- unquoted.append(hdr,tokenstart,i--);
+ unquoted.append(hdr, tokenstart, i--);
inQuoted = true;
quoted = false;
continue;
}
- if (tokenstart<0)
+ if (tokenstart < 0)
tokenstart = i;
- tokenend=i;
+ tokenend = i;
continue;
}
// fall through
@@ -226,8 +249,8 @@ public class CookieCutter
unquoted.setLength(0);
quoted = false;
}
- else if(tokenstart>=0)
- value = tokenend>=tokenstart?hdr.substring(tokenstart, tokenend+1):hdr.substring(tokenstart);
+ else if (tokenstart >= 0)
+ value = tokenend >= tokenstart ? hdr.substring(tokenstart, tokenend + 1) : hdr.substring(tokenstart);
else
value = "";
@@ -235,22 +258,22 @@ public class CookieCutter
{
if (name.startsWith("$"))
{
- if (_compliance==CookieCompliance.RFC2965)
+ if (_compliance == CookieCompliance.RFC2965)
{
String lowercaseName = name.toLowerCase(Locale.ENGLISH);
- switch(lowercaseName)
+ switch (lowercaseName)
{
case "$path":
- if (cookie!=null)
+ if (cookie != null)
cookie.setPath(value);
break;
case "$domain":
- if (cookie!=null)
+ if (cookie != null)
cookie.setDomain(value);
break;
case "$port":
- if (cookie!=null)
- cookie.setComment("$port="+value);
+ if (cookie != null)
+ cookie.setComment("$port=" + value);
break;
case "$version":
version = Integer.parseInt(value);
@@ -265,7 +288,10 @@ public class CookieCutter
cookie = new Cookie(name, value);
if (version > 0)
cookie.setVersion(version);
- cookies.add(cookie);
+ if (!reject)
+ {
+ cookies.add(cookie);
+ }
}
}
catch (Exception e)
@@ -275,46 +301,68 @@ public class CookieCutter
name = null;
tokenstart = -1;
- invalue=false;
+ invalue = false;
+ reject = false;
break;
}
case '"':
- if (tokenstart<0)
+ if (tokenstart < 0)
{
- tokenstart=i;
- inQuoted=true;
- if (unquoted==null)
- unquoted=new StringBuilder();
+ tokenstart = i;
+ inQuoted = true;
+ if (unquoted == null)
+ unquoted = new StringBuilder();
break;
}
+ else if (_compliance == CookieCompliance.RFC6265)
+ {
+ reject = true;
+ continue;
+ }
// fall through to default case
default:
+ if (_compliance == CookieCompliance.RFC6265 && quoted)
+ {
+ reject = true;
+ continue;
+ }
+
if (quoted)
{
// must have been a bad internal quote. let's fix as best we can
- unquoted.append(hdr,tokenstart,i--);
+ unquoted.append(hdr, tokenstart, i--);
inQuoted = true;
quoted = false;
continue;
}
- if (tokenstart<0)
+
+ if (_compliance == CookieCompliance.RFC6265_LEGACY && isRFC6265RejectedCharacter(inQuoted, c))
+ reject = true;
+
+ if (tokenstart < 0)
tokenstart = i;
- tokenend=i;
- continue;
+ tokenend = i;
}
}
else
{
- // parse the name
+ // parse the cookie-name
switch (c)
{
case ' ':
case '\t':
continue;
+ case ';':
+ // a cookie terminated with no '=' sign.
+ tokenstart = -1;
+ invalue = false;
+ reject = false;
+ continue;
+
case '=':
if (quoted)
{
@@ -322,8 +370,8 @@ public class CookieCutter
unquoted.setLength(0);
quoted = false;
}
- else if(tokenstart>=0)
- name = tokenend>=tokenstart?hdr.substring(tokenstart, tokenend+1):hdr.substring(tokenstart);
+ else if (tokenstart >= 0)
+ name = tokenend >= tokenstart ? hdr.substring(tokenstart, tokenend + 1) : hdr.substring(tokenstart);
tokenstart = -1;
invalue = true;
@@ -333,14 +381,18 @@ public class CookieCutter
if (quoted)
{
// must have been a bad internal quote. let's fix as best we can
- unquoted.append(hdr,tokenstart,i--);
+ unquoted.append(hdr, tokenstart, i--);
inQuoted = true;
quoted = false;
continue;
}
- if (tokenstart<0)
- tokenstart=i;
- tokenend=i;
+
+ if (_compliance != CookieCompliance.RFC2965 && isRFC6265RejectedCharacter(inQuoted, c))
+ reject = true;
+
+ if (tokenstart < 0)
+ tokenstart = i;
+ tokenend = i;
continue;
}
}
@@ -348,8 +400,45 @@ public class CookieCutter
}
}
- _cookies = (Cookie[]) cookies.toArray(new Cookie[cookies.size()]);
- _lastCookies=_cookies;
+ _cookies = cookies.toArray(new Cookie[0]);
+ _lastCookies = _cookies;
+ }
+
+
+ protected boolean isRFC6265RejectedCharacter(boolean inQuoted, char c)
+ {
+ // LEGACY test
+ if (_compliance == CookieCompliance.RFC6265_LEGACY)
+ {
+ if (inQuoted)
+ {
+ // We only reject if a Control Character is encountered
+ if (Character.isISOControl(c))
+ return true;
+ }
+ else
+ {
+ return Character.isISOControl(c) || // control characters
+ c > 127 || // 8-bit characters
+ c == ',' || // comma
+ c == ';'; // semicolon
+ }
+ return false;
+ }
+
+ /* From RFC6265 - Section 4.1.1 - Syntax
+ * cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+ * ; US-ASCII characters excluding CTLs,
+ * ; whitespace DQUOTE, comma, semicolon,
+ * ; and backslash
+ *
+ * Note: DQUOTE and semicolon are used as separator by the parser,
+ * so we can consider them authorized.
+ */
+ return c > 127 || // 8-bit characters
+ Character.isISOControl(c) || // control characters
+ c == ',' || // comma
+ c == '\\'; // backslash
}
}
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutterTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutterTest.java
index ec534a1..3e84ce6 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutterTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/CookieCutterTest.java
@@ -1,6 +1,6 @@
//
// ========================================================================
-// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
+// Copyright (c) 1995-2022 Mort Bay Consulting Pty Ltd and others.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
@@ -18,18 +18,21 @@
package org.eclipse.jetty.server;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-
+import java.util.Arrays;
+import java.util.List;
import javax.servlet.http.Cookie;
import org.eclipse.jetty.http.CookieCompliance;
-import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
public class CookieCutterTest
{
- private Cookie[] parseCookieHeaders(CookieCompliance compliance,String... headers)
+ private Cookie[] parseCookieHeaders(CookieCompliance compliance, String... headers)
{
CookieCutter cutter = new CookieCutter(compliance);
for (String header : headers)
@@ -38,7 +41,7 @@ public class CookieCutterTest
}
return cutter.getCookies();
}
-
+
private void assertCookie(String prefix, Cookie cookie,
String expectedName,
String expectedValue,
@@ -50,142 +53,174 @@ public class CookieCutterTest
assertThat(prefix + ".version", cookie.getVersion(), is(expectedVersion));
assertThat(prefix + ".path", cookie.getPath(), is(expectedPath));
}
-
+
/**
* Example from RFC2109 and RFC2965
*/
@Test
- public void testRFC_Single()
+ public void testRFCSingle()
{
String rawCookie = "$Version=\"1\"; Customer=\"WILE_E_COYOTE\"; $Path=\"/acme\"";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
-
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(1));
assertCookie("Cookies[0]", cookies[0], "Customer", "WILE_E_COYOTE", 1, "/acme");
}
-
+
+ /**
+ * Example from RFC2109 and RFC2965.
+ * <p>
+ * Lenient parsing, input has no spaces after ';' token.
+ * </p>
+ */
+ @Test
+ public void testRFCSingleLenientNoSpaces()
+ {
+ String rawCookie = "$Version=\"1\";Customer=\"WILE_E_COYOTE\";$Path=\"/acme\"";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
+ assertThat("Cookies.length", cookies.length, is(1));
+ assertCookie("Cookies[0]", cookies[0], "Customer", "WILE_E_COYOTE", 1, "/acme");
+ }
+
/**
* Example from RFC2109 and RFC2965
*/
@Test
- public void testRFC_Double()
+ public void testRFCDouble()
{
String rawCookie = "$Version=\"1\"; " +
- "Customer=\"WILE_E_COYOTE\"; $Path=\"/acme\"; " +
- "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
-
+ "Customer=\"WILE_E_COYOTE\"; $Path=\"/acme\"; " +
+ "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(2));
assertCookie("Cookies[0]", cookies[0], "Customer", "WILE_E_COYOTE", 1, "/acme");
assertCookie("Cookies[1]", cookies[1], "Part_Number", "Rocket_Launcher_0001", 1, "/acme");
}
-
+
/**
* Example from RFC2109 and RFC2965
*/
@Test
- public void testRFC_Triple()
+ public void testRFCTriple()
{
String rawCookie = "$Version=\"1\"; " +
- "Customer=\"WILE_E_COYOTE\"; $Path=\"/acme\"; " +
- "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"; " +
- "Shipping=\"FedEx\"; $Path=\"/acme\"";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
-
+ "Customer=\"WILE_E_COYOTE\"; $Path=\"/acme\"; " +
+ "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"; " +
+ "Shipping=\"FedEx\"; $Path=\"/acme\"";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(3));
assertCookie("Cookies[0]", cookies[0], "Customer", "WILE_E_COYOTE", 1, "/acme");
assertCookie("Cookies[1]", cookies[1], "Part_Number", "Rocket_Launcher_0001", 1, "/acme");
assertCookie("Cookies[2]", cookies[2], "Shipping", "FedEx", 1, "/acme");
}
-
+
/**
* Example from RFC2109 and RFC2965
*/
@Test
- public void testRFC_PathExample()
+ public void testRFCPathExample()
{
String rawCookie = "$Version=\"1\"; " +
- "Part_Number=\"Riding_Rocket_0023\"; $Path=\"/acme/ammo\"; " +
- "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
-
+ "Part_Number=\"Riding_Rocket_0023\"; $Path=\"/acme/ammo\"; " +
+ "Part_Number=\"Rocket_Launcher_0001\"; $Path=\"/acme\"";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(2));
assertCookie("Cookies[0]", cookies[0], "Part_Number", "Riding_Rocket_0023", 1, "/acme/ammo");
assertCookie("Cookies[1]", cookies[1], "Part_Number", "Rocket_Launcher_0001", 1, "/acme");
}
-
+
/**
* Example from RFC2109
*/
@Test
- public void testRFC2109_CookieSpoofingExample()
+ public void testRFC2109CookieSpoofingExample()
{
String rawCookie = "$Version=\"1\"; " +
- "session_id=\"1234\"; " +
- "session_id=\"1111\"; $Domain=\".cracker.edu\"";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
-
+ "session_id=\"1234\"; " +
+ "session_id=\"1111\"; $Domain=\".cracker.edu\"";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(2));
assertCookie("Cookies[0]", cookies[0], "session_id", "1234", 1, null);
assertCookie("Cookies[1]", cookies[1], "session_id", "1111", 1, null);
}
-
+
/**
* Example from RFC2965
*/
@Test
- public void testRFC2965_CookieSpoofingExample()
+ public void testRFC2965CookieSpoofingExample()
{
String rawCookie = "$Version=\"1\"; session_id=\"1234\", " +
- "$Version=\"1\"; session_id=\"1111\"; $Domain=\".cracker.edu\"";
-
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC2965,rawCookie);
+ "$Version=\"1\"; session_id=\"1111\"; $Domain=\".cracker.edu\"";
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC2965, rawCookie);
assertThat("Cookies.length", cookies.length, is(2));
assertCookie("Cookies[0]", cookies[0], "session_id", "1234", 1, null);
assertCookie("Cookies[1]", cookies[1], "session_id", "1111", 1, null);
- cookies = parseCookieHeaders(CookieCompliance.RFC6265,rawCookie);
- assertThat("Cookies.length", cookies.length, is(2));
- assertCookie("Cookies[0]", cookies[0], "session_id", "1234\", $Version=\"1", 0, null);
- assertCookie("Cookies[1]", cookies[1], "session_id", "1111", 0, null);
+ cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+ assertThat("Cookies.length", cookies.length, is(1));
+ assertCookie("Cookies[0]", cookies[0], "session_id", "1111", 0, null);
}
-
+
/**
* Example from RFC6265
*/
@Test
- public void testRFC6265_SidExample()
+ public void testRFC6265SidExample()
{
String rawCookie = "SID=31d4d96e407aad42";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC6265,rawCookie);
-
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(1));
assertCookie("Cookies[0]", cookies[0], "SID", "31d4d96e407aad42", 0, null);
}
-
+
/**
* Example from RFC6265
*/
@Test
- public void testRFC6265_SidLangExample()
+ public void testRFC6265SidLangExample()
{
String rawCookie = "SID=31d4d96e407aad42; lang=en-US";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC6265,rawCookie);
-
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
+ assertThat("Cookies.length", cookies.length, is(2));
+ assertCookie("Cookies[0]", cookies[0], "SID", "31d4d96e407aad42", 0, null);
+ assertCookie("Cookies[1]", cookies[1], "lang", "en-US", 0, null);
+ }
+
+ /**
+ * Example from RFC6265.
+ * <p>
+ * Lenient parsing, input has no spaces after ';' token.
+ * </p>
+ */
+ @Test
+ public void testRFC6265SidLangExampleLenient()
+ {
+ String rawCookie = "SID=31d4d96e407aad42;lang=en-US";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(2));
assertCookie("Cookies[0]", cookies[0], "SID", "31d4d96e407aad42", 0, null);
assertCookie("Cookies[1]", cookies[1], "lang", "en-US", 0, null);
}
-
+
/**
* Basic name=value, following RFC6265 rules
*/
@@ -193,13 +228,13 @@ public class CookieCutterTest
public void testKeyValue()
{
String rawCookie = "key=value";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC6265,rawCookie);
-
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(1));
assertCookie("Cookies[0]", cookies[0], "key", "value", 0, null);
}
-
+
/**
* Basic name=value, following RFC6265 rules
*/
@@ -207,9 +242,116 @@ public class CookieCutterTest
public void testDollarName()
{
String rawCookie = "$key=value";
-
- Cookie cookies[] = parseCookieHeaders(CookieCompliance.RFC6265,rawCookie);
-
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
assertThat("Cookies.length", cookies.length, is(0));
}
+
+ @Test
+ public void testMultipleCookies()
+ {
+ String rawCookie = "testcookie; server.id=abcd; server.detail=cfg";
+
+ // The first cookie "testcookie" should be ignored, per RFC6265, as it's missing the "=" sign.
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
+ assertThat("Cookies.length", cookies.length, is(2));
+ assertCookie("Cookies[0]", cookies[0], "server.id", "abcd", 0, null);
+ assertCookie("Cookies[1]", cookies[1], "server.detail", "cfg", 0, null);
+ }
+
+ @Test
+ public void testExcessiveSemicolons()
+ {
+ char[] excessive = new char[65535];
+ Arrays.fill(excessive, ';');
+ String rawCookie = "foo=bar; " + new String(excessive) + "; xyz=pdq";
+
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, rawCookie);
+
+ assertThat("Cookies.length", cookies.length, is(2));
+ assertCookie("Cookies[0]", cookies[0], "foo", "bar", 0, null);
+ assertCookie("Cookies[1]", cookies[1], "xyz", "pdq", 0, null);
+ }
+
+ @ParameterizedTest
+ @MethodSource("rfc6265Cookies")
+ public void testRFC6265CookieParsing(Param param)
+ {
+ Cookie[] cookies = parseCookieHeaders(CookieCompliance.RFC6265, param.input);
+
+ assertThat("Cookies.length (" + dump(cookies) + ")", cookies.length, is(param.expected.size()));
+ for (int i = 0; i < cookies.length; i++)
+ {
+ Cookie cookie = cookies[i];
+ assertThat("Cookies[" + i + "] (" + dump(cookies) + ")", cookie.getName() + "=" + cookie.getValue(), is(param.expected.get(i)));
+ }
+ }
+
+ public static List<Param> rfc6265Cookies()
+ {
+ return Arrays.asList(
+ new Param("A=1; B=2; C=3", "A=1", "B=2", "C=3"),
+ new Param("A=\"1\"; B=2; C=3", "A=1", "B=2", "C=3"),
+ new Param("A=\"1\"; B=\"2\"; C=\"3\"", "A=1", "B=2", "C=3"),
+ new Param("A=1; B=2; C=\"3", "A=1", "B=2"),
+ new Param("A=1 ; B=2; C=3", "A=1", "B=2", "C=3"),
+ new Param("A= 1; B=2; C=3", "A=1", "B=2", "C=3"),
+ new Param("A=\"1; B=2\"; C=3", "C=3"),
+ new Param("A=\"1; B=2; C=3"),
+ new Param("A=\"1 B=2\"; C=3", "A=1 B=2", "C=3"),
+ new Param("A=\"\"1; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\"\" ; B=2; C=3", "A=", "B=2", "C=3"),
+ new Param("A=\"\"; B=2; C=3", "A=", "B=2", "C=3"),
+ new Param("A=1\"\"; B=2; C=3", "B=2", "C=3"),
+ new Param("A=1\"; B=2; C=3", "B=2", "C=3"),
+ new Param("A=1\"1; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\" 1\"; B=2; C=3", "A= 1", "B=2", "C=3"),
+ new Param("A=\"1 \"; B=2; C=3", "A=1 ", "B=2", "C=3"),
+ new Param("A=\" 1 \"; B=2; C=3", "A= 1 ", "B=2", "C=3"),
+ new Param("A=\" 1 1 \"; B=2; C=3", "A= 1 1 ", "B=2", "C=3"),
+ new Param("A=1,; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\"1,\"; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\\1; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\"\\1\"; B=2; C=3", "B=2", "C=3"),
+ new Param("A=1\u0007; B=2; C=3", "B=2", "C=3"),
+ new Param("A=\"1\u0007\"; B=2; C=3", "B=2", "C=3"),
+ new Param("€"),
+ new Param("@={}"),
+ new Param("$X=Y; N=V", "N=V"),
+ new Param("N=V; $X=Y", "N=V")
+ );
+ }
+
+ private static String dump(Cookie[] cookies)
+ {
+ StringBuilder sb = new StringBuilder();
+ for (Cookie cookie : cookies)
+ {
+ sb.append("<").append(cookie.getName()).append(">=<").append(cookie.getValue()).append("> | ");
+ }
+ if (sb.length() > 0)
+ sb.delete(sb.length() - 2, sb.length() - 1);
+ return sb.toString();
+ }
+
+ private static class Param
+ {
+ private final String input;
+ private final List<String> expected;
+
+ public Param(String input, String... expected)
+ {
+ this.input = input;
+ this.expected = Arrays.asList(expected);
+ }
+
+ @Override
+ public String toString()
+ {
+ return input + " -> " + expected.toString();
+ }
+ }
}
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java
index 425a9ae..f119864 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java
@@ -61,6 +61,7 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;
import org.eclipse.jetty.http.BadMessageException;
+import org.eclipse.jetty.http.CookieCompliance;
import org.eclipse.jetty.http.HttpCompliance;
import org.eclipse.jetty.http.HttpTester;
import org.eclipse.jetty.http.MimeTypes;
@@ -97,6 +98,7 @@ public class RequestTest
http.getHttpConfiguration().setRequestHeaderSize(512);
http.getHttpConfiguration().setResponseHeaderSize(512);
http.getHttpConfiguration().setOutputBufferSize(2048);
+ http.getHttpConfiguration().setRequestCookieCompliance(CookieCompliance.RFC6265_LEGACY);
http.getHttpConfiguration().addCustomizer(new ForwardedRequestCustomizer());
_connector = new LocalConnector(_server,http);
_server.addConnector(_connector);
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手