
Reputation: 21

Tomcat can't handle request with encoded chars in cookie

I'm using Tomcat 8 as a servlet container. One of my experiments gives an interesting result.

I used the "EditThisCookie" Chrome extension to add a cookie with Russian text (UTF-8). The request looks like:

GET / HTTP/1.1
Host: localhost
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.17 (KHTML, like Gecko) Chrome/33.0.2045.89 Safari/536.17
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: test=ТеÑÑ

The server returns a 500 error with a blank page.

In catalina.log:

java.lang.IllegalArgumentException: Control character in cookie value or attribute.
    at org.apache.tomcat.util.http.LegacyCookieProcessor.isV0Separator(LegacyCookieProcessor.java:748)
    at org.apache.tomcat.util.http.LegacyCookieProcessor.processCookieHeader(LegacyCookieProcessor.java:545)
    at org.apache.tomcat.util.http.LegacyCookieProcessor.parseCookieHeader(LegacyCookieProcessor.java:273)
    at org.apache.catalina.connector.Request.parseCookies(Request.java:2949)
    at org.apache.catalina.connector.Request.getServerCookies(Request.java:2004)
    at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:1205)
    at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:916)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:513)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2463)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2452)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)

Does this mean that any stored XSS, a "bad browser extension", etc. can lead to a denial of service?

Upvotes: 1

Views: 2170

Answers (1)

Ramesh PVK

Reputation: 15446

By default Tomcat does not read Unicode values. You have to explicitly set the URIEncoding attribute to UTF-8. You can configure that in /conf/server.xml under the <Connector> element.

Reference: Tomcat configuration

Upvotes: 1
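The following is an added example, not code from the question, the answer, or Tomcat itself. It reproduces what the legacy cookie parser sees when a browser sends the raw UTF-8 bytes of "Тест" (the sample header is constructed from the question), and shows the portable fix: percent-encode the value wherever the cookie is set so that only RFC 6265 cookie-octets reach the server. Assumption, labelled in the code: Tomcat reads the Cookie header one byte per char (ISO-8859-1) and LegacyCookieProcessor.isV0Separator rejects any char below 0x20 or at or above 0x7F, TAB excepted, with the "Control character in cookie value or attribute." message; that range is recalled from the Tomcat 7/8.0 source and is not quoted on this page.

```python
"""Why a raw UTF-8 cookie value trips Tomcat's LegacyCookieProcessor, and a
portable way to carry non-ASCII text in a cookie.

Added example, not code from the question, the answer or Tomcat.
Assumption: Tomcat decodes the Cookie header one byte per char (ISO-8859-1)
and the legacy isV0Separator check rejects any char < 0x20 or >= 0x7F
(TAB excepted). The range is recalled from the Tomcat 7/8.0 source.
"""
import unicodedata
from urllib.parse import quote, unquote

# Constructed sample: the header from the question, value "Тест" (Russian "test").
SAMPLE_COOKIE_HEADER = "test=Тест"


def legacy_cookie_offenders(header_value: str):
    """Return (offset, byte, is_control) for every byte of the wire form of
    header_value that the assumed legacy check would reject.

    is_control is True for genuine control characters (Unicode category Cc:
    0x00-0x1F and 0x7F-0x9F). The check also rejects ordinary high bytes such
    as 0xD0, so any non-ASCII cookie value is enough to fail the request."""
    wire = header_value.encode("utf-8")       # bytes exactly as the browser sends them
    as_seen = wire.decode("iso-8859-1")       # what Tomcat sees: one char per byte
    offenders = []
    for offset, ch in enumerate(as_seen):
        code = ord(ch)
        if (code < 0x20 or code >= 0x7F) and ch != "\t":
            offenders.append((offset, code, unicodedata.category(ch) == "Cc"))
    return offenders


def is_rfc6265_cookie_value(value: str) -> bool:
    """True if every octet is a cookie-octet per RFC 6265 section 4.1.1:
    0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B, 0x5D-0x7E. That excludes CTLs,
    space, DQUOTE, comma, semicolon, backslash and everything above ASCII."""
    for b in value.encode("utf-8"):
        if not (b == 0x21 or 0x23 <= b <= 0x2B or 0x2D <= b <= 0x3A
                or 0x3C <= b <= 0x5B or 0x5D <= b <= 0x7E):
            return False
    return True


def encode_cookie_value(text: str) -> str:
    """Percent-encode the value so it consists only of cookie-octets. Apply this
    wherever the cookie is set: Set-Cookie on the server, or document.cookie /
    a browser extension on the client."""
    return quote(text, safe="")


def decode_cookie_value(value: str) -> str:
    """Inverse of encode_cookie_value, for the servlet after getCookies()."""
    return unquote(value, encoding="utf-8", errors="strict")


if __name__ == "__main__":
    for offset, byte, ctl in legacy_cookie_offenders(SAMPLE_COOKIE_HEADER):
        print(f"offset {offset}: 0x{byte:02X} {'control char' if ctl else 'high byte'}")
    safe_header = "test=" + encode_cookie_value("Тест")
    print(safe_header, is_rfc6265_cookie_value(safe_header.split("=", 1)[1]),
          legacy_cookie_offenders(safe_header) == [])
    print(decode_cookie_value(safe_header.split("=", 1)[1]))
```

Two practitioner caveats. First, the stack trace in the question shows the failure inside CoyoteAdapter.postParseRequest, before any servlet runs, so the application cannot catch it; the browser holding the poisoned cookie gets a 500 on every request until the cookie is cleared, while other clients are unaffected. Second, the Connector's URIEncoding attribute governs how Tomcat decodes the bytes of the request URI, not the Cookie header, so percent-encoding the value is the change that actually removes the offending octets; Tomcat 8.0.15 and later also ship org.apache.tomcat.util.http.Rfc6265CookieProcessor, selectable per context with a CookieProcessor element in context.xml, if you prefer to change the parser rather than the cookie.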
