Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jetty 9.4.51: org.eclipse.jetty.http.HttpCookie.getSetCookie does not handle RFC6265_LEGACY #9717

Closed
atennapel opened this issue May 1, 2023 · 4 comments
Closed

Jetty 9.4.51: org.eclipse.jetty.http.HttpCookie.getSetCookie does not handle RFC6265_LEGACY #9717

atennapel opened this issue May 1, 2023 · 4 comments
Labels
End-of-Life release Question

Comments

@atennapel
Copy link

atennapel commented May 1, 2023
edited
Loading

Jetty version(s)

9.4.51

Description

org.eclipse.jetty.http.HttpCookie.getSetCookie does not handle RFC6265_LEGACY and will result in IllegalStateException.

How to reproduce?

Set

http.getHttpConfiguration().setRequestCookieCompliance(CookieCompliance.RFC6265_LEGACY);
http.getHttpConfiguration().setResponseCookieCompliance(CookieCompliance.RFC6265_LEGACY);

and add a cookie.
@atennapel atennapel added the Bug For general bugs on Jetty side label May 1, 2023
@atennapel atennapel mentioned this issue May 1, 2023
Merged
@atennapel
Copy link
Author

atennapel commented May 1, 2023
edited
Loading

This is a result of the PR: #9352 . Which is similar to the change for Jetty 10, but there the HttpCookie is also updated to handle the legacy CookieCompliance and in the 9 PR it's not.

Compare https://github.com/eclipse/jetty.project/blob/7f55e82d005436516efd136e2b8362cb64c8411e/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCookie.java#L282 with https://github.com/eclipse/jetty.project/blob/986751c1e1b10814feba9e88eef4870ad9910407/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCookie.java#L286 to see the issue.

@atennapel atennapel changed the title Jetty 9.4.15: org.eclipse.jetty.http.HttpCookie.getSetCookie does not handle RFC6265_LEGACY Jetty 9.4.51: org.eclipse.jetty.http.HttpCookie.getSetCookie does not handle RFC6265_LEGACY May 1, 2023
@atennapel
Copy link
Author

I have an additional question: does using RFC6265_LEGACY mean you are still exposed to https://nvd.nist.gov/vuln/detail/CVE-2023-26049 ?

@joakime
Copy link
Contributor

joakime commented May 1, 2023
edited
Loading

Keep in mind that Jetty 9.x is now at End of Community Support, you should be on Jetty 10, or Jetty 11, or even Jetty 12 by now.

See:

We have testcases in 9.4.51 for RFC6265_LEGACY.

https://github.com/eclipse/jetty.project/blob/jetty-9.4.51.v20230217/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java#L144

Also HttpCookie.getSetCookie(CookieCompliance) is for a generated cookie, we will not generate a bad cookie, that's why that enum doesn't exist there.

CVE-2023-26049 is for a cookie parsing vulnerability. Using RFC6265_LEGACY will expose you to that vulnerability.

@joakime joakime added End-of-Life release Question and removed Bug For general bugs on Jetty side labels May 1, 2023
@joakime
Copy link
Contributor

joakime commented May 1, 2023
edited
Loading

Closing, not a Bug, and is also for an End of Community Support release.

@joakime joakime closed this as completed May 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
End-of-Life release Question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joakime @atennapel