Community Edition / MGNLCE-262

CsrfTokenSecurityFilter does not encode cookie path


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Neutral

      Steps to reproduce

      1. Create a page with non-ASCII characters in its path, e.g. ä
      2. Try to access the page (without being logged in to Magnolia)

      Expected results

      Page is visible

      Actual results

      HTTP Status 500 – Internal Server Error


      Type Exception Report

      Message An invalid path [/testiä] was specified for this cookie

      Description The server encountered an unexpected condition that prevented it from fulfilling the request.

      Exception

      java.lang.IllegalArgumentException: An invalid path [/testiä] was specified for this cookie
        org.apache.tomcat.util.http.Rfc6265CookieProcessor.validatePath(Rfc6265CookieProcessor.java:241)
        org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:160)
        org.apache.catalina.connector.Response.generateCookieString(Response.java:975)
        org.apache.catalina.connector.Response.addCookie(Response.java:927)
        org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:385)
        javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:60)
        info.magnolia.cms.security.CsrfTokenSecurityFilter.unloggedRequestCheckPasses(CsrfTokenSecurityFilter.java:171)
        info.magnolia.cms.security.CsrfTokenSecurityFilter.csrfCheckPasses(CsrfTokenSecurityFilter.java:116)
        info.magnolia.cms.security.CsrfTokenSecurityFilter.doFilter(CsrfTokenSecurityFilter.java:106)

      Workaround

      Development notes

      Magnolia CE 6.2.5, Tomcat 9.0.41

        Acceptance criteria

      Assignee: Unassigned
      Reporter: Samuli Saarinen (ssaarinen)
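
The failure reported above comes from a non-ASCII character reaching the cookie path unencoded. As an added example (not Magnolia or Tomcat code; the class and method names are hypothetical), this Java program checks a path against the RFC 6265 path-value grammar and percent-encodes it as UTF-8 so that it passes that check. It assumes the input is the decoded request path, not an already percent-encoded one.

```java
import java.nio.charset.StandardCharsets;

/** Added example; CookiePathEncoding and its methods are hypothetical names. */
public class CookiePathEncoding {

    /** RFC 6265 path-value: printable US-ASCII (0x20-0x7E) except ';'. */
    static boolean isValidCookiePath(String path) {
        for (char ch : path.toCharArray()) {
            if (ch < 0x20 || ch > 0x7E || ch == ';') {
                return false;
            }
        }
        return true;
    }

    /**
     * Percent-encodes a decoded path as UTF-8, keeping '/' and the RFC 3986
     * unreserved characters. Assumes the input is not already percent-encoded.
     */
    static String encodeCookiePath(String decodedPath) {
        StringBuilder out = new StringBuilder();
        for (byte b : decodedPath.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved || c == '/') {
                out.append((char) c);
            } else {
                // Upper-case hex: cookie path matching is a case-sensitive string
                // comparison, and browsers send upper-case percent-escapes.
                out.append(String.format("%%%02X", c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample paths; "/testi\u00e4" is the path from the report.
        String[] samples = {"/testi\u00e4", "/docs/a;b", "/plain/page", "/tab\there"};
        for (String raw : samples) {
            String encoded = encodeCookiePath(raw);
            System.out.printf("%-14s valid=%-5b -> %-22s valid=%b%n",
                    raw.replace("\t", "\\t"), isValidCookiePath(raw),
                    encoded, isValidCookiePath(encoded));
        }
    }
}
```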