Spring Security / SEC-1425

AbstractRememberMeServices not handling properly empty cookie

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Web
    • Labels:
      None

      Description

      When an empty cookie is sent to AbstractRememberMeServices, it will throw java.lang.ArrayIndexOutOfBoundsException instead of org.springframework.security.web.authentication.rememberme.InvalidCookieException.

      This can be fixed by adding

      if (tokens.length == 0) {
          throw new InvalidCookieException("No cookie!?");
      }

      after

      String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);

        Activity

        Luke Taylor added a comment -

        Thanks for spotting this. I think it should only happen if the cookie is empty, so I've added a check for that at an earlier stage, rather than checking the length of the token array.

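The failure described in the report and the early empty-cookie check described in the comment above, side by side, as an added Java illustration that is not Spring Security's code. The class and method names, the ":" delimiter, the Base64 handling and the exact line that indexes the token array are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration of SEC-1425, not Spring Security's code; names are stand-ins.
public class RememberMeCookieDecodeDemo {
    static final String DELIMITER = ":";
    // Stand-in for the rememberme.InvalidCookieException the report expects to see.
    static class InvalidCookieException extends RuntimeException {
        InvalidCookieException(String message) { super(message); }
    }
    // Mimics StringUtils.delimitedListToStringArray for the case that matters here:
    // an empty input yields an empty array (plain String.split would yield [""]).
    static String[] splitTokens(String plainText) {
        return plainText.isEmpty() ? new String[0] : plainText.split(DELIMITER, -1);
    }

    static String base64ToPlainText(String cookieValue) {
        try {
            return new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new InvalidCookieException("Cookie token was not Base64 encoded");
        }
    }
    // Pre-fix shape (assumed): the token array is indexed with no length check, so an empty
    // cookie decodes to zero tokens and tokens[0] throws ArrayIndexOutOfBoundsException.
    static String[] decodeCookieBefore(String cookieValue) {
        String[] tokens = splitTokens(base64ToPlainText(cookieValue));
        if (tokens[0].isEmpty()) {
            throw new InvalidCookieException("Empty first token");
        }
        return tokens;
    }

    // Fixed shape: reject an empty cookie before decoding (the "earlier stage" check from the
    // comment above), so callers see InvalidCookieException as for any other malformed cookie.
    static String[] decodeCookieAfter(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            throw new InvalidCookieException("Cookie value was empty");
        }
        return splitTokens(base64ToPlainText(cookieValue));
    }
    public static void main(String[] args) {
        String empty = "";  // SPRING_SECURITY_REMEMBER_ME_COOKIE="" as seen in the report
        try { decodeCookieBefore(empty); } catch (ArrayIndexOutOfBoundsException e) { System.out.println("before fix: " + e); }
        try { decodeCookieAfter(empty); } catch (InvalidCookieException e) { System.out.println("after fix: " + e); }
        // A constructed well-formed cookie still decodes to its three tokens after the fix.
        String ok = Base64.getEncoder().encodeToString("user:expiry:signature".getBytes(StandardCharsets.UTF_8));
        System.out.println("after fix, valid cookie tokens: " + decodeCookieAfter(ok).length);
    }
}
```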
        Cedomir Igaly added a comment -

        Don't thank me - thank the spammer(s) who are attacking my site

        > [H] cookie: JSESSIONID=AB001555D4E0BC5E97EBB6404741F91A; SPRING_SECURITY_REMEMBER_ME_COOKIE=""


          People

          • Assignee: Luke Taylor
          • Reporter: Cedomir Igaly
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved: