SEC-1425: AbstractRememberMeServices not handling properly empty cookie #1668

Closed
spring-issuemaster opened this Issue Feb 27, 2010 · 2 comments

1 participant

@spring-issuemaster

Cedomir Igaly (Migrated from SEC-1425) said:

When an empty cookie is sent to AbstractRememberMeServices, it will throw java.lang.ArrayIndexOutOfBoundsException instead of org.springframework.security.web.authentication.rememberme.InvalidCookieException.

This can be fixed by adding

    if (tokens.length == 0) {
        throw new InvalidCookieException("No cookie!?");
    }

after

String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
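The following stand-alone Java program is an added example, not code from the Spring Security project or from the reporter. It reproduces the failure described above (an empty remember-me cookie value decodes to "" and splits into a zero-length array, so `tokens[0]` throws ArrayIndexOutOfBoundsException) and places the early empty-cookie check that the maintainer's reply describes beside it. The `delimitedListToStringArray` helper and the local `InvalidCookieException` class are stand-ins written here so the file compiles without Spring on the classpath; their behaviour mirroring Spring's is an assumption, and the sample cookie body is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

public class EmptyRememberMeCookieDemo {

    // Token separator used inside the remember-me cookie (as in the issue).
    static final String DELIMITER = ":";

    // Local stand-in for Spring's InvalidCookieException (assumption: same
    // single-String constructor as used in the report).
    static class InvalidCookieException extends RuntimeException {
        InvalidCookieException(String message) { super(message); }
    }

    // Re-implementation of StringUtils.delimitedListToStringArray (assumption:
    // mirrors Spring's behaviour). Note that "" yields a zero-length array.
    static String[] delimitedListToStringArray(String str, String delimiter) {
        if (str == null) {
            return new String[0];
        }
        List<String> result = new ArrayList<>();
        int pos = 0;
        int delPos;
        while ((delPos = str.indexOf(delimiter, pos)) != -1) {
            result.add(str.substring(pos, delPos));
            pos = delPos + delimiter.length();
        }
        if (str.length() > 0 && pos <= str.length()) {
            // trailing element (also covers the no-delimiter case)
            result.add(str.substring(pos));
        }
        return result.toArray(new String[0]);
    }

    // "Before": decode and split, then read tokens[0] without checking the
    // length. An empty cookie value decodes to "" and splits into [], so
    // tokens[0] throws ArrayIndexOutOfBoundsException instead of the
    // InvalidCookieException callers expect.
    static String[] decodeCookieUnguarded(String cookieValue) {
        String plain = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        String[] tokens = delimitedListToStringArray(plain, DELIMITER);
        String username = tokens[0];  // AIOOBE when the cookie was empty
        System.out.println("unguarded: user=" + username + ", tokens=" + tokens.length);
        return tokens;
    }

    // "After": reject an empty cookie up front with InvalidCookieException,
    // before any decoding or indexing happens; the token-length check from
    // the report is kept as well so a malformed body is rejected the same way.
    static String[] decodeCookieGuarded(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            throw new InvalidCookieException("Empty remember-me cookie");
        }
        String plain = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        String[] tokens = delimitedListToStringArray(plain, DELIMITER);
        if (tokens.length == 0) {
            throw new InvalidCookieException("Cookie contained no tokens");
        }
        return tokens;
    }

    public static void main(String[] args) {
        // Constructed sample: a well-formed cookie body (username:expiry:signature).
        String good = Base64.getEncoder().encodeToString(
                "alice:1267228800000:deadbeef".getBytes(StandardCharsets.UTF_8));
        System.out.println("guarded ok: " + decodeCookieGuarded(good).length + " tokens");

        // The case from the report: SPRING_SECURITY_REMEMBER_ME_COOKIE="" (empty value).
        String empty = "";
        try {
            decodeCookieUnguarded(empty);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unguarded: " + e);
        }
        try {
            decodeCookieGuarded(empty);
        } catch (InvalidCookieException e) {
            System.out.println("guarded: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac EmptyRememberMeCookieDemo.java && java EmptyRememberMeCookieDemo`. The practical difference is that InvalidCookieException is the failure the remember-me filter is written to handle (it cancels the cookie and continues unauthenticated), whereas an unchecked ArrayIndexOutOfBoundsException escapes that handling and surfaces as an error for any client that sends an empty cookie, which is why a cheap length check on untrusted input belongs before the first index access.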

@spring-issuemaster

Luke Taylor said:

Thanks for spotting this. I think it should only happen if the cookie is empty, so I've added a check for that at an earlier stage, rather than checking the length of the token array.

@spring-issuemaster

Cedomir Igaly said:

Don't thank me - thank the spammer(s) who are attacking my site :-)

[H] cookie: JSESSIONID=AB001555D4E0BC5E97EBB6404741F91A; SPRING_SECURITY_REMEMBER_ME_COOKIE=""

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016