SecurityManager: remove double quotes from session cookie content
Sometimes, RFC 6265-compliant [0] web servers may send back a cookie whose value is enclosed in double quotes, such as:

    Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard

where the double quotes at the start and the end of the header value are just delimiters. This is perfectly legal: Etherpad parsing logic should cope with that, and remove the quotes early in the request phase.

Somehow, this does not happen, and in such cases the actual value that sessionCookie ends up having is:

    sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'

As a quick measure, let's strip the double quotes (when present). Note that here we are being minimal, limiting ourselves to just removing quotes at the start and the end of the string.

Fixes #3819.
Also, see #3820.

[0] https://tools.ietf.org/html/rfc6265

pull/3851/head
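The commit strips a leading and a trailing double quote independently. The following is an added example, not Etherpad code: it unquotes a cookie-value only when the quotes are the balanced DQUOTE delimiters RFC 6265 defines, rejects values that are not made of cookie-octets, and shows where that differs from the commit's regex. The session IDs and the comma-separated layout are constructed to match the commit's example value; the function names are made up.

```javascript
// Added example (not Etherpad's own code): RFC 6265-style unquoting of a
// cookie-value, compared with the commit's `replace(/^"|"$/g, '')`.

// RFC 6265 section 4.1.1:
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
// cookie-octet excludes CTLs, space, DQUOTE, comma, semicolon and backslash.
// Etherpad's sessionCookie joins several session IDs with commas, so comma
// (0x2C) is additionally allowed here (assumption taken from the commit).
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2C\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Returns the unquoted value, or null when the value is malformed.
function unquoteCookieValue(raw) {
  if (typeof raw !== 'string') return null;
  let value = raw;
  // Strip the quotes only when both delimiters are present.
  if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
    value = value.slice(1, -1);
  }
  // A stray quote, semicolon or control character means a malformed header.
  if (!COOKIE_OCTET.test(value)) return null;
  return value;
}

// Splits the cookie into session IDs; malformed or empty input yields [].
function parseSessionIDs(raw) {
  const value = unquoteCookieValue(raw);
  if (value === null || value === '') return [];
  return value.split(',').filter((id) => id.length > 0);
}

// The commit's approach, for comparison: each alternative matches on its own,
// so a value with a single unbalanced quote is silently altered.
function commitStrip(raw) {
  return raw.replace(/^"|"$/g, '');
}

// Constructed sample values (IDs are made up, same shape as the commit's).
const quoted = '"s.aaaa1111,s.bbbb2222"';
const plain = 's.aaaa1111,s.bbbb2222';
const lone = '"s.aaaa1111';

console.log(parseSessionIDs(quoted));   // [ 's.aaaa1111', 's.bbbb2222' ]
console.log(parseSessionIDs(plain));    // [ 's.aaaa1111', 's.bbbb2222' ]
console.log(commitStrip(lone));         // 's.aaaa1111'
console.log(unquoteCookieValue(lone));  // null
```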
parent 08b83ae358
commit df08883a00
@ -96,7 +96,30 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
// get information about all sessions contained in this cookie
// get information about all sessions contained in this cookie
if (sessionCookie) {
if (sessionCookie) {
let groupID = padID.split("$")[0];
let groupID = padID.split("$")[0];
let sessionIDs = sessionCookie.split(',');
/*
* Sometimes, RFC 6265-compliant web servers may send back a cookie whose
* value is enclosed in double quotes, such as:
*
* Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard
*
* Where the double quotes at the start and the end of the header value are
* just delimiters. This is perfectly legal: Etherpad parsing logic should
* cope with that, and remove the quotes early in the request phase.
*
* Somehow, this does not happen, and in such cases the actual value that
* sessionCookie ends up having is:
*
* sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'
*
* As quick measure, let's strip the double quotes (when present).
* Note that here we are being minimal, limiting ourselves to just removing
* quotes at the start and the end of the string.
*
* Fixes #3819.
* Also, see #3820.
*/
let sessionIDs = sessionCookie.replace(/^"|"$/g, '').split(',');
// was previously iterated in parallel using async.forEach
// was previously iterated in parallel using async.forEach
try {
try {
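Review bot: the stripping in `let sessionIDs = sessionCookie.replace(/^"|"$/g, '').split(',');` only normalises the value for this one caller, so any other code path that reads `sessionCookie` still sees the quoted form; the commit message itself says the quotes should be removed early in the request phase and points to #3820, and the comment here should state that this is a stopgap for that reason. Also, the two alternatives `^"` and `"$` match independently, so a value carrying a single unbalanced quote is silently altered rather than rejected; if unbalanced quotes are not expected, strip only when both delimiters are present (for example `/^"(.*)"$/`) and add a unit test covering the quoted, unquoted and unbalanced inputs. Finally, the long block comment restates the commit message almost verbatim; a two-line comment citing RFC 6265 and the issue numbers would keep `checkAccess` readable.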