SecurityManager: remove double quotes from session cookie content

Sometimes, RFC 6265-compliant [0] web servers may send back a cookie whose value is enclosed in double quotes, such as: Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard Where the double quotes at the start and the end of the header value are just delimiters. This is perfectly legal: Etherpad parsing logic should cope with that, and remove the quotes early in the request phase. Somehow, this does not happen, and in such cases the actual value that sessionCookie ends up having is: sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"' As quick measure, let's strip the double quotes (when present). Note that here we are being minimal, limiting ourselves to just removing quotes at the start and the end of the string. Fixes #3819. Also, see #3820. [0] https://tools.ietf.org/html/rfc6265
2020-04-02 10:43:25 +03:00 · 2020-04-02 10:43:25 +03:00 · df08883a00
parent 08b83ae358
commit df08883a00
1 changed files with 24 additions and 1 deletions
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@ -96,7 +96,30 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
  // get information about all sessions contained in this cookie
  if (sessionCookie) {
    let groupID = padID.split("$")[0];
-    let sessionIDs = sessionCookie.split(',');
+
+    /*
+     * Sometimes, RFC 6265-compliant web servers may send back a cookie whose
+     * value is enclosed in double quotes, such as:
+     *
+     *   Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard
+     *
+     * Where the double quotes at the start and the end of the header value are
+     * just delimiters. This is perfectly legal: Etherpad parsing logic should
+     * cope with that, and remove the quotes early in the request phase.
+     *
+     * Somehow, this does not happen, and in such cases the actual value that
+     * sessionCookie ends up having is:
+     *
+     *     sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'
+     *
+     * As quick measure, let's strip the double quotes (when present).
+     * Note that here we are being minimal, limiting ourselves to just removing
+     * quotes at the start and the end of the string.
+     *
+     * Fixes #3819.
+     * Also, see #3820.
+     */
+    let sessionIDs = sessionCookie.replace(/^"|"$/g, '').split(',');

    // was previously iterated in parallel using async.forEach
    try {