Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookie secure and httpOnly for PLAY_ERRORS cookie lost on exception #1423

Open
Alexandermjos opened this issue Jul 29, 2022 · 1 comment
Open

Cookie secure and httpOnly for PLAY_ERRORS cookie lost on exception #1423

Alexandermjos opened this issue Jul 29, 2022 · 1 comment

Comments

@Alexandermjos
Copy link

Hi.
It looks like the ERROR cookie (PLAY_ERRORS) is missing the cookie configuration for "secure" and "httpOnly" when an exception occurs.

This was discovered by an automated security scan in a project I am working on.

I have debugged and traced the issue back to ValidationPlugin.java's clear() method:

play1/framework/src/play/data/validation/ValidationPlugin.java

Lines 189 to 201 in 8fad39b

static void clear() {
try {
if (Http.Response.current() != null && Http.Response.current().cookies != null) {
Cookie cookie = new Cookie();
cookie.name = Scope.COOKIE_PREFIX + "_ERRORS";
cookie.value = "";
cookie.sendOnError = true;
Http.Response.current().cookies.put(cookie.name, cookie);
}
} catch (Exception e) {
throw new UnexpectedException("Errors serializationProblem", e);
}
}

which is called "onInvocationException()"

play1/framework/src/play/data/validation/ValidationPlugin.java

Lines 98 to 101 in 8fad39b

@Override
public void onInvocationException(Throwable e) {
clear();
}

I think this can be fixed by adding these two lines here:

play1/framework/src/play/data/validation/ValidationPlugin.java

Line 195 in 8fad39b

cookie.sendOnError = true;

cookie.secure = Scope.COOKIE_SECURE; cookie.httpOnly = Scope.SESSION_HTTPONLY;

Play Version (1.5.x / etc)

Reproduced on Play 1.5.2. Code involved in issue is unchanged from 1.5.2 to latest version

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

Windows 10

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

openjdk version "1.8.0_282"
OpenJDK Runtime Environment (build 1.8.0_282-b08)
OpenJDK 64-Bit Server VM (build 25.282-b08, mixed mode)

Library Dependencies

None

Expected Behavior

Please describe the expected behavior of the issue, starting from the first action.

  1. PLAY_ERRORS should have the same values for "secure" and "httpOnly" for validation errors as for exceptions

Actual Behavior

"secure" and "httpOnly" flag is not set when an exception occurs.

Reproducible Test Case

Create a nullpointer in a form
@Fraserhardy
Copy link
Contributor

@Alexandermjos I think this is also related to my issue #1420

We had similar issues raised by vulnerability scans but only on error pages. I traced to a slightly different place though.

play1/framework/src/play/server/PlayHandler.java

Line 752 in 8fad39b

public static void serve500(Exception e, ChannelHandlerContext ctx, HttpRequest nettyRequest) {

The way error responses are created seems quite strange in this PlayHandler.java.
Although I think your specific issue is more within the Validation class.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Fraserhardy @Alexandermjos