WebTestClientRequestConverter mishandles cookies whose value contains =#1040
Open
config25 wants to merge 1 commit intospring-projects:3.0.xfrom
Open
WebTestClientRequestConverter mishandles cookies whose value contains =#1040config25 wants to merge 1 commit intospring-projects:3.0.xfrom
config25 wants to merge 1 commit intospring-projects:3.0.xfrom
Conversation
config25
force-pushed
the
fix/cookie-equals-sign-parsing
branch
from
4cf5c5a to
ac1b011
Compare
wilkinsona
changed the title
wilkinsona
added
type: bug
wilkinsona
requested changes
Apr 13, 2026
| } | ||
|
|
||
| @Test | ||
| void requestWithCookieValueContainingEqualsSign() { |
Member
There was a problem hiding this comment.
This method has to be public as the 3.0.x branch uses JUnit 4.
Contributor
Author
There was a problem hiding this comment.
Sorry about that, I missed the JUnit 4 requirement on the 3.0.x branch. Both test methods are now public. Thank you for catching this!
...test/java/org/springframework/restdocs/webtestclient/WebTestClientRequestConverterTests.java
Outdated
Show resolved
Hide resolved
Fixes spring-projectsgh-1038 Signed-off-by: config25 <yhkim052556@naver.com>
config25
force-pushed
the
fix/cookie-equals-sign-parsing
branch
from
ac1b011 to
f0a2e34
Compare
wilkinsona
requested changes
Apr 13, 2026
Comment on lines
+108
to
+110
| if (separator == -1) { | ||
| return new RequestCookie(header, ""); | ||
| } |
Member
There was a problem hiding this comment.
I don't think this is correct. To have an empty-string value, I believe the header's value would have to be malformed=. Without the equals sign, there should be no cookie at all as the header is invalid. I think failing in this case is fine so I'd just remove lines 108-110.
wilkinsona
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
WebTestClientRequestConverter.createRequestCookie()usessplit("=")toparse cookie headers. This causes two problems:
=(e.g. Base64-padded values likeYWJjZGVm==)are silently truncated at the first
==throwArrayIndexOutOfBoundsExceptionReplace
split("=")withindexOf('=')to split on only the first=andhandle the no-
=case by returning an empty value.Fixes gh-1038
base branch 3.0.x