[UNDERTOW-2603] Fix double cookie on quoted value

baranowb · baranowb · commit 3e2bca5146bf · 2025-09-10T15:42:30.000+02:00
diff --git a/core/src/main/java/io/undertow/util/Cookies.java b/core/src/main/java/io/undertow/util/Cookies.java
@@ -326,7 +326,35 @@ private static void parseCookie(final String cookie, final Set<Cookie> parsedCoo
                             i++;
                             cookieCount = createCookie(name, containsEscapedQuotes ? unescapeDoubleQuotes(cookie.substring(start, i)) : cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
                         } else {
+                            final boolean existed = cookies.containsKey(name);
                             cookieCount = createCookie(name, containsEscapedQuotes ? unescapeDoubleQuotes(cookie.substring(start, i)) : cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
+                           //if there is more, make sure next is separator
+                            if (i + 1 < cookie.length() && (cookie.charAt(i + 1) == ';'      // Cookie: key="\"; key2=...
+                                    || (commaIsSeperator && cookie.charAt(i + 1) == ','))) { // Cookie: key="\", key2=...
+                                //adjust position to delimiter and let state == 0 spin again whole thing
+                               i++;
+                               start++;
+                            } else {
+                                if(UndertowLogger.REQUEST_LOGGER.isTraceEnabled()) {
+                                    UndertowLogger.REQUEST_LOGGER.trace("Ignoring invalid cookies in header " + cookie);
+                                }
+                                if(!existed) {
+                                    //RN we dont add copy, so lets not remove proper cookie that we stored
+                                    //prior to this one
+                                    cookies.remove(name);
+                                }
+                                additional.remove(name);
+                                //seek next separator
+                                while(i<cookie.length()) {
+                                    char seeker = cookie.charAt(i);
+                                    if(!(seeker == ';'      // Cookie: key="\"; key2=...
+                                            || (commaIsSeperator && seeker == ','))) {
+                                        i++;
+                                    } else {
+                                        break;
+                                    }
+                                }
+                            }
                         }
                         state = 0;
                         start = i + 1;
diff --git a/core/src/test/java/io/undertow/util/CookiesTestCase.java b/core/src/test/java/io/undertow/util/CookiesTestCase.java
@@ -221,6 +221,15 @@ public void testCommaSeparatedCookies() {
         cookie = cookies.get("SHIPPING");
         Assert.assertNotNull(cookie);
         Assert.assertEquals("FEDEX", cookie.getValue());
+
+        cookies = Cookies.parseRequestCookies(5, false, Arrays.asList("CUSTOMER=\"WILE_E_COYOTE\", BAD_CUSTOMER=\"APPLE\"  IGNORED=PART, SHIPPING=FEDEX" ), true);
+        Assert.assertEquals(2, cookies.size());
+        cookie = cookies.get("CUSTOMER");
+        Assert.assertNotNull(cookie);
+        Assert.assertEquals("WILE_E_COYOTE", cookie.getValue());
+        cookie = cookies.get("SHIPPING");
+        Assert.assertNotNull(cookie);
+        Assert.assertEquals("FEDEX", cookie.getValue());
     }
 
     @Test
