[UNDERTOW-2342] CVE-2023-4639 ignore cookie with improper quotes

Signed-off-by: Flavia Rainone <[email protected]>

core/src/main/java/io/undertow/util/Cookies.java

@@ -318,6 +318,9 @@ private static void parseCookie(final String cookie, final Set<Cookie> parsedCoo
                         cookieCount = createCookie(name, containsEscapedQuotes ? unescapeDoubleQuotes(cookie.substring(start, i)) : cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
                         state = 0;
                         start = i + 1;
+                    } else if (c == ';' || (commaIsSeperator && c == ',')) {
+                        state = 0;
+                        start = i + 1;
                     }
                     // Skip the next double quote char '"' when it is escaped by backslash '\' (i.e. \") inside the quoted value
                     if (c == '\\' && (i + 1 < cookie.length()) && cookie.charAt(i + 1) == '"') {

core/src/test/java/io/undertow/util/CookiesTestCase.java

@@ -450,6 +450,21 @@ public void testSameSiteCookie() {
         Assert.assertNull(cookie.getSameSiteMode());
     }
 
+    @Test
+    public void testNoDoubleQuoteTermination() {
+        Map<String, Cookie> cookies = Cookies.parseRequestCookies(4, false, Arrays.asList("CUSTOMER=\"WILE_E_COYOTE\"; BAD=\"X; SHIPPING=FEDEX"), true);
+        Assert.assertEquals(2, cookies.size());
+        Cookie cookie = cookies.get("CUSTOMER");
+        Assert.assertEquals("CUSTOMER", cookie.getName());
+        Assert.assertEquals("WILE_E_COYOTE", cookie.getValue());
+        cookie = cookies.get("BAD");
+        Assert.assertNull(cookie);
+        cookie = cookies.get("SHIPPING");
+        Assert.assertEquals("SHIPPING", cookie.getName());
+        Assert.assertEquals("FEDEX", cookie.getValue());
+        Assert.assertNotNull(cookie);
+    }
+
     // RFC6265 allows US-ASCII characters excluding CTLs, whitespace,
     // double quote, comma, semicolon and backslash as cookie value.
     // This does not change even if value is quoted.