From 1f93a979d2ac264798e5779b5b7172dfafe0066f Mon Sep 17 00:00:00 2001
From: baranowb
Date: Mon, 5 Feb 2024 08:58:22 +0100
Subject: [PATCH] [UNDERTOW-2342] CVE-2023-4639 ignore cookie with improper quotes

Signed-off-by: Flavia Rainone
---
 core/src/main/java/io/undertow/util/Cookies.java | 3 +++
 .../java/io/undertow/util/CookiesTestCase.java | 15 +++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/core/src/main/java/io/undertow/util/Cookies.java b/core/src/main/java/io/undertow/util/Cookies.java
index ef16ac0cac..5a7b465204 100644
--- a/core/src/main/java/io/undertow/util/Cookies.java
+++ b/core/src/main/java/io/undertow/util/Cookies.java
@@ -318,6 +318,9 @@ private static void parseCookie(final String cookie, final Set parsedCoo
 cookieCount = createCookie(name, containsEscapedQuotes ? unescapeDoubleQuotes(cookie.substring(start, i)) : cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
 state = 0;
 start = i + 1;
+ } else if (c == ';' || (commaIsSeperator && c == ',')) {
+ state = 0;
+ start = i + 1;
 }
 // Skip the next double quote char '"' when it is escaped by backslash '\' (i.e. \") inside the quoted value
 if (c == '\\' && (i + 1 < cookie.length()) && cookie.charAt(i + 1) == '"') {
diff --git a/core/src/test/java/io/undertow/util/CookiesTestCase.java b/core/src/test/java/io/undertow/util/CookiesTestCase.java
index 3e57d83cfe..3b4f2f2e5f 100644
--- a/core/src/test/java/io/undertow/util/CookiesTestCase.java
+++ b/core/src/test/java/io/undertow/util/CookiesTestCase.java
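Review bot: In Cookies.java, the added `else if (c == ';' || (commaIsSeperator && c == ','))` branch silently discards the cookie whose quoted value reaches a separator before its closing quote, and nothing at the branch says that this is deliberate or why. Since this is the CVE-2023-4639 fix, I would put a comment above `state = 0;` such as `// unterminated quoted value: drop this cookie and resume after the separator so following cookies are parsed on their own`. The branch also changes the result for a quoted value that is properly closed but contains a separator: that cookie is now dropped and the rest of its text is re-parsed from state 0, which agrees with the RFC 6265 rule quoted in the test file but deserves a mention in the same comment. The enclosing branch of parseCookie starts before and continues past this hunk, so how an open quote at the very end of the header is handled cannot be checked from here.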
@@ -450,6 +450,21 @@ public void testSameSiteCookie() {
 Assert.assertNull(cookie.getSameSiteMode());
 }
 
+ @Test
+ public void testNoDoubleQuoteTermination() {
+ Map cookies = Cookies.parseRequestCookies(4, false, Arrays.asList("CUSTOMER=\"WILE_E_COYOTE\"; BAD=\"X; SHIPPING=FEDEX"), true);
+ Assert.assertEquals(2, cookies.size());
+ Cookie cookie = cookies.get("CUSTOMER");
+ Assert.assertEquals("CUSTOMER", cookie.getName());
+ Assert.assertEquals("WILE_E_COYOTE", cookie.getValue());
+ cookie = cookies.get("BAD");
+ Assert.assertNull(cookie);
+ cookie = cookies.get("SHIPPING");
+ Assert.assertEquals("SHIPPING", cookie.getName());
+ Assert.assertEquals("FEDEX", cookie.getValue());
+ Assert.assertNotNull(cookie);
+ }
+
 // RFC6265 allows US-ASCII characters excluding CTLs, whitespace,
 // double quote, comma, semicolon and backslash as cookie value.
 // This does not change even if value is quoted.
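Review bot: `Assert.assertNotNull(cookie)` for SHIPPING runs after `cookie.getName()` and `cookie.getValue()` have already dereferenced the object, so it can never be the assertion that fails; move it to the line directly after `cookie = cookies.get("SHIPPING");` and add the same check after the CUSTOMER lookup. The call passes `true` as its last argument, which appears to be the comma-as-separator switch, yet the input only uses `;`, so the `c == ','` half of the new parser branch is not exercised. I would add cases for a comma following the open quote, for an open quote at the very end of the header value, and for an escaped quote that precedes the separator, each asserting that BAD is absent and the neighbouring cookies keep their exact values.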