View Javadoc
1   /*
2    * Copyright 2015 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.codec.http.cookie;
17  
18  import io.netty.handler.codec.DateFormatter;
19  import io.netty.handler.codec.http.cookie.CookieHeaderNames.SameSite;
20  
21  import java.util.Date;
22  
23  import static io.netty.util.internal.ObjectUtil.checkNotNull;
24  
25  /**
26   * A <a href="https://tools.ietf.org/html/rfc6265">RFC6265</a> compliant cookie decoder to be used client side.
27   *
28   * It will store the way the raw value was wrapped in {@link Cookie#setWrap(boolean)} so it can be
29   * eventually sent back to the Origin server as is.
30   *
31   * @see ClientCookieEncoder
32   */
33  public final class ClientCookieDecoder extends CookieDecoder {
34  
35      /**
36       * Strict encoder that validates that name and value chars are in the valid scope
37       * defined in RFC6265
38       */
39      public static final ClientCookieDecoder STRICT = new ClientCookieDecoder(true);
40  
41      /**
42       * Lax instance that doesn't validate name and value
43       */
44      public static final ClientCookieDecoder LAX = new ClientCookieDecoder(false);
45  
46      private ClientCookieDecoder(boolean strict) {
47          super(strict);
48      }
49  
50      /**
51       * Decodes the specified Set-Cookie HTTP header value into a {@link Cookie}.
52       *
53       * @return the decoded {@link Cookie}
54       */
55      public Cookie decode(String header) {
56          final int headerLen = checkNotNull(header, "header").length();
57  
58          if (headerLen == 0) {
59              return null;
60          }
61  
62          CookieBuilder cookieBuilder = null;
63  
64          loop: for (int i = 0;;) {
65  
66              // Skip spaces and separators.
67              for (;;) {
68                  if (i == headerLen) {
69                      break loop;
70                  }
71                  char c = header.charAt(i);
72                  if (c == ',') {
73                      // Having multiple cookies in a single Set-Cookie header is
74                      // deprecated, modern browsers only parse the first one
75                      break loop;
76  
77                  } else if (c == '\t' || c == '\n' || c == 0x0b || c == '\f'
78                          || c == '\r' || c == ' ' || c == ';') {
79                      i++;
80                      continue;
81                  }
82                  break;
83              }
84  
85              int nameBegin = i;
86              int nameEnd;
87              int valueBegin;
88              int valueEnd;
89  
90              for (;;) {
91                  char curChar = header.charAt(i);
92                  if (curChar == ';') {
93                      // NAME; (no value till ';')
94                      nameEnd = i;
95                      valueBegin = valueEnd = -1;
96                      break;
97  
98                  } else if (curChar == '=') {
99                      // NAME=VALUE
100                     nameEnd = i;
101                     i++;
102                     if (i == headerLen) {
103                         // NAME= (empty value, i.e. nothing after '=')
104                         valueBegin = valueEnd = 0;
105                         break;
106                     }
107 
108                     valueBegin = i;
109                     // NAME=VALUE;
110                     int semiPos = header.indexOf(';', i);
111                     valueEnd = i = semiPos > 0 ? semiPos : headerLen;
112                     break;
113                 } else {
114                     i++;
115                 }
116 
117                 if (i == headerLen) {
118                     // NAME (no value till the end of string)
119                     nameEnd = headerLen;
120                     valueBegin = valueEnd = -1;
121                     break;
122                 }
123             }
124 
125             if (valueEnd > 0 && header.charAt(valueEnd - 1) == ',') {
126                 // old multiple cookies separator, skipping it
127                 valueEnd--;
128             }
129 
130             if (cookieBuilder == null) {
131                 // cookie name-value pair
132                 DefaultCookie cookie = initCookie(header, nameBegin, nameEnd, valueBegin, valueEnd);
133 
134                 if (cookie == null) {
135                     return null;
136                 }
137 
138                 cookieBuilder = new CookieBuilder(cookie, header);
139             } else {
140                 // cookie attribute
141                 cookieBuilder.appendAttribute(nameBegin, nameEnd, valueBegin, valueEnd);
142             }
143         }
144         return cookieBuilder != null ? cookieBuilder.cookie() : null;
145     }
146 
147     private static class CookieBuilder {
148 
149         private final String header;
150         private final DefaultCookie cookie;
151         private String domain;
152         private String path;
153         private long maxAge = Long.MIN_VALUE;
154         private int expiresStart;
155         private int expiresEnd;
156         private boolean secure;
157         private boolean httpOnly;
158         private SameSite sameSite;
159         private boolean partitioned;
160 
161         CookieBuilder(DefaultCookie cookie, String header) {
162             this.cookie = cookie;
163             this.header = header;
164         }
165 
166         private long mergeMaxAgeAndExpires() {
167             // max age has precedence over expires
168             if (maxAge != Long.MIN_VALUE) {
169                 return maxAge;
170             } else if (isValueDefined(expiresStart, expiresEnd)) {
171                 Date expiresDate = DateFormatter.parseHttpDate(header, expiresStart, expiresEnd);
172                 if (expiresDate != null) {
173                     long maxAgeMillis = expiresDate.getTime() - System.currentTimeMillis();
174                     return maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0 ? 1 : 0);
175                 }
176             }
177             return Long.MIN_VALUE;
178         }
179 
180         Cookie cookie() {
181             cookie.setDomain(domain);
182             cookie.setPath(path);
183             cookie.setMaxAge(mergeMaxAgeAndExpires());
184             cookie.setSecure(secure);
185             cookie.setHttpOnly(httpOnly);
186             cookie.setSameSite(sameSite);
187             cookie.setPartitioned(partitioned);
188             return cookie;
189         }
190 
191         /**
192          * Parse and store a key-value pair. First one is considered to be the
193          * cookie name/value. Unknown attribute names are silently discarded.
194          *
195          * @param keyStart
196          *            where the key starts in the header
197          * @param keyEnd
198          *            where the key ends in the header
199          * @param valueStart
200          *            where the value starts in the header
201          * @param valueEnd
202          *            where the value ends in the header
203          */
204         void appendAttribute(int keyStart, int keyEnd, int valueStart, int valueEnd) {
205             int length = keyEnd - keyStart;
206 
207             if (length == 4) {
208                 parse4(keyStart, valueStart, valueEnd);
209             } else if (length == 6) {
210                 parse6(keyStart, valueStart, valueEnd);
211             } else if (length == 7) {
212                 parse7(keyStart, valueStart, valueEnd);
213             } else if (length == 8) {
214                 parse8(keyStart, valueStart, valueEnd);
215             } else if (length == 11) {
216                 parse11(keyStart);
217             }
218         }
219 
220         private void parse4(int nameStart, int valueStart, int valueEnd) {
221             if (header.regionMatches(true, nameStart, CookieHeaderNames.PATH, 0, 4)) {
222                 path = computeValue(valueStart, valueEnd);
223             }
224         }
225 
226         private void parse6(int nameStart, int valueStart, int valueEnd) {
227             if (header.regionMatches(true, nameStart, CookieHeaderNames.DOMAIN, 0, 5)) {
228                 domain = computeValue(valueStart, valueEnd);
229             } else if (header.regionMatches(true, nameStart, CookieHeaderNames.SECURE, 0, 5)) {
230                 secure = true;
231             }
232         }
233 
234         private void setMaxAge(String value) {
235             try {
236                 maxAge = Math.max(Long.parseLong(value), 0L);
237             } catch (NumberFormatException e1) {
238                 // ignore failure to parse -> treat as session cookie
239             }
240         }
241 
242         private void parse7(int nameStart, int valueStart, int valueEnd) {
243             if (header.regionMatches(true, nameStart, CookieHeaderNames.EXPIRES, 0, 7)) {
244                 expiresStart = valueStart;
245                 expiresEnd = valueEnd;
246             } else if (header.regionMatches(true, nameStart, CookieHeaderNames.MAX_AGE, 0, 7)) {
247                 setMaxAge(computeValue(valueStart, valueEnd));
248             }
249         }
250 
251         private void parse8(int nameStart, int valueStart, int valueEnd) {
252             if (header.regionMatches(true, nameStart, CookieHeaderNames.HTTPONLY, 0, 8)) {
253                 httpOnly = true;
254             } else if (header.regionMatches(true, nameStart, CookieHeaderNames.SAMESITE, 0, 8)) {
255                 sameSite = SameSite.of(computeValue(valueStart, valueEnd));
256             }
257         }
258 
259         private void parse11(int nameStart) {
260             if (header.regionMatches(true, nameStart, CookieHeaderNames.PARTITIONED, 0, 11)) {
261                 partitioned = true;
262             }
263         }
264 
265         private static boolean isValueDefined(int valueStart, int valueEnd) {
266             return valueStart != -1 && valueStart != valueEnd;
267         }
268 
269         private String computeValue(int valueStart, int valueEnd) {
270             return isValueDefined(valueStart, valueEnd) ? header.substring(valueStart, valueEnd) : null;
271         }
272     }
273 }