
Cookie secure and httpOnly for PLAY_ERRORS cookie lost on exception

Open · Alexandermjos opened this issue 2 years ago · 1 comment

Hi. It looks like the ERROR cookie (PLAY_ERRORS) is missing the cookie configuration for "secure" and "httpOnly" when an exception occurs.

This was discovered by an automated security scan in a project I am working on.

I have debugged and traced the issue back to ValidationPlugin.java's clear() method: https://github.com/playframework/play1/blob/8fad39b17ef215a43e4185bae32ed9caac011f30/framework/src/play/data/validation/ValidationPlugin.java#L189-L201

which is called "onInvocationException()" https://github.com/playframework/play1/blob/8fad39b17ef215a43e4185bae32ed9caac011f30/framework/src/play/data/validation/ValidationPlugin.java#L98-L101

I think this can be fixed by adding these two lines here: https://github.com/playframework/play1/blob/8fad39b17ef215a43e4185bae32ed9caac011f30/framework/src/play/data/validation/ValidationPlugin.java#L195

```java
cookie.secure = Scope.COOKIE_SECURE;
cookie.httpOnly = Scope.SESSION_HTTPONLY;
```

Play Version (1.5.x / etc)

Reproduced on Play 1.5.2. Code involved in issue is unchanged from 1.5.2 to latest version

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

Windows 10

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

openjdk version "1.8.0_282"
OpenJDK Runtime Environment (build 1.8.0_282-b08)
OpenJDK 64-Bit Server VM (build 25.282-b08, mixed mode)

Library Dependencies

None

Expected Behavior


  1. PLAY_ERRORS should have the same values for "secure" and "httpOnly" for validation errors as for exceptions

Actual Behavior

The "secure" and "httpOnly" flags are not set when an exception occurs.

Reproducible Test Case

Create a null pointer in a form.

Alexandermjos, Jul 29 '22 10:07
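The finding above came from an automated scanner, and the cheapest way to confirm it (or to confirm a fix) is to do what the scanner does: collect every `Set-Cookie` header from the normal validation-error response and from the exception response, and flag any cookie missing `Secure` or `HttpOnly`. The script below is an added example, not code from the issue or from the Play project. The two sample header sets are constructed to mirror the behaviour the report describes (`PLAY_ERRORS` carries both flags on the validation path and neither on the exception path); they were not captured from a Play server, and the cookie values and `Path` attribute are assumptions. The `fetch_set_cookies` helper is only for running the same check against a live deployment and is not exercised offline.

```python
"""Report cookies whose Set-Cookie header lacks the Secure or HttpOnly flag.

Added example for the play1 PLAY_ERRORS issue; not part of Play or the issue.
"""
import http.client
from typing import Dict, List, Tuple

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attr_lower: attr_value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal;
    flag attributes with no '=' get the value ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(set_cookie_headers: List[str],
                  required=REQUIRED_FLAGS) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie lacking a flag.

    An empty dict means every cookie in the response carried all flags.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def fetch_set_cookies(host: str, port: int, path: str,
                      https: bool = True) -> List[str]:
    """Collect the Set-Cookie headers of one live request (not run offline).

    Assumed deployment (example only): the Play app reachable at host:port,
    ideally over TLS so that a Secure cookie would actually be accepted.
    """
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# CONSTRUCTED sample responses shaped after the issue text (not captured from
# Play). Play 1 names the errors cookie <COOKIE_PREFIX>_ERRORS and the
# default prefix is PLAY; the values and Path attribute here are assumptions.
VALIDATION_PATH = [
    "PLAY_ERRORS=%00name%3AValidation.required%00; Path=/; Secure; HttpOnly",
    "PLAY_SESSION=abc123; Path=/; Secure; HttpOnly",
]
EXCEPTION_PATH = [
    "PLAY_ERRORS=; Path=/",  # clear() on the exception path: no flags at all
    "PLAY_SESSION=abc123; Path=/; Secure; HttpOnly",
]


def report(label: str, headers: List[str]) -> Dict[str, List[str]]:
    """Print one line per offending cookie and return the findings."""
    findings = missing_flags(headers)
    for name, flags in findings.items():
        print(f"[{label}] {name}: missing {', '.join(flags)}")
    return findings


if __name__ == "__main__":
    report("validation", VALIDATION_PATH)  # no output: both flags present
    report("exception", EXCEPTION_PATH)    # PLAY_ERRORS: missing secure, httponly
```

To use it against a real instance, point `fetch_set_cookies` at a form that fails validation and at one that throws, and pass each header list to `missing_flags`; the scanner finding is reproduced when only the exception response lists `PLAY_ERRORS`. Note that the check is per response, so it also catches the case the reply below mentions, where the cookie is emitted from a different code path on error pages.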

@Alexandermjos I think this is also related to my issue https://github.com/playframework/play1/issues/1420

We had similar issues raised by vulnerability scans but only on error pages. I traced to a slightly different place though. https://github.com/playframework/play1/blob/8fad39b17ef215a43e4185bae32ed9caac011f30/framework/src/play/server/PlayHandler.java#L752

The way error responses are created seems quite strange in this PlayHandler.java. Although I think your specific issue is more within the Validation class.

Fraserhardy, Aug 11 '22 12:08