From 091d0d8d9f8c3aa96f10072831605f17cc4147f7 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Tue, 1 Mar 2016 09:57:47 -0600 Subject: [PATCH] DefaultCookieSerializer ignores null Cookie value Previously a null Cookie value was returned by DefaultCookieSerializer readCookieValues(). This could cause NullPointerExeptions later on. This commit ignores cookies with a null value. Fixes gh-392 --- .../web/http/DefaultCookieSerializer.java | 3 +++ .../http/DefaultCookieSerializerTests.java | 24 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/spring-session/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java b/spring-session/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java index f2f8839..36d0814 100644 --- a/spring-session/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java +++ b/spring-session/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java @@ -59,6 +59,9 @@ public class DefaultCookieSerializer implements CookieSerializer { for (Cookie cookie : cookies) { if (cookieName.equals(cookie.getName())) { String sessionId = cookie.getValue(); + if(sessionId == null) { + continue; + } if(jvmRoute != null && sessionId.endsWith(jvmRoute)) { sessionId = sessionId.substring(0, sessionId.length() - jvmRoute.length()); } diff --git a/spring-session/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java b/spring-session/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java index be29c13..e81d5af 100644 --- a/spring-session/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java +++ b/spring-session/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java @@ -88,6 +88,30 @@ public class DefaultCookieSerializerTests { assertThat(serializer.readCookieValues(request)).containsExactly(sessionId, secondSession); } + // gh-392 + @Test + public void readCookieValuesNullCookieValue() { + request.setCookies(new Cookie(cookieName, null)); + + assertThat(serializer.readCookieValues(request)).isEmpty(); + } + + @Test + public void readCookieValuesNullCookieValueAndJvmRoute() { + serializer.setJvmRoute("123"); + request.setCookies(new Cookie(cookieName, null)); + + assertThat(serializer.readCookieValues(request)).isEmpty(); + } + + @Test + public void readCookieValuesNullCookieValueAndNotNullCookie() { + serializer.setJvmRoute("123"); + request.setCookies(new Cookie(cookieName, null), new Cookie(cookieName, sessionId)); + + assertThat(serializer.readCookieValues(request)).containsOnly(sessionId); + } + // --- writeCookie --- @Test