From df08883a009aeaebfbe59a53c592ac25cd3aff06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Cie=C5=9Blak?=
Date: Thu, 2 Apr 2020 10:43:25 +0300
Subject: [PATCH] SecurityManager: remove double quotes from session cookie content Sometimes, RFC 6265-compliant [0] web servers may send back a cookie whose value is enclosed in double quotes, such as: Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard Where the double quotes at the start and the end of the header value are just delimiters. This is perfectly legal: Etherpad parsing logic should cope with that, and remove the quotes early in the request phase. Somehow, this does not happen, and in such cases the actual value that sessionCookie ends up having is: sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"' As quick measure, let's strip the double quotes (when present). Note that here we are being minimal, limiting ourselves to just removing quotes at the start and the end of the string. Fixes #3819. Also, see #3820. [0] https://tools.ietf.org/html/rfc6265
---
 src/node/db/SecurityManager.js | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index 45d45a722..dbc8d6f6d 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -96,7 +96,30 @@ exports.checkAccess = async function(padID, sessionCookie, token, password) // get information about all sessions contained in this cookie if (sessionCookie) { let groupID = padID.split("$")[0]; - let sessionIDs = sessionCookie.split(','); + + /* + * Sometimes, RFC 6265-compliant web servers may send back a cookie whose + * value is enclosed in double quotes, such as: + * + * Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard + * + * Where the double quotes at the start and the end of the header value are + * just delimiters. This is perfectly legal: Etherpad parsing logic should + * cope with that, and remove the quotes early in the request phase. + * + * Somehow, this does not happen, and in such cases the actual value that + * sessionCookie ends up having is: + * + * sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"' + * + * As quick measure, let's strip the double quotes (when present). + * Note that here we are being minimal, limiting ourselves to just removing + * quotes at the start and the end of the string. + * + * Fixes #3819. + * Also, see #3820. + */ + let sessionIDs = sessionCookie.replace(/^"|"$/g, '').split(','); // was previously iterated in parallel using async.forEach try {
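Review bot: The pattern `/^"|"$/g` on the new `sessionIDs` line removes a leading quote and a trailing quote independently, so a value carrying only one of them (`"s.abc` or `s.abc"`) is normalised as if it had been properly quoted. Because sessionCookie is client-supplied and feeds the access decision in checkAccess, it is safer to strip only a matched pair, e.g. `let sessionIDs = sessionCookie.replace(/^"(.*)"$/, '$1').split(',');`, and let anything else go to the session lookup unchanged. The stripping also lives only in this function, so any other reader of the same cookie would presumably still see the quoted value; the block comment could say that in one line and point to #3819 instead of repeating the commit message. The try block that consumes sessionIDs continues outside the hunk.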