Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
JWPlayer 7 saves UTF-8 cookies without encoding them as per RFC6265. Invalid cookies cause critical server issue with Tomcat Java.
<p>If you use non-ASCII characters as a "caption label" (ie, "<tt>Español</tt>"), JWPlayer saves the unencoded value in a cookie (<tt>jwplayer.captionLabel=Español</tt>). I found information on adding caption tracks here:<br>
<a href="http://www.3playmedia.com/how-it-works/how-to-guides/jw-player/" target="_blank">http://www.3playmedia.com/how-it-works/how-to-guides/jw-player/</a></p>
<p>More Info on allowable characters here:<br>
<a href="http://stackoverflow.com/a/1969339/693068" target="_blank">http://stackoverflow.com/a/1969339/693068</a></p>
<p>This RFC6265 non-compliant cookie value is currently causing problems with ColdFusion 10/11 using TomCat 7. Any request to the Java platform with an invalid cookie will cause a 500 Server error.<br>
<a href="http://stackoverflow.com/q/33289047/693068" target="_blank">http://stackoverflow.com/q/33289047/693068</a></p>
<p>It's a standard practice to display language choices in the language of the speaker/reader, but saving the unicode value directly without using Javascript's "<tt>encodeURIComponent</tt>" should be avoided.</p>
<p>[UPDATE 12/16/2015] On 11/19/2015 (less than 30 days after reporting this), <a href="https://support.jwplayer.com/customer/en/portal/articles/1403726-jw-player-7-release-notes#version722">JWPlayer 7.2</a> was released and all settings are now saved using local storage.</p>
<p>[UPDATE 12/16/2015] Adobe ColdFusion was notified about this issue at the same time. New <a href="http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-and-coldfusion-10-update-18-are-now-available">CF 10/11 patches</a> were released on 11/17/2015, but this issue probably wasn't fixed. (I can't test it anywhere yet.)</p>
<p>To see if your ColdFusion server is vulnerable, add the following javascript to your website. If you add this JS to TryCF.com, you wan't be able to access CF any more.</p>
<pre>
&lt;script type="text/javascript"&gt;
document.cookie = "lang=Español";
&lt;/script&gt;
</pre>
<p>Here's the offending JWPlayer caption label.</p>
<pre>
&lt;script type="text/javascript"&gt;
jwplayer('playerDiv').setup({
file: 'https://youtu.be/ZdBwIl9JPbY',
image: 'https://i.ytimg.com/vi/NXt_-RZOj1U/sddefault.jpg',
title: 'Demo',
width: '100%',
aspectratio: '4:3'
cookies: true,
tracks: [{
file: "/jwplayer_en.vtt",
label: 'English',
kind: 'captions',
"default":true
},{
file: "/jwplayer_es.vtt",
label: '<span style="background-color:#ff0;">Español</span>',
kind: 'captions'
}],
});
&lt;/script&gt;
</pre>
<p>The above configuration causes JWPlayer to generate a "<tt>jwplayer.captionLabel=Español</tt>" cookie when switching to Spanish. After the invalid cookie is created, no new web requests to the ColdFusion 10/11 Tomcat server can be processed.</p>
<p><b>SOLUTION:</b> Use <tt>encodeURIComponent</tt> so that the value is properly enocoded as "Espa%C3%B1ol". (NOTE: <tt>encodeURIComponent</tt> is already being used in the JWPlayer Javascript library. It should be used when saving cookies.)</p>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.