@JamoCA
Last active December 16, 2015 15:00
JWPlayer 7 saves UTF-8 cookies without encoding them as per RFC6265. Invalid cookies cause critical server issue with Tomcat Java.
<p>If you use non-ASCII characters as a "caption label" (i.e., "<tt>Español</tt>"), JWPlayer saves the unencoded value in a cookie (<tt>jwplayer.captionLabel=Español</tt>). I found information on adding caption tracks here:<br>
<a href="http://www.3playmedia.com/how-it-works/how-to-guides/jw-player/" target="_blank">http://www.3playmedia.com/how-it-works/how-to-guides/jw-player/</a></p>
<p>More Info on allowable characters here:<br>
<a href="http://stackoverflow.com/a/1969339/693068" target="_blank">http://stackoverflow.com/a/1969339/693068</a></p>
<p>This RFC6265 non-compliant cookie value is currently causing problems with ColdFusion 10/11 running on Tomcat 7. Any request to the Java platform that carries an invalid cookie will cause a 500 Server Error.<br>
<a href="http://stackoverflow.com/q/33289047/693068" target="_blank">http://stackoverflow.com/q/33289047/693068</a></p>
<p>It's standard practice to display language choices in the language of the speaker/reader, but saving the Unicode value directly in a cookie without passing it through JavaScript's "<tt>encodeURIComponent</tt>" should be avoided.</p>
<p>[UPDATE 12/16/2015] On 11/19/2015 (less than 30 days after reporting this), <a href="https://support.jwplayer.com/customer/en/portal/articles/1403726-jw-player-7-release-notes#version722">JWPlayer 7.2</a> was released and all settings are now saved using local storage.</p>
<p>[UPDATE 12/16/2015] Adobe ColdFusion was notified about this issue at the same time. New <a href="http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-and-coldfusion-10-update-18-are-now-available">CF 10/11 patches</a> were released on 11/17/2015, but this issue probably wasn't fixed. (I can't test it anywhere yet.)</p>
<p>To see if your ColdFusion server is vulnerable, add the following JavaScript to your website. If you add this JS to TryCF.com, you won't be able to access CF any more.</p>
<pre>
&lt;script type="text/javascript"&gt;
document.cookie = "lang=Español";
&lt;/script&gt;
</pre>
<p>Here's the offending JWPlayer caption label. (The original snippet was missing the comma after <tt>aspectratio</tt>, which is fixed here so the configuration actually parses.)</p>
<pre>
&lt;script type="text/javascript"&gt;
jwplayer('playerDiv').setup({
    file: 'https://youtu.be/ZdBwIl9JPbY',
    image: 'https://i.ytimg.com/vi/NXt_-RZOj1U/sddefault.jpg',
    title: 'Demo',
    width: '100%',
    aspectratio: '4:3',
    cookies: true,
    tracks: [{
        file: "/jwplayer_en.vtt",
        label: 'English',
        kind: 'captions',
        "default": true
    }, {
        file: "/jwplayer_es.vtt",
        label: 'Español',   // non-ASCII label: stored unencoded in the cookie
        kind: 'captions'
    }]
});
&lt;/script&gt;
</pre>
<p>The above configuration causes JWPlayer to generate a "<tt>jwplayer.captionLabel=Español</tt>" cookie when switching to Spanish. After the invalid cookie is created, no new web requests to the ColdFusion 10/11 Tomcat server can be processed.</p>
<p><b>SOLUTION:</b> Use <tt>encodeURIComponent</tt> so that the value is properly encoded as "Espa%C3%B1ol". (NOTE: <tt>encodeURIComponent</tt> is already used elsewhere in the JWPlayer JavaScript library. It should also be used when saving cookies.)</p>
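<p>The following is an added example (not code from the gist or from JWPlayer) showing the two halves of the fix described above: a check that a cookie value only contains RFC 6265 <tt>cookie-octet</tt> characters, and a writer/reader pair that percent-encodes with <tt>encodeURIComponent</tt> before storing and decodes on the way back. The function names <tt>isRfc6265CookieValue</tt>, <tt>buildCookie</tt> and <tt>parseCookies</tt> are my own; the sample cookie values are constructed for the demo.</p>

```javascript
// Added example, not part of the original gist or of JWPlayer.
// Demonstrates why "jwplayer.captionLabel=Español" is an invalid cookie
// and how encodeURIComponent produces a value that is safe to store.

// RFC 6265 section 4.1.1 cookie-octet:
//   %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// i.e. printable US-ASCII excluding CTLs, whitespace, DQUOTE, comma,
// semicolon and backslash. Anything outside 0x21..0x7E (such as "ñ")
// is rejected, which is exactly what a strict Tomcat cookie parser does.
function isRfc6265CookieValue(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x21) continue;
    if (c >= 0x23 && c <= 0x2b) continue;
    if (c >= 0x2d && c <= 0x3a) continue;
    if (c >= 0x3c && c <= 0x5b) continue;
    if (c >= 0x5d && c <= 0x7e) continue;
    return false;
  }
  return true;
}

// Build a "name=value" cookie pair. The raw value is percent-encoded so
// that every byte of its UTF-8 form becomes a valid cookie-octet. The
// characters encodeURIComponent leaves alone (A-Z a-z 0-9 - _ . ! ~ * ' ( ))
// are all within the cookie-octet set, so the check below is a guard
// against future regressions rather than something expected to fire.
function buildCookie(name, rawValue) {
  const encoded = encodeURIComponent(rawValue);
  if (!isRfc2265SafeName(name) || !isRfc6265CookieValue(encoded)) {
    throw new Error("cookie name or value contains invalid octets");
  }
  return name + "=" + encoded;
}

// Cookie names are tokens (RFC 2616 / RFC 6265): no separators or CTLs.
function isRfc2265SafeName(name) {
  return name.length > 0 && !/[\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]/.test(name);
}

// Parse a document.cookie-style string ("a=1; b=2") into a map of
// name -> decoded value, reversing the encoding done by buildCookie.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (!trimmed || eq < 0) continue;
    out[trimmed.slice(0, eq)] = decodeURIComponent(trimmed.slice(eq + 1));
  }
  return out;
}

// Constructed demo values: the unsafe form JWPlayer wrote, and the safe form.
const OFFENDING_VALUE = "Español";
const SAFE_COOKIE = buildCookie("jwplayer.captionLabel", OFFENDING_VALUE);
// SAFE_COOKIE is "jwplayer.captionLabel=Espa%C3%B1ol"

// In a browser, this is the line JWPlayer should have executed; the guard
// keeps the script runnable under Node as well.
if (typeof document !== "undefined") {
  document.cookie = SAFE_COOKIE + "; path=/";
}
```

<p>Reading the value back with <tt>parseCookies(document.cookie)</tt> returns the original "Español", so the user-visible label is unchanged; only the wire form that Tomcat has to parse is restricted to ASCII.</p>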