Tomcat default stacktrace page will be displayed with invalid locale cookie value #8075

Closed
@IsaoTakahashi

I've found a case where the stack trace is exposed when I use CookieLocaleResolver.

When an invalid value (e.g. ') is put in the locale cookie, an IllegalArgumentException is thrown and it is not handled by any error handler.
As a result, the Tomcat default stack trace page is displayed.

Although I defined the error handling logic below, it doesn't work for this situation.

  • declare a class extending ExceptionHandlerExceptionResolver and add a handler with @ExceptionHandler(Exception.class)
  • add server.error.whitelabel.enabled=false to avoid displaying whitelabel page

Here is a stacktrace on error page.

java.lang.IllegalArgumentException: Locale part "'" contains invalid characters
	org.springframework.util.StringUtils.validateLocalePart(StringUtils.java:719)
	org.springframework.util.StringUtils.parseLocaleString(StringUtils.java:699)
	org.springframework.web.servlet.i18n.CookieLocaleResolver.parseLocaleValue(CookieLocaleResolver.java:247)
	org.springframework.web.servlet.i18n.CookieLocaleResolver.parseLocaleCookieIfNecessary(CookieLocaleResolver.java:193)
	org.springframework.web.servlet.i18n.CookieLocaleResolver.resolveLocaleContext(CookieLocaleResolver.java:165)
	org.springframework.web.servlet.DispatcherServlet.buildLocaleContext(DispatcherServlet.java:1069)
	org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:959)
	org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:105)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

Related Issue

I think #7936 is a similar situation.

Appendix

I created a tiny demo app.
You can reproduce the issue with the app below.
IsaoTakahashi/cookie-locale-exception
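
One possible mitigation for the report above, as an added example that is not part of the original issue or of the Spring code base: the stack trace shows the exception leaving DispatcherServlet.buildLocaleContext, so a servlet filter ahead of it can hide a locale cookie that fails the same StringUtils.parseLocaleString call, letting the resolver fall back to its default. The class name LocaleCookieSanitizingFilter, the constructor argument, and the "locale[ timezone]" cookie layout are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical filter (not Spring's own): drops a locale cookie the locale parser would reject.
public class LocaleCookieSanitizingFilter extends OncePerRequestFilter {
    private final String cookieName; // assumption: same name the CookieLocaleResolver is configured with

    public LocaleCookieSanitizingFilter(String cookieName) {
        this.cookieName = cookieName;
    }

    // True when the locale part of the cookie value parses without IllegalArgumentException.
    static boolean isParseable(String value) {
        if (value == null) return false;
        int space = value.indexOf(' '); // assumed layout: "locale[ timezone]"
        String localePart = (space == -1 ? value : value.substring(0, space));
        try {
            StringUtils.parseLocaleString(localePart); // the call that throws in the stack trace
            return true;
        } catch (IllegalArgumentException ex) {
            return false;
        }
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        final List<Cookie> kept = new ArrayList<>();
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (!cookieName.equals(c.getName()) || isParseable(c.getValue())) kept.add(c);
            }
        }
        // Downstream code, including the locale resolver, only sees the cookies that were kept.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override
            public Cookie[] getCookies() {
                return kept.toArray(new Cookie[0]);
            }
        }, response);
    }
}
```

The filter only covers the locale part of the cookie; other failures raised before a handler is invoked still need a container-level error page that does not print stack traces.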
