Author: olegk Date: Mon Jun 13 12:04:56 2005 New Revision: 190485 URL: http://svn.apache.org/viewcvs?rev=190485&view=rev Log: PR #35225 (CookieSpecBase.domainMatch() leaks cookies to 3rd party domains)
Fixed a major problem with the browser compatibility policy leaking cookies to 3rd party domains (.mydomain.com -> .notmydomain.com) Contributed by Oleg Kalnichevski Reviewed by Ortwin Glück
Modified: jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java
Modified: jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
URL: http://svn.apache.org/viewcvs/jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java?rev=190485&r1=190484&r2=190485&view=diff
==============================================================================
--- jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java (original)
+++ jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java Mon Jun 13 12:04:56 2005
@@ -502,9 +502,14 @@
 * @param domain The cookie domain attribute.
 * @return true if the specified host matches the given domain.
 */
- public boolean domainMatch(final String host, final String domain) {
- return host.endsWith(domain)
- || (domain.startsWith(".") && host.endsWith(domain.substring(1)));
+ public boolean domainMatch(final String host, String domain) {
+ if (host.equals(domain)) {
+ return true;
+ }
+ if (!domain.startsWith(".")) {
+ domain = "." + domain;
+ }
+ return host.endsWith(domain) || host.equals(domain.substring(1));
 }

 /**
Modified: jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java
URL: http://svn.apache.org/viewcvs/jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java?rev=190485&r1=190484&r2=190485&view=diff
==============================================================================
--- jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java (original)
+++ jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java Mon Jun 13 12:04:56 2005
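Review bot: The method Javadoc, whose opening lines and `@param host` sit just above the hunk, should now document the normalization the new body performs: `@param domain The cookie domain attribute; a value without a leading dot is treated as "." + domain, so the host must equal it or be a subdomain of it.` The comparison is purely case-sensitive (`equals`/`endsWith`), so unless callers lowercase both host and domain before reaching this method — not visible here — a mixed-case host would fail to match; that fails closed rather than leaking, but is worth confirming with a test. Reassigning the `domain` parameter is a style smell; `final String dotted = domain.startsWith(".") ? domain : "." + domain;` keeps the parameter untouched, and the initial `host.equals(domain)` check then only adds the case of a host that itself starts with a dot, because the final clause already covers the undotted exact match. If an empty domain attribute can reach this method (validation is outside the hunk), it becomes `"."` and matches any host ending in a dot, so a guard or an explicit note on that precondition would help.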
@@ -792,13 +792,49 @@
 cookiespec.validate("sourceforge.net", 80, "/", false, cookie);
 }

- public void testSecondDomainLevelCookieMatch() throws Exception {
+ public void testSecondDomainLevelCookieMatch1() throws Exception {
 Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", null, false);
 cookie.setDomainAttributeSpecified(true);
 cookie.setPathAttributeSpecified(true);

 CookieSpec cookiespec = new CookieSpecBase();
 assertTrue(cookiespec.match("sourceforge.net", 80, "/", false, cookie));
+ }
+
+ public void testSecondDomainLevelCookieMatch2() throws Exception {
+ Cookie cookie = new Cookie("sourceforge.net", "name", null, "/", null, false);
+ cookie.setDomainAttributeSpecified(true);
+ cookie.setPathAttributeSpecified(true);
+
+ CookieSpec cookiespec = new CookieSpecBase();
+ assertTrue(cookiespec.match("www.sourceforge.net", 80, "/", false, cookie));
+ }
+
+ public void testSecondDomainLevelCookieMatch3() throws Exception {
+ Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", null, false);
+ cookie.setDomainAttributeSpecified(true);
+ cookie.setPathAttributeSpecified(true);
+
+ CookieSpec cookiespec = new CookieSpecBase();
+ assertTrue(cookiespec.match("www.sourceforge.net", 80, "/", false, cookie));
+ }
+
+ public void testInvalidSecondDomainLevelCookieMatch1() throws Exception {
+ Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", null, false);
+ cookie.setDomainAttributeSpecified(true);
+ cookie.setPathAttributeSpecified(true);
+
+ CookieSpec cookiespec = new CookieSpecBase();
+ assertFalse(cookiespec.match("antisourceforge.net", 80, "/", false, cookie));
+ }
+
+ public void testInvalidSecondDomainLevelCookieMatch2() throws Exception {
+ Cookie cookie = new Cookie("sourceforge.net", "name", null, "/", null, false);
+ cookie.setDomainAttributeSpecified(true);
+ cookie.setPathAttributeSpecified(true);
+
+ CookieSpec cookiespec = new CookieSpecBase();
+ assertFalse(cookiespec.match("antisourceforge.net", 80, "/", false, cookie));
 }

 public void testMatchNullHost() throws Exception {
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
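Review bot: The new tests never exercise the undotted exact-host case that the changed `domainMatch` now handles with its first `host.equals(domain)` branch — a cookie with domain `"sourceforge.net"` matched against host `"sourceforge.net"` — so `assertTrue(cookiespec.match("sourceforge.net", 80, "/", false, cookie));` added to testSecondDomainLevelCookieMatch2 would pin that branch alongside the subdomain case. A negative case where the host merely ends with the domain's unsuffixed text (the `antisourceforge.net` scenario) is covered for both dotted and undotted domains, which is the regression the commit fixes. The five methods also repeat the same three-line cookie construction; a small factory helper keeps each test to its assertions and makes future cases, such as a mixed-case host, a one-liner.

```java
// … unchanged: earlier tests …

private static Cookie newDomainCookie(final String domain) {
    Cookie cookie = new Cookie(domain, "name", null, "/", null, false);
    cookie.setDomainAttributeSpecified(true);
    cookie.setPathAttributeSpecified(true);
    return cookie;
}

public void testSecondDomainLevelCookieMatch2() throws Exception {
    CookieSpec cookiespec = new CookieSpecBase();
    Cookie cookie = newDomainCookie("sourceforge.net");
    assertTrue(cookiespec.match("sourceforge.net", 80, "/", false, cookie));
    assertTrue(cookiespec.match("www.sourceforge.net", 80, "/", false, cookie));
}

// … unchanged: remaining tests, each reduced to newDomainCookie(...) plus its assertion …
```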