Author: olegk
Date: Mon Jun 13 12:04:56 2005
New Revision: 190485

URL: http://svn.apache.org/viewcvs?rev=190485&view=rev
Log:
PR #35225 (CookieSpecBase.domainMatch() leaks cookies to 3rd party domains)

Fixed a major problem with the browser compatibility policy leaking cookies to 
3rd party domains (.mydomain.com -> .notmydomain.com)

Contributed by Oleg Kalnichevski
Reviewed by Ortwin Glück

Modified:
    
jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
    
jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java

Modified: 
jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
URL: 
http://svn.apache.org/viewcvs/jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java?rev=190485&r1=190484&r2=190485&view=diff
==============================================================================
--- 
jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
 (original)
+++ 
jakarta/commons/proper/httpclient/trunk/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
 Mon Jun 13 12:04:56 2005
@@ -502,9 +502,14 @@
      * @param domain The cookie domain attribute.
      * @return true if the specified host matches the given domain.
      */
-    public boolean domainMatch(final String host, final String domain) {
-        return host.endsWith(domain)
-            || (domain.startsWith(".") && host.endsWith(domain.substring(1)));
+    public boolean domainMatch(final String host, String domain) {
+        if (host.equals(domain)) {
+            return true;
+        }
+        if (!domain.startsWith(".")) {
+            domain = "." + domain;
+        }
+        return host.endsWith(domain) || host.equals(domain.substring(1));
     }
 
     /**
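Review bot: The Javadoc kept above `domainMatch` still says only that the host "matches" the domain, so the label-boundary rule that closes the leak is not written down; the comment starts above this hunk. I would add a sentence such as `Matches only when host equals the domain or ends with "." + domain, so "notmydomain.com" never matches ".mydomain.com".` The new comparisons (`equals`, `endsWith`) are case-sensitive, and a domain that is only a top-level suffix such as `.net` still matches every host below it. Both are presumably handled by the callers (`match`/`validate`), which are not visible here, so that should be confirmed. Reassigning the `domain` parameter also drops its `final`; a local such as `final String dotted = domain.startsWith(".") ? domain : "." + domain;` would keep the signature unchanged.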

Modified: 
jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java
URL: 
http://svn.apache.org/viewcvs/jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java?rev=190485&r1=190484&r2=190485&view=diff
==============================================================================
--- 
jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java
 (original)
+++ 
jakarta/commons/proper/httpclient/trunk/src/test/org/apache/commons/httpclient/cookie/TestCookieCompatibilitySpec.java
 Mon Jun 13 12:04:56 2005
@@ -792,13 +792,49 @@
         cookiespec.validate("sourceforge.net", 80, "/", false, cookie);
     }
 
-    public void testSecondDomainLevelCookieMatch() throws Exception {
+    public void testSecondDomainLevelCookieMatch1() throws Exception {
         Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", 
null, false); 
         cookie.setDomainAttributeSpecified(true);
         cookie.setPathAttributeSpecified(true);
 
         CookieSpec cookiespec = new CookieSpecBase();
         assertTrue(cookiespec.match("sourceforge.net", 80, "/", false, 
cookie));
+    }
+
+    public void testSecondDomainLevelCookieMatch2() throws Exception {
+        Cookie cookie = new Cookie("sourceforge.net", "name", null, "/", null, 
false); 
+        cookie.setDomainAttributeSpecified(true);
+        cookie.setPathAttributeSpecified(true);
+
+        CookieSpec cookiespec = new CookieSpecBase();
+        assertTrue(cookiespec.match("www.sourceforge.net", 80, "/", false, 
cookie));
+    }
+
+    public void testSecondDomainLevelCookieMatch3() throws Exception {
+        Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", 
null, false); 
+         cookie.setDomainAttributeSpecified(true);
+         cookie.setPathAttributeSpecified(true);
+
+         CookieSpec cookiespec = new CookieSpecBase();
+         assertTrue(cookiespec.match("www.sourceforge.net", 80, "/", false, 
cookie));
+    }
+         
+    public void testInvalidSecondDomainLevelCookieMatch1() throws Exception {
+        Cookie cookie = new Cookie(".sourceforge.net", "name", null, "/", 
null, false); 
+        cookie.setDomainAttributeSpecified(true);
+        cookie.setPathAttributeSpecified(true);
+
+        CookieSpec cookiespec = new CookieSpecBase();
+        assertFalse(cookiespec.match("antisourceforge.net", 80, "/", false, 
cookie));
+    }
+
+    public void testInvalidSecondDomainLevelCookieMatch2() throws Exception {
+        Cookie cookie = new Cookie("sourceforge.net", "name", null, "/", null, 
false); 
+        cookie.setDomainAttributeSpecified(true);
+        cookie.setPathAttributeSpecified(true);
+
+        CookieSpec cookiespec = new CookieSpecBase();
+        assertFalse(cookiespec.match("antisourceforge.net", 80, "/", false, 
cookie));
     }
 
     public void testMatchNullHost() throws Exception {
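Review bot: Both negative tests use the same host, `antisourceforge.net`, so they pin only the prefix-collision case, and none of the added tests exercises the new `host.equals(domain)` branch with a dotless domain. A test that builds the cookie with domain `"sourceforge.net"` and asserts `assertTrue(cookiespec.match("sourceforge.net", 80, "/", false, cookie));` would cover it, unless one already exists elsewhere in the file. A negative case for a host that merely contains the domain (for example `sourceforge.net.example.org`, a constructed value) would guard against a later change to `contains`-style matching. The body of `testSecondDomainLevelCookieMatch3` is indented one column deeper than its siblings.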


