[
https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783401#comment-15783401
]
Detlev Beutner commented on HTTPCLIENT-1006:
--------------------------------------------
Hi Oleg,
I don't see the first sentence, but as the RFCs are deprecated, let's just move
the interpretation of RFC 2616 aside and hold to RFC 6265.
But the core question is in your second sentence: "Even on a basic common sense
level quotes as a part of cookie value makes zero sense as they have
universally been intended as an escape mechanism in HTTP related protocols."
This only might hold for consumers outside the
cookie-moving-http-req-res-cycle, i.e. for clients to show content of cookies
(JS access) or for servers to read content of (sent-back) cookies. But outside
of such accesses, exactly the opposite holds: If the value needs DQs as escape
mechanism (from server to client), it needs them also on the way back (from
client to server). And that's why, at least for this purpose, the client always
needs to preserve the DQs in the value. It might strip them on API access to
the cookies not meant for the core communication process, but that's all...
Hope this differentiates this a bit and makes clear, why "generally stripping
DQs" is always a bug on client side,
Best regards & thanks in advance
Detlev
> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1006
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.0.2
> Reporter: Marc Guillemot
>
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly
> removing the leading and trailing quotes. The incorrect quote removal occurs
> in BasicHeaderValueParser.
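
The round trip this comment describes, as an added example that is not part of the original message and is not HttpClient code: a Python sketch of the RFC 6265 section 5.2 name-value parsing step, with a hypothetical `strip_quotes` switch that mimics the reported behaviour, showing which `Cookie` header goes back to the server in each case. All function names, and the sample headers other than `first="hello world"`, are constructed for illustration.

```python
# Added illustration: protocol-level sketch, not HttpClient code.

def parse_set_cookie(header_value, strip_quotes=False):
    """Return (name, value) from a Set-Cookie header value.

    Follows the RFC 6265 section 5.2 user-agent steps for the name-value
    pair: cut at the first ';', split at the first '=', trim whitespace.
    strip_quotes=True reproduces the behaviour reported in the issue.
    """
    pair = header_value.split(";", 1)[0]
    if "=" not in pair:
        raise ValueError("no '=' in name-value pair")
    name, value = pair.split("=", 1)
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        raise ValueError("empty cookie name")
    # Hypothetical switch: remove one pair of surrounding double quotes.
    if strip_quotes and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return name, value


def cookie_header(jar):
    """Serialise stored cookies into a Cookie request header value."""
    return "; ".join(f"{n}={v}" for n, v in jar.items())


def round_trip(set_cookie_values, strip_quotes):
    """Store each Set-Cookie value, then build the Cookie header sent back."""
    jar = {}
    for raw in set_cookie_values:
        name, value = parse_set_cookie(raw, strip_quotes)
        jar[name] = value
    return cookie_header(jar)


# Constructed sample input; the first entry is the header from the issue.
SAMPLE = ['first="hello world"', 'plain=abc; Path=/', 'half="open; Secure']

if __name__ == "__main__":
    print("preserving:", round_trip(SAMPLE, strip_quotes=False))
    print("stripping: ", round_trip(SAMPLE, strip_quotes=True))
```

With stripping enabled, the server receives `first=hello world`, a value that differs from the one it issued; the unbalanced `half="open` value is left alone in both modes.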