https://issues.apache.org/bugzilla/show_bug.cgi?id=46903
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Mark Thomas <ma...@apache.org> 2009-04-09 04:27:21 PST ---

There are two separate issues here.

For cookies, we have to prevent invalid characters to prevent security issues (see CVE-2007-3385 & CVE-2007-5333). It took a couple of iterations to get an implementation that was a) secure and b) backwards compatible. Bug 46597 is tracking the back-porting of the remaining changes to 5.5.x and will hopefully be included in 5.5.28 onwards. Once this has been applied, the default behaviour will be to switch invalid v0 cookies to v1 and to quote where necessary.

The jsp quoting rules may be relaxed by setting
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING="false"

STRICT_SERVLET_COMPLIANCE is not intended to be a catch-all for all of the settings for servlet, jsp and el spec compatibility. The expected behaviour (for 5.5.27) is documented at http://tomcat.apache.org/tomcat-5.5-doc/config/systemprops.html which will be updated as required with each new 5.5.x release.

The cookie element is a duplicate and the quoting element a won't fix so I am marking this as won't fix.