Author: markt
Date: Wed May 21 13:55:16 2014
New Revision: 1596574
URL: http://svn.apache.org/r1596574
Log:
Apply patch 04 from jboynes to improve cookie handling.
Prevent V0 cookies using '=' in cookie names
I've checked back though the archives and I can find no record of a user asking
for this feature. Also, given the known behaviour of browsers it is unlikely to
have worked any way. On that basis, this should be safe.
Modified:
tomcat/trunk/java/javax/servlet/http/Cookie.java
tomcat/trunk/test/javax/servlet/http/TestCookieNetscapeValidator.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=1596574&r1=1596573&r2=1596574&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/Cookie.java (original)
+++ tomcat/trunk/java/javax/servlet/http/Cookie.java Wed May 21 13:55:16 2014
@@ -421,7 +421,10 @@ class CookieNameValidator {
}
class NetscapeValidator extends CookieNameValidator {
- private static final String NETSCAPE_SEPARATORS = ",; ";
+ // the Netscape specification describes NAME=VALUE as
+ // "a sequence of characters excluding semi-colon, comma and white space"
+ // we also exclude the '=' character that separates NAME from VALUE
+ private static final String NETSCAPE_SEPARATORS = ",; " + "=";
NetscapeValidator() {
super(NETSCAPE_SEPARATORS);
Modified: tomcat/trunk/test/javax/servlet/http/TestCookieNetscapeValidator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/javax/servlet/http/TestCookieNetscapeValidator.java?rev=1596574&r1=1596573&r2=1596574&view=diff
==============================================================================
--- tomcat/trunk/test/javax/servlet/http/TestCookieNetscapeValidator.java
(original)
+++ tomcat/trunk/test/javax/servlet/http/TestCookieNetscapeValidator.java Wed
May 21 13:55:16 2014
@@ -30,12 +30,14 @@ public class TestCookieNetscapeValidator
@Test
public void actualCharactersAllowedInName() {
// "any character except comma, semicolon and whitespace"
+ // also disallow '=' as that is interpreted as a delimiter by browsers
BitSet allowed = new BitSet(256);
allowed.or(TestCookie.CHAR);
allowed.andNot(TestCookie.CTL);
allowed.clear(';');
allowed.clear(',');
allowed.clear(' ');
+ allowed.clear('=');
TestCookie.checkCharInName(validator, allowed);
}
}
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1596574&r1=1596573&r2=1596574&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed May 21 13:55:16 2014
@@ -87,12 +87,19 @@
Relax cookie naming restrictions. Cookie attribute names used in the
<code>Set-Cookie</code> header may be used unambiguously as cookie
names. The restriction that prevented such usage has been removed.
- (jboynes/markt)
+ (jboynes/markt)
</fix>
<fix>
Further relax cookie naming restrictions. Version 0 (a.k.a Netscape
format) cookies may now use names that start with the <code>$</code>
- character. (jboynes/markt)
+ character. (jboynes/markt)
+ </fix>
+ <fix>
+ Restrict cookie naming so that the <code>=</code> character is no
longer
+ permitted in a version 0 (a.k.a. Netscape format) cookie name. While
+ Tomcat allowed this, browsers always truncated the name at the
+ <code>=</code> character leading to a mis-match between the cookie the
+ server set and the cookie returned by the browser. (jboynes/markt)
</fix>
</changelog>
</subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
