Author: markt Date: Wed Oct 1 12:58:41 2014 New Revision: 1628693 URL: http://svn.apache.org/r1628693 Log: Add validation of cookie values.
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java?rev=1628693&r1=1628692&r2=1628693&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java Wed Oct 1 12:58:41 2014
@@ -81,12 +81,37 @@ public class Rfc6265CookieProcessor impl
         // generation.
         header.append(cookie.getName());
         header.append('=');
-        // TODO: Value also needs validation that varies depending on the spec
-        // being used. This is currently delayed until the header is
-        // generated.
-        header.append(cookie.getValue());
+        String value = cookie.getValue();
+        if (value != null) {
+            validateCookieValue(value);
+            header.append(value);
+        }
         // TODO add support for the attributes.
         return header.toString();
     }
+
+
+    private void validateCookieValue(String value) {
+        if (value == null || value.length() == 0) {
+            return;
+        }
+
+        int start = 0;
+        int end = value.length();
+
+        if (end > 1 && value.charAt(0) == '"' && value.charAt(end - 1) == '"') {
+            start = 1;
+            end--;
+        }
+
+        char[] chars = value.toCharArray();
+        for (int i = start; i < end; i++) {
+            char c = chars[i];
+            if (c < 0x21 || c == 0x22 || c == 0x2c || c == 0x3b || c == 0x5c || c == 0x7f) {
+                // TODO i18n
+                throw new IllegalArgumentException();
+            }
+        }
+    }
 }

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
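Review bot: The character check in validateCookieValue admits every char above 0x7F, while the RFC 6265 cookie-octet grammar this class is named for stops at 0x7E, so a value containing non-ASCII text passes validation unchanged; replacing the last term with a range, `if (c < 0x21 || c == 0x22 || c == 0x2c || c == 0x3b || c == 0x5c || c > 0x7e) {`, would match the grammar and still reject 0x7F. If non-ASCII values are meant to be tolerated, a comment on that line saying so would help, because how such chars survive header serialisation depends on the connector's header encoding, which is not visible in this hunk. The `c < 0x21` term does already cover CR and LF, so response-splitting through the cookie value is blocked by this change. The `// TODO i18n` branch throws an IllegalArgumentException with no message at all; until the text is localised, carrying at least the offending character, e.g. `throw new IllegalArgumentException("Invalid character in cookie value: 0x" + Integer.toHexString(c));`, would make a rejected cookie diagnosable from the stack trace.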