On 11:35 Fri 11 Feb, Joe Darcy wrote:
> Networking team,
> 
> Any comments on backporting this change to OpenJDK 6?  My inclination is 
> to approve the backport, but I want your input on the issue.
> 
> -Joe
> 
> On 2/8/2011 1:19 AM, Florian Weimer wrote:
> > This change:
> >
> > # User jccollet
> > # Date 1208423133 -7200
> > # Node ID d44e3bf49ffbcbc5c6ce9a8fa4113153f8368a60
> > # Parent  a954a6f3be6fa69014f00488f52b2da12e6634bf
> > 6644726: Cookie management issues
> > Summary: Many changes to accommodate RFC 2965 and old Netscape specs
> > Reviewed-by: chegar
> >
> > diff -r a954a6f3be6f -r d44e3bf49ffb 
> > src/share/classes/java/net/CookieManager.java
> > --- a/src/share/classes/java/net/CookieManager.java     Wed Apr 16 14:17:54 
> > 2008 +0100
> > +++ b/src/share/classes/java/net/CookieManager.java     Thu Apr 17 11:05:33 
> > 2008 +0200
> > @@ -205,11 +205,31 @@
> >           if (cookieJar == null)
> >               return Collections.unmodifiableMap(cookieMap);
> >
> > +        boolean secureLink = "https".equalsIgnoreCase(uri.getScheme());
> >           List<HttpCookie>  cookies = new java.util.ArrayList<HttpCookie>();
> > +        String path = uri.getPath();
> > +        if (path == null || path.isEmpty()) {
> > +            path = "/";
> > +        }
> >           for (HttpCookie cookie : cookieJar.get(uri)) {
> >               // apply path-matches rule (RFC 2965 sec. 3.3.4)
> > -            if (pathMatches(uri.getPath(), cookie.getPath())) {
> > -                cookies.add(cookie);
> > +            // and check for the possible "secure" tag (i.e. don't send
> > +            // 'secure' cookies over unsecure links)
> > +            if (pathMatches(path, cookie.getPath())&&
> > +                    (secureLink || !cookie.getSecure())) {
> > [...]
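
Review bot: In the new condition `pathMatches(path, cookie.getPath())`, only the request side is normalized: a null or empty `uri.getPath()` becomes "/", but `cookie.getPath()` is still passed through unchanged. Please confirm that `pathMatches` copes with a cookie that has no path, or apply the same default to it. The `secureLink` test treats every scheme other than "https" as an insecure link, so secure cookies are withheld in all other cases; a one-line comment stating that this is intended would help anyone backporting the fragment on its own. Wording nit: the added comment says "unsecure links" where "insecure links" is meant.
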
> >
> > is arguably a security fix (sending HTTPS-only cookies over HTTP is a
> > problem).  The whole patch seems to be quite important for
> > interoperability.  (Further changes from JDK 7 and maybe even new
> > development may be required to get cookie support working; I will
> > check that if backporting such changes is fine in principle.)
> >
> 

This is only a fragment of 6644726.  Please only use the existing bug ID
if the whole patch is going to be backported.
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37
