Hello.

Ran into an interesting problem yesterday. After updating Tomcat to
9.0.69 to mitigate a disclosed CVE, some of our tests started failing.

Investigation uncovered that the HTTP client stopped accepting
"set-cookie" headers because of "expires" attribute values.

There was a change to the format of the "expires" cookie attribute, to
replace dashes with spaces between date/month/year:
https://github.com/apache/tomcat/commit/d641a43b8a1a0a09862e101c304d2874b0771c6e

Interestingly, RFC-6265, section 5.1.1 allows for these delimiters
between any of the date components: %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
So the dash (0x2d) was a legitimate delimiter.

Apache HTTP client 4.x, however, by default applies the "default" cookie
policy, which has a JavaDoc description of:

> This policy provides a higher degree of compatibility with common cookie
> management of popular HTTP agents for non-standard (Netscape style) cookies.

However, what happens in reality is that if the cookie has an "expires"
attribute, it's always treated as a "Netscape" cookie, whose only
supported date format is EEE, dd-MMM-yy HH:mm:ss z; see the sources
of org.apache.http.impl.cookie.DefaultCookieSpec (I have a gnawing
feeling I'm missing something here, because the format wants a 2-digit year,
and Tomcat was sending 4 digits. But the outcome is the same - if the
date has spaces between the date components, cookies are not accepted
with the "default" cookie policy).

It seems that cookie parsing is rather haphazard in the Apache HTTP client.

I'm sure this change is breaking things on the client side here and
there as a result, and I haven't seen any topics on this on the list,
so I thought somebody might find this useful.

SUMMARY:
Changing something THAT old was bound to create problems for some
clients; I'm not sure how useful this change was in general, even if
the change remains compliant with the relevant specs.

Thank you,
  Pawel.
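To illustrate the mismatch described above, here is an added example (not code from Tomcat, Apache HttpClient or the poster) implementing the RFC 6265 section 5.1.1 cookie-date algorithm in Python, which accepts both the dash-delimited and the space-delimited "expires" values; the strict Netscape-style regex beside it is a hypothetical approximation of the rigid pattern the post describes, written here only for contrast.

```python
import re
from datetime import datetime, timezone

# RFC 6265 s5.1.1: date-tokens are runs of non-delimiter octets; the
# delimiter set is %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E, which
# includes both space (0x20) and dash (0x2d).
_DELIMITER = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
_TIME = re.compile(r"^([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})(?:[^0-9].*)?$")
_DAY = re.compile(r"^([0-9]{1,2})(?:[^0-9].*)?$")
_YEAR = re.compile(r"^([0-9]{2,4})(?:[^0-9].*)?$")
_MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec"]

# Hypothetical strict "EEE, dd-MMM-yy HH:mm:ss z" pattern, as the post
# describes the Netscape cookie date format; not HttpClient's own code.
_NETSCAPE = re.compile(
    r"^[A-Za-z]{3}, [0-9]{2}-[A-Za-z]{3}-[0-9]{2,4} "
    r"[0-9]{2}:[0-9]{2}:[0-9]{2} [A-Za-z]+$")


def parse_cookie_date(cookie_date: str):
    """Parse a Set-Cookie 'expires' value per RFC 6265 s5.1.1.
    Returns an aware UTC datetime, or None where the RFC says to fail."""
    time = day = month = year = None
    for token in _DELIMITER.split(cookie_date):
        if not token:
            continue  # leading/trailing delimiters yield empty tokens
        m = _TIME.match(token)
        if time is None and m:
            time = tuple(int(g) for g in m.groups())
            continue
        m = _DAY.match(token)
        if day is None and m:
            day = int(m.group(1))
            continue
        if month is None and token[:3].lower() in _MONTHS:
            month = _MONTHS.index(token[:3].lower()) + 1
            continue
        m = _YEAR.match(token)
        if year is None and m:
            year = int(m.group(1))
    if None in (time, day, month, year):
        return None
    if 70 <= year <= 99:   # two-digit year handling mandated by the RFC
        year += 1900
    elif 0 <= year <= 69:
        year += 2000
    hour, minute, second = time
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:  # e.g. 31 Feb: calendar-invalid, treat as parse failure
        return None


def matches_netscape_format(cookie_date: str) -> bool:
    """True only for the dash-delimited form; the space-delimited form fails."""
    return _NETSCAPE.match(cookie_date) is not None
```

The RFC parser returns the same instant for "Tue, 01-Jan-2030 00:00:00 GMT" and "Tue, 01 Jan 2030 00:00:00 GMT", while the strict pattern rejects the second, which is the breakage the post observed.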
