hc-dev mailing list archives

From "Dmitry Grytsovets (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-1043) BasicPathHandler match bug
Date Fri, 14 Jan 2011 15:23:45 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12981790#action_12981790
] 

Dmitry Grytsovets commented on HTTPCLIENT-1043:
-----------------------------------------------

> The HTTP specification clearly states that the path attribute must be a prefix of the
> request-URI. See the extracts above. Therefore a cookie with the path "/d1/d2" can be sent
> to "/d1/d2/d3" but cannot be sent to "/d1".
>
> If your application needs to be compatible with broken web sites that violate the HTTP
> specification, you can implement a custom cookie spec or override the path matching logic
> of the default implementation.


Simple scenario:
You are on page http://localhost/stat/
When you enter the password for domain.tld, page http://localhost/stat/ tries to set a cookie for
http://localhost/stat/domain.tld/
The current version of the client REJECTS this cookie,
as you can see in my test:

    CookieSpec cookiespec = new RFC2109Spec();
    // login page
    CookieOrigin readOrigin = new CookieOrigin("127.0.0.1", 80, "/d1", false);
    // trying to set cookies for its CHILD
    BasicHeader header = new BasicHeader("Set-Cookie",
            "cookie-name=cookie-value; domain=127.0.0.1; path=/d1/d2");
    // this part must be fixed
    List<Cookie> cookies = cookiespec.parse(header, readOrigin);
    try {
        for (int i = 0; i < cookies.size(); i++) {
            cookiespec.validate(cookies.get(i), readOrigin);
        }
    } catch (MalformedCookieException e) {
        // BUT CLIENT REJECTS IT
        Assert.fail("MalformedCookieException should not have been thrown");
    }

> BasicPathHandler match bug
> --------------------------
>
>                 Key: HTTPCLIENT-1043
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1043
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpCookie
>    Affects Versions: 4.0.1, 4.0.2, 4.0.3, 4.1 Alpha1, 4.1 Alpha2, 4.1 Beta1
>            Reporter: Dmitry Grytsovets
>            Priority: Minor
>
> in BasicPathHandler
>         boolean match = targetpath.startsWith(topmostPath);
>         // if there is a match and these values are not exactly the same we have
>         // to make sure we're not matching "/foobar" and "/foo"
>         if (match && targetpath.length() != topmostPath.length()) {
>             if (!topmostPath.endsWith("/")) {
>                 match = (targetpath.charAt(topmostPath.length()) == '/');
>             }
>         }
> must be changed to
>         boolean match = topmostPath.startsWith(targetpath);
>         // if there is a match and these values are not exactly the same we have
>         // to make sure we're not matching "/foobar" and "/foo"
>         if (match && targetpath.length() != topmostPath.length()) {
>             if (!targetpath.endsWith("/")) {
>                 match = (topmostPath.charAt(targetpath.length()-1) == '/');
>             }
>         }
> example
> targetpath = "/stat/" // where you are
> topmostPath = "/stat/domain.tld/" // cookie for path

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
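
Added example, not part of the original message or of HttpClient: a stand-alone Java check that runs the two path-matching rules quoted in the issue (the existing one and the reversed one) over the paths mentioned in this thread. The class and method names (PathScopeCheck, currentRule, reversedRule) and the case table are assumptions made for the illustration; only the two rule bodies come from the quoted snippets.

```java
// Added illustration; PathScopeCheck, currentRule and reversedRule are hypothetical names.
public class PathScopeCheck {

    // Rule quoted under "in BasicPathHandler": the cookie path (topmostPath)
    // must be a prefix of the request path (targetpath).
    static boolean currentRule(String targetpath, String topmostPath) {
        boolean match = targetpath.startsWith(topmostPath);
        // "/foobar" must not match a cookie scoped to "/foo"
        if (match && targetpath.length() != topmostPath.length()) {
            if (!topmostPath.endsWith("/")) {
                match = targetpath.charAt(topmostPath.length()) == '/';
            }
        }
        return match;
    }

    // Rule quoted under "must be changed to", reproduced as written in the issue.
    static boolean reversedRule(String targetpath, String topmostPath) {
        boolean match = topmostPath.startsWith(targetpath);
        if (match && targetpath.length() != topmostPath.length()) {
            if (!targetpath.endsWith("/")) {
                match = topmostPath.charAt(targetpath.length() - 1) == '/';
            }
        }
        return match;
    }

    public static void main(String[] args) {
        // Constructed cases: {request path, cookie Path attribute}
        String[][] cases = {
            {"/d1/d2/d3", "/d1/d2"},            // request below the cookie path
            {"/d1/d2", "/d1/d2"},               // identical paths
            {"/d1", "/d1/d2"},                  // the test case from the comment
            {"/stat/", "/stat/domain.tld/"},    // the example from the issue
            {"/stat/domain.tld/", "/stat/"},    // request below the cookie path
            {"/foobar", "/foo"},                // sibling that shares a string prefix
        };
        boolean[] expectCurrent  = {true,  true, false, false, true,  false};
        boolean[] expectReversed = {false, true, false, true,  false, false};
        for (int i = 0; i < cases.length; i++) {
            boolean cur = currentRule(cases[i][0], cases[i][1]);
            boolean rev = reversedRule(cases[i][0], cases[i][1]);
            if (cur != expectCurrent[i] || rev != expectReversed[i]) {
                throw new AssertionError("unexpected result for case " + i);
            }
            System.out.printf("request=%-18s cookie-path=%-18s current=%-5b reversed=%b%n",
                    cases[i][0], cases[i][1], cur, rev);
        }
    }
}
```

The rows where the two columns differ show the scope change: the reversed rule accepts a cookie scoped below the requesting page ("/stat/" with "/stat/domain.tld/") and no longer matches requests below the cookie path, while "/d1" with "/d1/d2" is still rejected because of the `length()-1` index.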