hc-dev mailing list archives

From "Liang Sun (Issue Comment Edited) (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Edited] (HTTPCLIENT-1006) BrowserCompatSpec: don't trim " around cookie value
Date Sat, 11 Feb 2012 08:13:59 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13206054#comment-13206054 ]

Liang Sun edited comment on HTTPCLIENT-1006 at 2/11/12 8:12 AM:
----------------------------------------------------------------

I'm glad to hear that.
To complement that: you can do the strip most times, but in some circumstances you cannot.
Here is an example:
session="abc\075"
If you strip out the quotes, this will be
session=abc\075

The above cookie value will be parsed as
session=abc
because according to RFC 2109:

value           =       word
word            =       token | quoted-string

and RFC 2068

token          = 1*<any CHAR except CTLs or tspecials>
tspecials      = "(" | ")" | "<" | ">" | "@"
                         | "," | ";" | ":" | "\" | <">
                         | "/" | "[" | "]" | "?" | "="
                         | "{" | "}" | SP | HT

That means a token (value without quoted-string) should not contain the character "\" (it's
a tspecial).
But in the above example, you strip out the quoted-string to make it a token, which contains the
character "\".
                
      was (Author: alazyrabbit):
    Yes, you can do the strip most times, but in some circumstances you cannot. Here is
an example:
session="abc\075"
If you strip out the quotes, this will be
session=abc\075

The above cookie value will be parsed as
session=abc
because according to RFC 2109:

value           =       word
word            =       token | quoted-string

and RFC 2068

token          = 1*<any CHAR except CTLs or tspecials>
tspecials      = "(" | ")" | "<" | ">" | "@"
                         | "," | ";" | ":" | "\" | <">
                         | "/" | "[" | "]" | "?" | "="
                         | "{" | "}" | SP | HT

That means a token (value without quoted-string) should not contain the character "\" (it's
a tspecial).
But in the above example, you strip out the quoted-string to make it a token, which contains the
character "\".
                  
> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1006
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpCookie
>    Affects Versions: 4.0.2
>            Reporter: Marc Guillemot
>
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly removing
> the leading and trailing quotes. The incorrect quote removal occurs in BasicHeaderValueParser.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
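
The grammar point made in the comment above, as an added example (not part of the original message and not HttpClient code): a small reader for the RFC 2068 `word` rule, showing that `abc\075` without its quotes no longer parses as one value. The names `parse_word` and `safe_to_strip` and the sample values are constructed for illustration.

```python
# tspecials from RFC 2068 section 2.2, as quoted in the comment above.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def is_token_char(ch):
    """A CHAR (US-ASCII) that is neither a CTL (0-31, 127) nor a tspecial."""
    return 32 < ord(ch) < 127 and ch not in TSPECIALS


def parse_word(raw):
    """Read one `word` (token | quoted-string) from the start of raw.

    Returns (kind, text, rest); kind is 'quoted-string', 'token' or None.
    """
    if raw.startswith('"'):
        i = 1
        while i < len(raw):
            if raw[i] == '\\' and i + 1 < len(raw):
                i += 2  # quoted-pair: backslash plus the following CHAR
            elif raw[i] == '"':
                return 'quoted-string', raw[:i + 1], raw[i + 1:]
            else:
                i += 1
        return None, '', raw  # unterminated quoted-string
    i = 0
    while i < len(raw) and is_token_char(raw[i]):
        i += 1
    if i == 0:
        return None, '', raw
    return 'token', raw[:i], raw[i:]


def safe_to_strip(quoted):
    """True only if the text between the quotes is one complete token."""
    kind, text, rest = parse_word(quoted)
    if kind != 'quoted-string' or rest:
        return False
    inner = text[1:-1]
    return parse_word(inner) == ('token', inner, '')


if __name__ == '__main__':
    # Constructed sample values; the first is the one from the comment.
    for value in ['"abc\\075"', '"hello world"', '"abc"']:
        print(value, '->', parse_word(value), 'strip ok:', safe_to_strip(value))
        print('  unquoted:', parse_word(value[1:-1]))
```

A parser that removes the quotes unconditionally hands downstream code the `rest` part as unparsed residue, so the stored cookie value and the value the server sent can differ.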

