hc-dev mailing list archives

From "Detlev Beutner (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1006) BrowserCompatSpec: don't trim " around cookie value
Date Wed, 28 Dec 2016 18:07:58 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783401#comment-15783401 ]

Detlev Beutner commented on HTTPCLIENT-1006:
--------------------------------------------

Hi Oleg,

I don't see the first sentence, but as the RFCs are deprecated, let's just move the interpretation
of RFC 2616 aside and hold to RFC 6265.

But the core question is in your second sentence: "Even on a basic common sense level quotes
as a part of cookie value makes zero sense as they have universally been intended as an escape
mechanism in HTTP related protocols."

This might only hold for consumers outside the cookie-moving-http-req-res-cycle, i.e. for
clients to show the content of cookies (JS access) or for servers to read the content of (sent-back)
cookies. But outside of such accesses, exactly the opposite holds: If the value needs DQs
as an escape mechanism (from server to client), it needs them also on the way back (from client
to server). And that's why, at least for this purpose, the client always needs to preserve
the DQs in the value. It might strip them on API access to the cookies not meant for the core
communication process, but that's all...

Hope this differentiates this a bit and makes clear why "generally stripping DQs" is always
a bug on the client side.
Best regards & thanks in advance
Detlev

> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1006
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.0.2
>            Reporter: Marc Guillemot
>
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly removing
> the leading and trailing quotes. The incorrect quote removal occurs in BasicHeaderValueParser.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
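
The distinction drawn in the comment above, between the value sent back on the wire and the value shown on API access, as an added example that is not part of the original message and is not HttpClient code. The class and method names (`QuotedCookieRoundTrip`, `WireCookie`, `parseSetCookie`, `cookieHeader`) are hypothetical, and the second header is a constructed sample.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical illustration class; not part of HttpClient.
public class QuotedCookieRoundTrip {
    // Keeps the cookie value exactly as received, double quotes included.
    static final class WireCookie {
        final String name, rawValue;
        WireCookie(String name, String rawValue) { this.name = name; this.rawValue = rawValue; }

        // Application-facing view only: surrounding double quotes removed.
        String displayValue() {
            boolean quoted = rawValue.length() >= 2
                    && rawValue.startsWith("\"") && rawValue.endsWith("\"");
            return quoted ? rawValue.substring(1, rawValue.length() - 1) : rawValue;
        }
    }

    // Parses the name=value pair of a Set-Cookie header value; attributes after ';' are ignored.
    static WireCookie parseSetCookie(String headerValue) {
        int semi = headerValue.indexOf(';');
        String pair = semi < 0 ? headerValue : headerValue.substring(0, semi);
        int eq = pair.indexOf('=');
        if (eq <= 0) throw new IllegalArgumentException("no cookie name: " + headerValue);
        return new WireCookie(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
    }

    // Builds the Cookie request header from the raw values, so quotes survive the round trip.
    static String cookieHeader(Map<String, WireCookie> jar) {
        StringBuilder sb = new StringBuilder();
        for (WireCookie c : jar.values()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(c.name).append('=').append(c.rawValue);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, WireCookie> jar = new LinkedHashMap<>();
        // The first header is the one from the issue description; the second is constructed.
        for (String h : new String[] {"first=\"hello world\"", "second=plain; Path=/"}) {
            WireCookie c = parseSetCookie(h);
            jar.put(c.name, c);
        }
        System.out.println("Cookie: " + cookieHeader(jar));
        System.out.println("API view of first: " + jar.get("first").displayValue());
    }
}
```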
