manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CONNECTORS-119) Submit patch requests for all remaining httpclient customizations
Date Wed, 21 Nov 2012 13:41:58 GMT

    [ https://issues.apache.org/jira/browse/CONNECTORS-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501969#comment-13501969
] 

Karl Wright commented on CONNECTORS-119:
----------------------------------------

Looked into cookie policy implementations in httpcomponents.

The validate function in effect for 4.2.2 for BROWSER_COMPATIBILITY is as follows:

{code}
    public void validate(final Cookie cookie, final CookieOrigin origin)
            throws MalformedCookieException {
        if (cookie == null) {
            throw new IllegalArgumentException("Cookie may not be null");
        }
        if (origin == null) {
            throw new IllegalArgumentException("Cookie origin may not be null");
        }
        for (CookieAttributeHandler handler: getAttribHandlers()) {
            handler.validate(cookie, origin);
        }
    }
{code}

The code we *don't* want in there is:

{code}
        // another security check... we musn't allow the server to give us a
        // cookie that doesn't match this path

        if (!path.startsWith(cookie.getPath())) {
            throw new MalformedCookieException(
                "Illegal path attribute \"" + cookie.getPath() 
                + "\". Path of origin: \"" + path + "\"");
        }
{code}

The compatibility spec registers the following handler for path:

{code}
        registerAttribHandler(ClientCookie.PATH_ATTR, new BasicPathHandler());
{code}

... which, unfortunately, does exactly the check I don't want done:

{code}
    public void validate(final Cookie cookie, final CookieOrigin origin)
            throws MalformedCookieException {
        if (!match(cookie, origin)) {
            throw new CookieRestrictionViolationException(
                "Illegal path attribute \"" + cookie.getPath()
                + "\". Path of origin: \"" + origin.getPath() + "\"");
        }
    }
{code}

So it looks like we need to request an enhancement/patch from the httpcomponents people for
this one.  Wish I could remember the site(s) that had this issue...


                
> Submit patch requests for all remaining httpclient customizations
> -----------------------------------------------------------------
>
>                 Key: CONNECTORS-119
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-119
>             Project: ManifoldCF
>          Issue Type: Task
>          Components: Framework core
>    Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2
>            Reporter: Karl Wright
>             Fix For: ManifoldCF next
>
>
> Now that commons-httpclient has accepted the NTLM patch, we can in theory start to use
httpclient 4.x plain-vanilla as a replacement for our customized 3.1 httpclient.  But first
we should submit any remaining differences as patch requests.  Specifically, the cross-path
cookie allowance should be submitted.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message