tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject RE: [PATCH] Cookie, Cookie2 Header fix for mod_jk
Date Wed, 07 Dec 2005 19:16:03 GMT
 

> -----Original Message-----
> From: Mladen Turk [mailto:mturk@apache.org] 
> Sent: Wednesday, December 07, 2005 10:09 AM
> To: Tomcat Developers List
> Subject: Re: [PATCH] Cookie, Cookie2 Header fix for mod_jk
> 
> Andre Gebers wrote:
> > Hi,
> > 
> > newer versions of opera send the Cookie2-header along with the 
> > Cookie-header which looks somewhat like this:
> > 
> 
> Right, but the patch would not work.
> It would be a security hole, because the http rfc
> diferentiates cookie from cookie2.
> 
> Right now the Cookie2 header is passed as unknown header,
> so it should work anyhow if the remote accepts the Cookie2.
> IIRC it is not part of Servlet-spec, so it would not show
> in javax.servlet.Cookie.
> 

I agree that the patch is simply masking the real problem.  With the current
mod_jk code what Tomcat sees is:
  Cookie: myCookie=1234
  Cookie: $Version=1
which it should handle just fine.  After the patch, it sees the correct
headers, but ignores the Cookie2 one.  So it looks like it's really a
problem with multi-valued headers (but I don't see anything immediately
jumping out at me in the code).

> We would need to extend the AJP1.3 protocol to support
> missing HTTP/1.1 features (the Cookie2 is not the only one).
> 
> I'm in a process of proposing those additions, but it will
> probably be inside jk3 (jk1.3).
> 
> Thanks,
> Mladen.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 
> 
> 



This message is intended only for the use of the person(s) listed above as the intended recipient(s),
and may contain information that is PRIVILEGED and CONFIDENTIAL.  If you are not an intended
recipient, you may not read, copy, or distribute this message or any attachment. If you received
this communication in error, please notify us immediately by e-mail and then delete all copies
of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet
is not secure. Do not send confidential or sensitive information, such as social security
numbers, account numbers, personal identification numbers and passwords, to us via ordinary
(unencrypted) e-mail.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message