tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: [VOTE] Release build 6.0.15
Date Wed, 07 Nov 2007 22:35:07 GMT
Mark Thomas wrote:
> jean-frederic clere wrote:
>   
>> Filip Hanik - Dev Lists wrote:
>>     
>>> I'm having problems with the cookie parsing
>>>
>>>       
>> It seems there are 2 problems... The version (only TCK will complain)
>>     
> Haven't looked at this
>   
yes, this is a bug, the version number will never be anything but 0 for 
any parsed cookie.
should that stop a release? I think 6.0.15 is very stable, and long 
needed bug fixes, I'll let Remy as the release manager make the call 
unless someone feels otherwise


>   
>> and we are re escaping already escaped strings.
>>     
> The spec isn't 100% clear on who is responsible for escaping the values if
> required.
>
> <spec-quote section=SRV.16.1.1.1>
> ... The value can be anything the server chooses to send. ...
> </spec-quote>
> <spec-quote section=SRV.16.1.1.2>
> ...
> setValue(String)
>   
what j-f-c is saying here, is that if there is a value of
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;

when it is being parsed, it double escapes it
Path="\\"/foo/bar\\""

Filip

> ...
> With Version 0 cookies, values should not contain white space, brackets,
> parentheses, equals signs, commas, double quotes, slashes, question marks,
> at signs, colons, and semicolons. Empty values may not behave the same way
> on all browsers.
> ...
> </spec-quote>
>
> This suggests to me that the webapp writer can set what they like for a
> version 1 cookie and it is the server's responsibility to escape it.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
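
The double escaping described in this message, as an added example that is not part of the original thread and is not Tomcat's code. `escape` and `unescape` are hypothetical helpers that assume the quoted-string convention of backslash-escaping `"` and `\`, so the exact doubled output can differ from what the 6.0.15 build produced.

```java
public class CookieQuoteRoundTrip {
    // Hypothetical helper: backslash-escape '"' and '\' for a quoted-string.
    static String escape(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') b.append('\\');
            b.append(c);
        }
        return b.toString();
    }

    // Hypothetical helper: strip the outer quotes and undo backslash escapes.
    static String unescape(String quoted) {
        int last = quoted.length() - 1;
        if (last < 1 || quoted.charAt(0) != '"' || quoted.charAt(last) != '"') {
            return quoted; // a bare token, nothing to undo
        }
        StringBuilder b = new StringBuilder();
        for (int i = 1; i < last; i++) {
            char c = quoted.charAt(i);
            // A backslash makes the next character literal.
            if (c == '\\' && i + 1 < last) c = quoted.charAt(++i);
            b.append(c);
        }
        return b.toString();
    }

    public static void main(String[] args) {
        // Constructed sample, the $Path value from the message: "\"/foo/bar\""
        String wire = "\"\\\"/foo/bar\\\"\"";
        String raw = wire.substring(1, wire.length() - 1); // escapes left in place
        String value = unescape(wire);                     // escapes undone once

        // Parser keeps the escaped text, emitter escapes it a second time.
        String doubled = "\"" + escape(raw) + "\"";
        // Parser unescapes once, emitter escapes once: the value survives.
        String roundTrip = "\"" + escape(value) + "\"";

        System.out.println("parsed value : " + value);
        System.out.println("re-escaped   : " + doubled);
        System.out.println("round trip   : " + roundTrip);
        System.out.println("matches wire : " + roundTrip.equals(wire));
    }
}
```

Each further pass through `escape` without a matching `unescape` adds another layer of backslashes, which is why the parse side and the emit side have to agree on which of them owns the escaping.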

