tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [VOTE] Release build 6.0.15
Date Thu, 08 Nov 2007 21:13:38 GMT
Filip Hanik - Dev Lists wrote:
> Mark Thomas wrote:
>> Filip Hanik - Dev Lists wrote:
>>  
>>> Mark Thomas wrote:
>>>    
>>>> jean-frederic clere wrote:
>>>>      
>>>>> and we are re escaping already escaped strings.
>>>>>             
>>>> The spec isn't 100% clear on who is responsible for escaping the
>>>> values if
>>>> required.
>>>>
>>>> <spec-quote section=SRV.16.1.1.1>
>>>> ... The value can be anything the server chooses to send. ...
>>>> </spec-quote>
>>>> <spec-quote section=SRV.16.1.1.2>
>>>> ...
>>>> setValue(String)
>>>>         
>>> what j-f-c is saying here, is that if there is a value of
>>> Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
>>>
>>> when it is being parsed, it double escapes it
>>> Path="\\"/foo/bar\\""
>>>     
>>
>> I get that ;)
>>
>> What I was trying (not very well) to say was I don't think the spec is
>> clear whether we should escape everything, regardless of if it looks like
>> it is already escaped. I am in favour of the current behaviour because:
>> a) the spec isn't clear but I think it is leaning in the escape
>> everything
>> direction
>>
>> b) I don't like the complexity of adding an "is this value already
>> escaped"
>> function. I think we would be setting ourselves up for another round of
>> cookie handling bugs.
>>   
> the spec says
> 
>   A string of text is parsed as a single word if it is quoted using
>   double-quote marks.
> 
>       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>       qdtext         = <any TEXT except <">>
> 
>   The backslash character ("\") MAY be used as a single-character
>   quoting mechanism only within quoted-string and comment constructs.
> 
>       quoted-pair    = "\" CHAR
> 
> now I have to digest that :) and will comment some more.

Isn't that the http spec rather than the servlet spec?

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message