tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: [VOTE] Release build 6.0.15
Date Thu, 08 Nov 2007 22:44:39 GMT
Mark Thomas wrote:
> Filip Hanik - Dev Lists wrote:
>   
>> Mark Thomas wrote:
>>     
>>> Filip Hanik - Dev Lists wrote:
>>>  
>>>       
>>>> Mark Thomas wrote:
>>>>    
>>>>         
>>>>> jean-frederic clere wrote:
>>>>>      
>>>>>           
>>>>>> and we are re-escaping already escaped strings.
>>>>>>             
>>>>>>             
>>>>> The spec isn't 100% clear on who is responsible for escaping the
>>>>> values if required.
>>>>>
>>>>> <spec-quote section=SRV.16.1.1.1>
>>>>> ... The value can be anything the server chooses to send. ...
>>>>> </spec-quote>
>>>>> <spec-quote section=SRV.16.1.1.2>
>>>>> ...
>>>>> setValue(String)
>>>>>         
>>>>>           
>>>> what j-f-c is saying here, is that if there is a value of
>>>> Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
>>>>
>>>> when it is being parsed, it double escapes it
>>>> Path="\\"/foo/bar\\""
>>>>     
>>>>         
>>> I get that ;)
>>>
>>> What I was trying (not very well) to say was I don't think the spec is
>>> clear whether we should escape everything, regardless of if it looks like
>>> it is already escaped. I am in favour of the current behaviour because:
>>> a) the spec isn't clear but I think it is leaning in the escape
>>> everything direction
>>>
>>> b) I don't like the complexity of adding an "is this value already
>>> escaped" function. I think we would be setting ourselves up for
>>> another round of cookie handling bugs.
>>>   
>>>       
>> the spec says
>>
>>   A string of text is parsed as a single word if it is quoted using
>>   double-quote marks.
>>
>>       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>>       qdtext         = <any TEXT except <">>
>>
>>   The backslash character ("\") MAY be used as a single-character
>>   quoting mechanism only within quoted-string and comment constructs.
>>
>>       quoted-pair    = "\" CHAR
>>
>> now I have to digest that :) and will comment some more.
>>     
>
> Isn't that the http spec rather than the servlet spec?
>   
Absolutely. There is no syntax definition for HTTP headers (and cookies
being such) in the servlet spec.

Filip
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
>   
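The quoted-string escaping question debated in this thread, as an added Python example (not Tomcat code and not written by any participant; all function names and the sample values other than the thread's Path strings are constructed). It shows that escape-then-parse round-trips, that escaping twice needs two parses, and that an "already escaped?" heuristic cannot tell a raw value from an escaped one.

```python
# Added illustration, not Tomcat code; all function names are hypothetical.
# Grammar quoted in the thread:
#   quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
#   quoted-pair   = "\" CHAR

def quote(value):
    """Always escape: backslash first, then double quote, then wrap."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def unquote(token):
    """Strict quoted-string parser; raises ValueError on malformed input."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("not a quoted-string")
    out, i, end = [], 1, len(token) - 1
    while i < end:
        ch = token[i]
        if ch == "\\":
            i += 1
            if i >= end:
                raise ValueError("backslash escapes the closing quote")
            ch = token[i]          # quoted-pair: take the next char literally
        elif ch == '"':
            raise ValueError("unescaped double quote inside quoted-string")
        out.append(ch)
        i += 1
    return "".join(out)

def looks_escaped(value):
    """Heuristic: True if every backslash starts a quoted-pair and no quote is bare."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 2
            if i > len(value):     # trailing lone backslash
                return False
        elif value[i] == '"':
            return False
        else:
            i += 1
    return True

def quote_unless_escaped(value):
    """The 'skip values that already look escaped' variant."""
    return '"' + value + '"' if looks_escaped(value) else quote(value)

# Constructed samples based on the thread's Path value.
RAW = '"/foo/bar"'                      # raw value containing double quotes
THREAD_DOUBLE = r'"\\"/foo/bar\\""'     # the double-escaped form from the thread
AMBIGUOUS = 'a\\"b'                     # raw value: a, backslash, quote, b
```

Under this strict parser the thread's `"\\"/foo/bar\\""` form is rejected outright, because the doubled backslash leaves the following double quote unescaped.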