tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: [VOTE] Release build 6.0.15
Date Thu, 08 Nov 2007 23:34:36 GMT
Filip Hanik - Dev Lists wrote:
> Mark Thomas wrote:
>> Filip Hanik - Dev Lists wrote:
>>  
>>> Mark Thomas wrote:
>>>    
>>>> Filip Hanik - Dev Lists wrote:
>>>>  
>>>>      
>>>>> Mark Thomas wrote:
>>>>>           
>>>>>> jean-frederic clere wrote:
>>>>>>               
>>>>>>> and we are re escaping already escaped strings.
>>>>>>>                         
>>>>>> The spec isn't 100% clear on who is responsible for escaping the
>>>>>> values if
>>>>>> required.
>>>>>>
>>>>>> <spec-quote section=SRV.16.1.1.1>
>>>>>> ... The value can be anything the server chooses to send. ...
>>>>>> </spec-quote>
>>>>>> <spec-quote section=SRV.16.1.1.2>
>>>>>> ...
>>>>>> setValue(String)
>>>>>>                   
>>>>> what j-f-c is saying here, is that if there is a value of
>>>>> Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
>>>>>
>>>>> when it is being parsed, it double escapes it
>>>>> Path="\\"/foo/bar\\""
>>>>>             
>>>> I get that ;)
>>>>
>>>> What I was trying (not very well) to say was I don't think the spec is
>>>> clear whether we should escape everything, regardless of if it 
>>>> looks like
>>>> it is already escaped. I am in favour of the current behaviour 
>>>> because:
>>>> a) the spec isn't clear but I think it is leaning in the escape
>>>> everything
>>>> direction
>>>>
>>>> b) I don't like the complexity of adding an "is this value already
>>>> escaped"
>>>> function. I think we would be setting ourselves up for another 
>>>> round of
>>>> cookie handling bugs.
>>>>         
>>> the spec says
>>>
>>>   A string of text is parsed as a single word if it is quoted using
>>>   double-quote marks.
>>>
>>>       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>>>       qdtext         = <any TEXT except <">>
>>>
>>>   The backslash character ("\") MAY be used as a single-character
>>>   quoting mechanism only within quoted-string and comment constructs.
>>>
>>>       quoted-pair    = "\" CHAR
>>>
>>> now I have to digest that :) and will comment some more.
>>>     
>>
>> Isn't that the http spec rather than the servlet spec?
>>   
> Absolutely. There is no syntax definition for HTTP headers (and cookies 
> being such) in the servlet spec.
To be more specific, it might still be broken.


Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
results in
Set-Cookie: C1=C1; Version=1; Domain=d1; Path="\\"/foo/bar\\""

This is invalid syntax, because \ only escapes one character, and " is not 
allowed within a "..." value.


with 6.0.15
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
results in
Set-Cookie: C1=C1; Domain=d1; Path=\"/foo/bar\"

This is also invalid, since we parsed it wrong. The actual value for 
path is "/foo/bar", with the quotes.

btw, all my test JSP is doing is response.addCookie for each cookie 
found in request.getCookies, without modifying them

Filip
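As an added example (not code from this thread and not Tomcat's own cookie code), here is a small parser and serializer for the RFC 2616 quoted-string grammar quoted earlier in the thread, applied to the three Path values Filip lists: the one in the request, the 6.0.14 output and the 6.0.15 output. The function names and the constructed sample strings are mine; the grammar rules are the ones quoted above.

```python
# Added example: check cookie attribute values against the RFC 2616
# quoted-string grammar quoted in the thread.
#
#   quoted-string = <"> *(qdtext | quoted-pair) <">
#   qdtext        = any TEXT except <">
#   quoted-pair   = "\" CHAR
#
# A backslash escapes exactly one character, a bare <"> closes the
# string, and anything after the closing <"> is a syntax error.


class QuotedStringError(ValueError):
    """Raised when text is not exactly one well-formed quoted-string."""


def parse_quoted_string(text: str) -> str:
    """Return the value of a quoted-string, with quoted-pairs resolved."""
    if len(text) < 2 or text[0] != '"':
        raise QuotedStringError('quoted-string must start with <">')
    value = []
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            # quoted-pair: the backslash escapes exactly one character
            if i + 1 >= len(text):
                raise QuotedStringError("dangling backslash")
            value.append(text[i + 1])
            i += 2
        elif ch == '"':
            # an unescaped <"> ends the string; nothing may follow it
            if i != len(text) - 1:
                raise QuotedStringError(
                    "data after closing <\">: %r" % text[i + 1:])
            return "".join(value)
        else:
            value.append(ch)  # qdtext
            i += 1
    raise QuotedStringError("unterminated quoted-string")


def make_quoted_string(value: str) -> str:
    """Serialize a value as a quoted-string, escaping only \\ and <">."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def check_value(attr: str) -> dict:
    """Classify an attribute value: valid quoted-string or not, and why."""
    try:
        return {"valid": True, "value": parse_quoted_string(attr), "error": None}
    except QuotedStringError as exc:
        return {"valid": False, "value": None, "error": str(exc)}


def roundtrip(attr: str) -> str:
    """Parse once and re-serialize once; a correct implementation is stable."""
    return make_quoted_string(parse_quoted_string(attr))


# Constructed inputs, taken from the thread's example (Python literals
# of the raw header text).
REQUEST_PATH = '"\\"/foo/bar\\""'        # $Path="\"/foo/bar\""
OUTPUT_6_0_14 = '"\\\\"/foo/bar\\\\""'   # Path="\\"/foo/bar\\""
OUTPUT_6_0_15 = '\\"/foo/bar\\"'         # Path=\"/foo/bar\"

if __name__ == "__main__":
    for label, attr in (("request", REQUEST_PATH),
                        ("6.0.14", OUTPUT_6_0_14),
                        ("6.0.15", OUTPUT_6_0_15)):
        print(label, attr, check_value(attr))
    print("stable round trip:", roundtrip(REQUEST_PATH) == REQUEST_PATH)
```

Running it shows the request value parsing to `"/foo/bar"` (quotes included, as Filip says), the 6.0.14 output failing because the second `\\` pair ends and the next `"` closes the string with `/foo/bar...` left over, and the 6.0.15 output failing because it no longer starts with `"`. Parsing once and serializing once reproduces the request value exactly, which is the behaviour an echoing `addCookie` should give.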
> Filip
>> Mark
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org