tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Remy Maucherat <r...@apache.org>
Subject Re: Cookies are broken in 6.0.16?
Date Sat, 09 Feb 2008 22:28:06 GMT
On Sat, 2008-02-09 at 13:03 +0000, Mark Thomas wrote:
> Maik Jablonski wrote:
> > Hi,
> > 
> > I've just encountered that Cookies seem to be a little bit broken in
> > 6.0.16. If you want to read a cookie which ends on one or more
> > equals-sign (=), the equals-signs are removed by Tomcat when the
> > cookie is read.
> >
> > Is it a bug or a "undocumented" change?
> 
> It is neither. The changes are documented in the change log. As a result of
> a couple of minor security issues (see
> http://tomcat.apache.org/security-6.html) the cookie handling code has been
> tightened up to make it spec compliant.
> 
> By default the servlet spec uses version 0 cookies. The name value pairs
> are defined as:
> <spec-quote>
> NAME=VALUE
> This string is a sequence of characters excluding semi-colon, comma and
> white space. If there is a need to place such data in the name or value,
> some encoding method such as URL style %XX encoding is recommended, though
> no encoding is defined or required.
> </spec-quote>
> 
> The difficulty here is that although '=' is the delimiter between NAME and
> VALUE there is no need to encode it if it appears in the name or the value.
> This causes some ambiguities when parsing a header of the form:
> Set-Cookie: foo=bar=bartoo
> 
> Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?
> 
> The changes to the cookie parsing mean the second '=' and any text beyond
> it are now ignored.
> 
> If you set the cookie version to 1 then the quoting will be applied where
> necessary and your example will work as you intend.

It seems to me like an annoying regression. response.addCookie(new
Cookie("test_cookie3", "123===")) looks like something which should be
working. Are you sure there's nothing that could be done about it ?
Maybe some additional encoding for '=' when not quoting ?

Rémy



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message