tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Manico <...@manico.net>
Subject Re: Cookies are broken in 6.0.16?
Date Sat, 09 Feb 2008 23:18:33 GMT
Filip,

Would you consider auto-encoding only = and ; in the cookie value, but 
leaving everything else alone for v0 cookies? Would this possibly pass TCK?

- Jim
> no regression, if you do this
>
>  c = new javax.servlet.http.Cookie("abcv1","123==");
>  c.setVersion(1);
>  response.addCookie(c);
>
> then it works just fine.
>
> however, if you do
>  c = new javax.servlet.http.Cookie("abcv0","123==");
>  response.addCookie(c);
>
> then it doesn't. if we encode it, (which we did at our first attempt 
> for v0 cookies) we actually don't pass the TCK.
> only v1 cookies should be double quoted, in previous versions of 
> tomcat, I believe everything got double quoted, regardless of version 
> on the cookie.
>
> v0 cookies, the spec says
>
> /NAME/=/VALUE/
>    This string is a sequence of characters excluding semi-colon, comma
>    and white space. If there is a need to place such data in the name
>    or value, some encoding method such as URL style %XX encoding is
>    recommended, though no encoding is defined or required.
>
> the problem was that encoding wasn't defined nor required. so when we 
> followed the spec, and added %XX encoding, TCK tests failed.
>
> at this point I would say, we handle cookies correctly. if one needs 
> == at the end of the cookie, then they need to use v1 cookies, 
> according to spec
>
> Filip
>
>
>
> Remy Maucherat wrote:
>> On Sat, 2008-02-09 at 13:03 +0000, Mark Thomas wrote:
>>  
>>> Maik Jablonski wrote:
>>>    
>>>> Hi,
>>>>
>>>> I've just encountered that Cookies seem to be a little bit broken in
>>>> 6.0.16. If you want to read a cookie which ends on one or more
>>>> equals-sign (=), the equals-signs are removed by Tomcat when the
>>>> cookie is read.
>>>>
>>>> Is it a bug or a "undocumented" change?
>>>>       
>>> It is neither. The changes are documented in the change log. As a 
>>> result of
>>> a couple of minor security issues (see
>>> http://tomcat.apache.org/security-6.html) the cookie handling code 
>>> has been
>>> tightened up to make it spec compliant.
>>>
>>> By default the servlet spec uses version 0 cookies. The name value 
>>> pairs
>>> are defined as:
>>> <spec-quote>
>>> NAME=VALUE
>>> This string is a sequence of characters excluding semi-colon, comma and
>>> white space. If there is a need to place such data in the name or 
>>> value,
>>> some encoding method such as URL style %XX encoding is recommended, 
>>> though
>>> no encoding is defined or required.
>>> </spec-quote>
>>>
>>> The difficulty here is that although '=' is the delimiter between 
>>> NAME and
>>> VALUE there is no need to encode it if it appears in the name or the 
>>> value.
>>> This causes some ambiguities when parsing a header of the form:
>>> Set-Cookie: foo=bar=bartoo
>>>
>>> Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?
>>>
>>> The changes to the cookie parsing mean the second '=' and any text 
>>> beyond
>>> it are now ignored.
>>>
>>> If you set the cookie version to 1 then the quoting will be applied 
>>> where
>>> necessary and your example will work as you intend.
>>>     
>>
>> It seems to me like an annoying regression. response.addCookie(new
>> Cookie("test_cookie3", "123===")) looks like something which should be
>> working. Are you sure there's nothing that could be done about it ?
>> Maybe some additional encoding for '=' when not quoting ?
>>
>> Rémy
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>>   
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message