tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Cookies are broken in 6.0.16?
Date Sun, 10 Feb 2008 00:23:27 GMT
actually not, in previous version, we double quoted v0 cookies, and so 
browsers treated them as v1 in terms of value
any sort of encoding attempt we made was miserable between different 
browsers.
filip

Jim Manico wrote:
> Filip,
>
> Would you consider auto-encoding only = and ; in the cookie value, but 
> leaving everything else alone for v0 cookies? Would this possibly pass 
> TCK?
>
> - Jim
>> no regression, if you do this
>>
>>  c = new javax.servlet.http.Cookie("abcv1","123==");
>>  c.setVersion(1);
>>  response.addCookie(c);
>>
>> then it works just fine.
>>
>> however, if you do
>>  c = new javax.servlet.http.Cookie("abcv0","123==");
>>  response.addCookie(c);
>>
>> then it doesn't. if we encode it, (which we did at our first attempt 
>> for v0 cookies) we actually don't pass the TCK.
>> only v1 cookies should be double quoted, in previous versions of 
>> tomcat, I believe everything got double quoted, regardless of version 
>> on the cookie.
>>
>> v0 cookies, the spec says
>>
>> /NAME/=/VALUE/
>>    This string is a sequence of characters excluding semi-colon, comma
>>    and white space. If there is a need to place such data in the name
>>    or value, some encoding method such as URL style %XX encoding is
>>    recommended, though no encoding is defined or required.
>>
>> the problem was that encoding wasn't defined nor required. so when we 
>> followed the spec, and added %XX encoding, TCK tests failed.
>>
>> at this point I would say, we handle cookies correctly. if one needs 
>> == at the end of the cookie, then they need to use v1 cookies, 
>> according to spec
>>
>> Filip
>>
>>
>>
>> Remy Maucherat wrote:
>>> On Sat, 2008-02-09 at 13:03 +0000, Mark Thomas wrote:
>>>  
>>>> Maik Jablonski wrote:
>>>>   
>>>>> Hi,
>>>>>
>>>>> I've just encountered that Cookies seem to be a little bit broken in
>>>>> 6.0.16. If you want to read a cookie which ends on one or more
>>>>> equals-sign (=), the equals-signs are removed by Tomcat when the
>>>>> cookie is read.
>>>>>
>>>>> Is it a bug or a "undocumented" change?
>>>>>       
>>>> It is neither. The changes are documented in the change log. As a 
>>>> result of
>>>> a couple of minor security issues (see
>>>> http://tomcat.apache.org/security-6.html) the cookie handling code 
>>>> has been
>>>> tightened up to make it spec compliant.
>>>>
>>>> By default the servlet spec uses version 0 cookies. The name value 
>>>> pairs
>>>> are defined as:
>>>> <spec-quote>
>>>> NAME=VALUE
>>>> This string is a sequence of characters excluding semi-colon, comma 
>>>> and
>>>> white space. If there is a need to place such data in the name or 
>>>> value,
>>>> some encoding method such as URL style %XX encoding is recommended, 
>>>> though
>>>> no encoding is defined or required.
>>>> </spec-quote>
>>>>
>>>> The difficulty here is that although '=' is the delimiter between 
>>>> NAME and
>>>> VALUE there is no need to encode it if it appears in the name or 
>>>> the value.
>>>> This causes some ambiguities when parsing a header of the form:
>>>> Set-Cookie: foo=bar=bartoo
>>>>
>>>> Is the name 'foo' or 'foo=bar'? Is the value 'bar=bartoo' or 'bartoo'?
>>>>
>>>> The changes to the cookie parsing mean the second '=' and any text 
>>>> beyond
>>>> it are now ignored.
>>>>
>>>> If you set the cookie version to 1 then the quoting will be applied 
>>>> where
>>>> necessary and your example will work as you intend.
>>>>     
>>>
>>> It seems to me like an annoying regression. response.addCookie(new
>>> Cookie("test_cookie3", "123===")) looks like something which should be
>>> working. Are you sure there's nothing that could be done about it ?
>>> Maybe some additional encoding for '=' when not quoting ?
>>>
>>> Rémy
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>>
>>>
>>>   
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message