tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 48559] Security fix for CVE-2007-5333 causing interoperability problems
Date Sun, 17 Jan 2010 18:18:31 GMT

Mark Thomas <> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <> 2010-01-17 10:18:30 GMT ---
The fix for CVE-2007-5333 essentially made Tomcat apply the various cookie
specifications more strictly. Where we can safely do so, options have been
added to reduce the strictness of these checks.

The '=' characters that can appear in base64 data will cause the quoting. A new
option will be included in the next 6.0.x release that allows = to be used
without the quotes being added. This may help.

The quotes should be transparent to applications that set and read cookie
values through the Servlet API. If they are not, that is probably a bug in

Applications that read and set cookies directly should be able to handle
specification compliant cookies. If they cannot, that is probably a bug in
those applications.

Depending on circumstances, one option may be to bypass the Servlet API and
set/read the cookie headers directly. Again, applications that do this should
be specification compliant, although they can break the specs at their own

If you need assistance with a specific case, please ask - with examples - on
the Tomcat users mailing list.
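To make the interoperability point concrete, here is an added example (not Tomcat's own code, and a simplification of what Tomcat does) of the quoting behaviour the comment describes. A cookie value that contains a separator character such as the `=` padding of base64 is not a token, so a spec-compliant writer wraps it in double quotes. A reader that goes through the cookie specification strips those quotes and gets the original value back; a reader that simply takes everything after the first `=` sees the quotes and breaks. The separator set follows RFC 2109/2616, and the sample value is a constructed base64 string.

```python
"""Added example: why '=' in a base64 cookie value triggers quoting,
and how a spec-aware reader differs from a naive one.

Not Tomcat code; a minimal model of RFC 2109 quoting rules.
"""

# Separators (tspecials) from RFC 2616 section 2.2 / RFC 2109: a value that
# contains any of these is not a token and must be sent as a quoted-string.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def needs_quoting(value: str) -> bool:
    """True when the value contains a separator and is therefore not a token."""
    return any(ch in SEPARATORS for ch in value)


def format_set_cookie(name: str, value: str) -> str:
    """Render name=value, quoting the value (and escaping '"' and '\\') when required."""
    if needs_quoting(value):
        escaped = value.replace('\\', '\\\\').replace('"', '\\"')
        return f'{name}="{escaped}"'
    return f'{name}={value}'


def spec_read_value(header: str) -> str:
    """Spec-aware reader: accepts both token and quoted-string forms.

    A quoted-string is unwrapped and backslash escapes are resolved, so the
    application sees exactly the value the writer was given.
    """
    _, _, raw = header.partition('=')
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        inner = raw[1:-1]
        out = []
        i = 0
        while i < len(inner):
            if inner[i] == '\\' and i + 1 < len(inner):
                out.append(inner[i + 1])  # escaped quote or backslash
                i += 2
            else:
                out.append(inner[i])
                i += 1
        return ''.join(out)
    return raw


def naive_read_value(header: str) -> str:
    """Reader that ignores the spec: everything after the first '=' is the value.

    This is the pattern that breaks once a compliant server starts quoting.
    """
    return header.partition('=')[2]


def round_trip(name: str, value: str) -> tuple:
    """Return (wire form, spec-aware reading, naive reading) for one cookie."""
    wire = format_set_cookie(name, value)
    return wire, spec_read_value(wire), naive_read_value(wire)


if __name__ == '__main__':
    # Constructed sample: base64 of b"session:42", which ends in '=' padding.
    for name, value in (('plain', 'abc123'), ('token', 'c2Vzc2lvbjo0Mg==')):
        wire, by_spec, by_naive = round_trip(name, value)
        print(f'{wire!r:32} spec={by_spec!r:22} naive={by_naive!r}')
```

The `plain` cookie is a token and goes out unquoted, so both readers agree. The base64 value is quoted on the wire; the spec-aware reader returns the original string, while the naive reader returns it with the surrounding quotes still attached, which is the symptom the bug report complains about. An application that reads the headers directly, as the comment suggests, needs the `spec_read_value` behaviour rather than the `naive_read_value` one.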
