tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49000] Cookie parsing bug when an empty value has an equal sign on the end
Date Sun, 04 Apr 2010 15:38:50 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49000

Mark Thomas <markt@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #2 from Mark Thomas <markt@apache.org> 2010-04-04 15:38:49 UTC ---
Hmm. Neither of those two cookies is valid since both name and value are
mandatory.

Tomcat 6 (and probably earlier) has allowed what is referred to in the code as
name only cookies. I think this is another candidate for a cookie configuration
option in Tomcat 7 (ALLOW_NAME_ONLY_COOKIES ?) that defaults to false and
rejects these invalid cookies.

In terms of what this option does allow, since we are outside the spec, we can
choose what we want to allow and disallow. I quite like the current allow
'name' but not 'name=' as the latter looks like an error whilst the first looks
like an attempt to have a name only cookie.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
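
The accept/reject policy discussed in the message above, as an added Python illustration (not Tomcat's parser and not part of the original message). The function name `parse_cookie_header` and the parameter `allow_name_only`, which stands in for the tentatively named ALLOW_NAME_ONLY_COOKIES option, are assumptions, and the sample header is constructed.

```python
import re

# HTTP "token" characters, the set permitted in a cookie name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_cookie_header(header, allow_name_only=False):
    """Split a Cookie header into accepted pairs and rejected fragments.

    allow_name_only is a hypothetical stand-in for the option floated in the
    message; it defaults to False. Quoted values are not interpreted here.
    """
    accepted, rejected = {}, []
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, value = fragment.partition("=")
        name, value = name.strip(), value.strip()
        if not TOKEN.fullmatch(name):
            rejected.append((fragment, "invalid name"))
        elif not sep:
            # Bare 'name': outside the spec, accepted only when opted in.
            if allow_name_only:
                accepted[name] = ""
            else:
                rejected.append((fragment, "name-only cookie"))
        elif not value:
            # 'name=': treated as a malformed pair in either mode.
            rejected.append((fragment, "empty value after '='"))
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample header, not taken from the bug report.
SAMPLE = "session=abc123; flag; theme=; lang=en"

if __name__ == "__main__":
    for mode in (False, True):
        ok, bad = parse_cookie_header(SAMPLE, allow_name_only=mode)
        print(f"allow_name_only={mode}: accepted={ok} rejected={bad}")
```

Each fragment is classified on its own, so a rejected `name=` or bare `name` never changes how the pairs around it are read.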

