tomcat-dev mailing list archives

From jean-frederic clere <jfcl...@gmail.com>
Subject Re: svn commit: r1138468 - /tomcat/tc6.0.x/trunk/STATUS.txt
Date Thu, 23 Jun 2011 13:35:23 GMT
On 06/22/2011 08:44 PM, Mark Thomas wrote:
> On 22/06/2011 17:43, jean-frederic clere wrote:
>> On 06/22/2011 03:56 PM, markt@apache.org wrote:
>>> Author: markt
>>> Date: Wed Jun 22 13:56:05 2011
>>> New Revision: 1138468
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
>>> Log:
>>> Vote
>>>
>>> Modified:
>>>       tomcat/tc6.0.x/trunk/STATUS.txt
>>>
>>> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
>>>
>>> ==============================================================================
>>>
>>> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
>>> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
>>> @@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
>>>      Based on https://issues.jboss.org/browse/JBWEB-196
>>>      http://people.apache.org/~jfclere/patches/patch.110622.txt
>>>      +1: jfclere
>>> +  -1: markt Separators are defined by the HTTP specification and as
>>> per section
>>> +            2.2 of RFC 2616 must be quoted to be used within a
>>> parameter value.
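Review bot: the -1 recorded against the jfclere backport justifies the veto with RFC 2616 section 2.2 but offers the proposer no concrete way forward; since the rest of this thread settles on back-porting the existing ALLOW_HTTP_SEPARATORS_IN_V0 option from Tomcat 7 rather than changing the default, noting that alternative next to the -1 in STATUS.txt would make the vote actionable for whoever picks the item up.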
>>
>> If you look in org/apache/tomcat/util/http/CookieSupport.java
>> you will see:
>> private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
>>
>> The switch is to be backward compatible with pre-CVE-2007-5333
>> applications.
>
> If I am reading the proposed patch correctly (I may have lost track of
> an '!' along the way), it changes the current behaviour to prevent
> switching to v1 by default.
>
> If the purpose is to allow http separators in v0 cookies then why not
> just back-port the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7?
>
> To be clear, I think:
> - the default should remain as it is
> - if a new option is introduced, it should be a port from Tomcat 7, not
> an entirely new option

Ok, I will propose another patch.

Cheers

Jean-Frederic
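As an added illustration of the point argued in this thread (not Tomcat's CookieSupport and not the proposed patch): a cookie value that only avoids the four Netscape v0 separators can still contain RFC 2616 section 2.2 separators, which is exactly what forces the switch to a quoted v1 value. The class name, the `needsQuoting`/`quote` helpers and the boolean standing in for ALLOW_HTTP_SEPARATORS_IN_V0 are assumptions made for this example, with the assumed meaning that when it is true only the v0 list forces quoting.

```java
// Added example for this thread; not Tomcat code. Shows which cookie values
// must be quoted under the v0 separator list quoted above versus the full
// RFC 2616 section 2.2 separator list.
public final class CookieValueCheck {

    // The same four characters as V0_SEPARATORS in CookieSupport.
    static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};

    // RFC 2616 section 2.2 "separators": any of these inside a value means
    // the value is not a token and must be sent as a quoted-string.
    static final char[] HTTP_SEPARATORS = {
        '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"',
        '/', '[', ']', '?', '=', '{', '}', ' ', '\t'
    };

    static boolean containsAny(String value, char[] set) {
        for (char c : value.toCharArray()) {
            for (char s : set) {
                if (c == s) return true;
            }
        }
        return false;
    }

    // allowHttpSeparatorsInV0 is this example's stand-in for the Tomcat 7
    // ALLOW_HTTP_SEPARATORS_IN_V0 switch (assumed semantics: true keeps the
    // lenient v0 list, false applies the strict RFC 2616 list).
    static boolean needsQuoting(String value, boolean allowHttpSeparatorsInV0) {
        char[] set = allowHttpSeparatorsInV0 ? V0_SEPARATORS : HTTP_SEPARATORS;
        return containsAny(value, set);
    }

    // RFC 2616 quoted-string: wrap in double quotes and escape '\' and '"'.
    static String quote(String value) {
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample values: the last three pass the v0 check but
        // contain '=', '/' or '"', which RFC 2616 requires to be quoted.
        String[] samples = {"abc", "a b", "a=b", "x/y", "say \"hi\""};
        for (String v : samples) {
            boolean strict = needsQuoting(v, false);
            System.out.printf("%-12s strict=%-5b lenient=%-5b -> %s%n",
                v, strict, needsQuoting(v, true), strict ? quote(v) : v);
        }
    }
}
```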

