tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 59925] New: LegacyCookieProcessor does not allow the Cookie header with the Path attribute including the leading slash under specific conditions
Date Tue, 02 Aug 2016 09:27:33 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59925

            Bug ID: 59925
           Summary: LegacyCookieProcessor does not allow the Cookie header
                    with the Path attribute including the leading slash
                    under specific conditions
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: nakamura.kyohei.lab@gmail.com

Created attachment 34089
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34089&action=edit
patch against trunk

If forwardSlashIsSeparator and allowHttpSepsInV0 are set to true, the
LegacyCookieProcessor should allow the Cookie header with the Path attribute
including the leading slash.
However, this is not allowed.

For example, if the LegacyCookieProcessor parses the following Cookie header,

    $Version=0;cname=cvalue;$Path=/example

Expected: The return value of ServerCookie.getPath is "/example".
Actual: The return value of ServerCookie.getPath is null.

Since the slash is not the version 0 separator, the LegacyCookieProcessor
should allow "$Path=/example".

I think this issue was triggered by r1628368, in which the exclamation mark
for isV0Separator was accidentally removed.
I made a patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
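
A simplified model of the token scan described in this report, as an added example that is not Tomcat's source and not the attached patch. The separator sets, the `path` helper and its `negated` flag are assumptions made for illustration; the header is the one from the report.

```java
// Simplified model of version 0 cookie token scanning; NOT Tomcat's source.
public class V0PathTokenModel {
    // Assumed separator sets for this model.
    static final String HTTP_SEPARATORS = "\t \"(),:;<=>?@[\\]{}";
    static final String V0_SEPARATORS = ",; \t";

    static boolean isHttpSeparator(char c, boolean forwardSlashIsSeparator) {
        return HTTP_SEPARATORS.indexOf(c) >= 0 || (forwardSlashIsSeparator && c == '/');
    }

    static boolean isV0Separator(char c) {
        return V0_SEPARATORS.indexOf(c) >= 0;
    }

    // Returns the $Path value, or null when the scan stops on the first character.
    // negated=true keeps the '!' in front of isV0Separator; false models its loss.
    static String path(String header, boolean allowHttpSepsInV0,
                       boolean forwardSlashIsSeparator, boolean negated) {
        String key = "$Path=";
        int start = header.indexOf(key);
        if (start < 0) return null;
        start += key.length();
        int pos = start;
        while (pos < header.length()) {
            char c = header.charAt(pos);
            boolean v0 = isV0Separator(c);
            // An HTTP separator is tolerated in a V0 token only if it is not a V0 separator.
            boolean tolerated = allowHttpSepsInV0 && c != '=' && (negated ? !v0 : v0);
            if (isHttpSeparator(c, forwardSlashIsSeparator) && !tolerated) break;
            pos++;
        }
        return pos == start ? null : header.substring(start, pos);
    }

    public static void main(String[] args) {
        String header = "$Version=0;cname=cvalue;$Path=/example"; // header from the report
        String fixed = path(header, true, true, true);
        String broken = path(header, true, true, false);
        System.out.println("with negation:    " + fixed);
        System.out.println("without negation: " + broken);
        if (!"/example".equals(fixed) || broken != null) {
            throw new AssertionError("model does not reproduce the report");
        }
        // A real V0 separator must still end the value when the check is negated.
        if (!"/a".equals(path("$Path=/a;x=y", true, true, true))) throw new AssertionError();
    }
}
```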
