tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Rfc6265CookieProcessor domain validation errors
Date Thu, 25 Aug 2016 13:59:32 GMT
On 25/08/2016 08:28, Svetlin Zarev wrote:
> Hello!
> 
> The new Rfc6265CookieProcessor fails to validate domains that start with a
> dot. According to rfc6265#5.2.3 [1]:
> 
> If the first character of the attribute-value string is %x2E ("."):
> 
>       Let cookie-domain be the attribute-value without the leading %x2E
>       (".") character.
> Otherwise:
>       Let cookie-domain be the entire attribute-value.
> 
> But Rfc6265CookieProcessor throws an IllegalStateException.
> 
> Steps to reproduce :
> https://gist.github.com/anonymous/d38cdc359ba4cf436b7e55a2757ae1a7
> 
> What do you think ? Is this a bug in the cookie processor or am I
> misunderstanding the RFC ?

This isn't a bug. You are misunderstanding the RFC.

Domain attributes are only sent from servers to user agents.

The general rule to keep in mind is:
"Be lenient in what you accept. Be strict in what you send."

Section 5.2.3 applies to User agents and it is informing them to be
lenient in what they accept since they can, unambiguously, ignore a
leading '.' if present on the domain.

Section 4.1.2.3 is referring to the same behaviour.

Tomcat is strict in what it will allow applications to send. The ABNF
for domain-av does not allow leading '.' so neither does Tomcat.

Tomcat could be lenient here and strip any leading '.' but generally,
Tomcat does not add code to work around application bugs. It expects
those bugs to be fixed in the applications. There are exceptions but
this is one of them and I don't see a compelling case to make it an
exception.

Mark
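The distinction Mark draws above (strict on send per the section 4.1.1 ABNF, lenient on receive per section 5.2.3) is easy to see when both sides are written out. The following is an added illustration for this thread, not Tomcat's Rfc6265CookieProcessor code and not something from the original message; the function names, the regular expression for domain-value (RFC 1034 labels as relaxed by RFC 1123), and the sample cookies are all mine. The server-side check refuses a leading '.', while the user-agent side strips it and lower-cases the result as section 5.2.3 instructs.

```python
"""Two sides of RFC 6265 Domain handling: strict on send, lenient on receive.

Added example for the tomcat-users thread; it is not Tomcat's own code.
"""
import re
from typing import Optional

# --- Server side (RFC 6265 section 4.1.1) ------------------------------------
# domain-av    = "Domain=" domain-value
# domain-value = <subdomain>  ; RFC 1034 section 3.5, as enhanced by RFC 1123 section 2.1
# A <subdomain> is one or more labels joined by ".", so a leading "." is simply
# not grammatical. (Regex is my rendering of that ABNF, assumed here.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_VALUE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_domain_value(value: str) -> str:
    """Reject anything the domain-value ABNF does not allow; return it unchanged otherwise."""
    if value.startswith("."):
        # The case from the thread: a leading dot is a user-agent leniency, not server grammar.
        raise ValueError(f"Domain attribute must not start with '.': {value!r}")
    if not _DOMAIN_VALUE.fullmatch(value):
        raise ValueError(f"Domain attribute is not a valid domain-value: {value!r}")
    return value


def is_valid_domain_value(value: str) -> bool:
    """Boolean form of validate_domain_value, convenient for checks and tests."""
    try:
        validate_domain_value(value)
        return True
    except ValueError:
        return False


def set_cookie_header(name: str, value: str,
                      domain: Optional[str] = None, path: Optional[str] = None) -> str:
    """Build a Set-Cookie header value, validating the Domain attribute before it is sent."""
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append("Domain=" + validate_domain_value(domain))
    if path is not None:
        parts.append("Path=" + path)
    return "; ".join(parts)


# --- User agent side (RFC 6265 sections 5.2 and 5.2.3) -----------------------
def ua_cookie_domain(attribute_value: str) -> Optional[str]:
    """Apply section 5.2.3 to a received Domain attribute-value.

    Returns the cookie-domain the user agent will use, or None when the
    attribute-value is empty and the cookie-av is ignored entirely.
    """
    if attribute_value == "":
        return None
    # Leading %x2E is dropped: it cannot change meaning, because no domain starts with ".".
    cookie_domain = attribute_value[1:] if attribute_value.startswith(".") else attribute_value
    return cookie_domain.lower()


def ua_parse_set_cookie(header: str) -> dict:
    """Minimal section 5.2 parse: name, value and the processed Domain attribute (if any)."""
    name_value, *attrs = header.split(";")
    name, _, value = name_value.partition("=")
    result = {"name": name.strip(), "value": value.strip(), "domain": None}
    for attr in attrs:
        attr_name, _, attr_value = attr.strip().partition("=")
        if attr_name.strip().lower() == "domain":
            # The last Domain attribute seen wins; an empty one is ignored entirely.
            domain = ua_cookie_domain(attr_value.strip())
            if domain is not None:
                result["domain"] = domain
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread's gist.
    print(set_cookie_header("SID", "31d4", domain="example.com", path="/"))
    print("server accepts '.example.com':", is_valid_domain_value(".example.com"))
    print("UA sees Domain=.Example.COM as:",
          ua_parse_set_cookie("SID=31d4; Path=/; Domain=.Example.COM")["domain"])
```

Running it shows the asymmetry in one screen: the server-side builder refuses `.example.com`, while the user-agent parser turns `Domain=.Example.COM` into the cookie-domain `example.com`. An application that wants cookies scoped to a domain and its subdomains gets exactly that from `Domain=example.com`; the leading dot buys nothing on a conforming user agent and is rejected by a strict sender.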


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

