Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/07/02 19:03:02 UTC
DO NOT REPLY [Bug 10418] New: logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418
Summary: logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken
Product: Tomcat 4
Version: 4.0.4 Final
Platform: All
URL: http://www.freiheit.com/users/hzeller/SessionBugDemonstration.java
OS/Version: Linux
Status: NEW
Severity: Critical
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: H.Zeller@acm.org
[ This applies to current 4.1 CVS as well ]
The logic to determine whether a URL needs to be encoded in
HttpServletResponse.encodeURL() is broken. In
HttpServletResponseBase.isEncodeable(String location), it
decides that the URL needn't be encoded if the current session ID
comes from the cookie; see this code snippet from
HttpServletResponseBase:
-------
if (hreq.isRequestedSessionIdFromCookie()) {
return (false);
}
------
However, this does not take into account that the session ID we received
might come from a previous session that has already been invalidated,
i.e. is no longer valid. In this case isRequestedSessionIdFromCookie() will
return true, but this says nothing about whether future (valid) sessions
will come through the cookie.
The fix is easy; the only way to check this correctly is:
---------
if (hreq.isRequestedSessionIdFromCookie()
&& hreq.isRequestedSessionIdValid()) {
return (false);
}
---------
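The following is an added example, not Tomcat's code and not from the report: a minimal model of the encodeURL() decision in which the reported check and the fixed check are run side by side on the stale-cookie scenario the report describes. SessionStore-style `liveSessions`, `Request` and both `isEncodeable` variants are hypothetical stand-ins for the Catalina classes; only the cookie-origin branch of isEncodeable() is modelled.

```java
import java.util.HashSet;
import java.util.Set;

public class EncodeUrlDemo {
    // Hypothetical stand-in for the session manager: the set of live session IDs.
    static final Set<String> liveSessions = new HashSet<>();

    // Hypothetical stand-in for the parts of HttpServletRequest used by the check.
    static class Request {
        final String requestedId;  // session ID the client sent (null if none)
        final boolean fromCookie;  // true if it arrived in a cookie, false if in the URL
        final String currentId;    // ID of the session the container is now using
        Request(String requestedId, boolean fromCookie, String currentId) {
            this.requestedId = requestedId;
            this.fromCookie = fromCookie;
            this.currentId = currentId;
        }
        boolean isRequestedSessionIdFromCookie() { return requestedId != null && fromCookie; }
        boolean isRequestedSessionIdValid() { return requestedId != null && liveSessions.contains(requestedId); }
    }

    // The check as reported: a cookie-borne ID suppresses URL rewriting, valid or not.
    static boolean isEncodeableBroken(Request r) {
        if (r.isRequestedSessionIdFromCookie()) return false;
        return true;
    }

    // The check with the reporter's fix: only a cookie-borne ID that is still valid
    // proves the client will keep tracking the session through the cookie.
    static boolean isEncodeableFixed(Request r) {
        if (r.isRequestedSessionIdFromCookie() && r.isRequestedSessionIdValid()) return false;
        return true;
    }

    // Simplified rewrite: append the current session ID when encoding is required.
    static String encodeURL(Request r, String url, boolean encodeable) {
        return encodeable ? url + ";jsessionid=" + r.currentId : url;
    }

    public static void main(String[] args) {
        // Constructed scenario: the browser still sends the cookie of session "A",
        // which has been invalidated; the container has created a fresh session "B".
        liveSessions.add("B");
        Request r = new Request("A", true, "B");
        System.out.println("reported logic: " + encodeURL(r, "/app/next", isEncodeableBroken(r)));
        System.out.println("fixed logic:    " + encodeURL(r, "/app/next", isEncodeableFixed(r)));
    }
}
```

With the reported logic the link to /app/next is left unencoded even though the only session ID the client holds is dead, so the new session's ID is never propagated by URL rewriting; with the fix it is appended.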