Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/07/02 19:03:02 UTC

DO NOT REPLY [Bug 10418] New: - logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10418

logic whether URL needs to be encoded in HttpServletResponse.encodeURL() broken

           Summary: logic whether URL needs to be encoded in
                    HttpServletResponse.encodeURL() broken
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
               URL: http://www.freiheit.com/users/hzeller/SessionBugDemonstration.java
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: H.Zeller@acm.org


[ This applies to current 4.1 CVS as well ]
The logic that determines whether a URL needs to be encoded in
HttpServletResponse.encodeURL() is broken.
HttpServletResponseBase.isEncodeable(String location) decides that the
URL need not be encoded if the current session ID came from the cookie;
see this code snippet from HttpServletResponseBase:
-------
    if (hreq.isRequestedSessionIdFromCookie()) {
        return (false);
    }
------

However, this does not take into account that the session ID we got
might be from some previous session that has already been invalidated,
i.e. is not valid. In this case isRequestedSessionIdFromCookie() will
still return true, but that says nothing about whether future (valid)
sessions will come through the cookie.

The fix is easy; the only way to check this correctly is:
---------  
   if (hreq.isRequestedSessionIdFromCookie()  
       && hreq.isRequestedSessionIdValid()) {  
     return (false);  
   }  
---------
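As an added illustration (not code from the report or from Tomcat), the two variants of the cookie test side by side, run on the stale-cookie scenario described above. SessionRequest is a constructed stand-in for the two HttpServletRequest methods the check consults, and the other checks the real isEncodeable() performs are left out:

```java
import java.util.Set;

/** Constructed stand-in for the two HttpServletRequest methods isEncodeable() consults. */
final class SessionRequest {
    private final String requestedId;     // id the client sent (cookie or URL)
    private final boolean fromCookie;     // true if it arrived in a JSESSIONID cookie
    private final Set<String> liveIds;    // ids the container still considers valid

    SessionRequest(String requestedId, boolean fromCookie, Set<String> liveIds) {
        this.requestedId = requestedId;
        this.fromCookie = fromCookie;
        this.liveIds = liveIds;
    }
    boolean isRequestedSessionIdFromCookie() { return fromCookie; }
    boolean isRequestedSessionIdValid() {
        return requestedId != null && liveIds.contains(requestedId);
    }
}

public class EncodeUrlDemo {
    /** The cookie test as quoted from Tomcat 4.0.4: a cookie-borne id alone switches rewriting off.
     *  Only this test is modelled; the real method also checks the session and the URL. */
    static boolean isEncodeableBuggy(SessionRequest hreq) {
        return !hreq.isRequestedSessionIdFromCookie();
    }
    /** The reporter's fix: only a cookie-borne id that is still valid proves cookies work. */
    static boolean isEncodeableFixed(SessionRequest hreq) {
        return !(hreq.isRequestedSessionIdFromCookie() && hreq.isRequestedSessionIdValid());
    }
    /** What encodeURL() does with the decision: append the current session id or not. */
    static String encodeURL(String url, String currentSessionId, boolean encode) {
        return encode ? url + ";jsessionid=" + currentSessionId : url;
    }

    public static void main(String[] args) {
        // Constructed scenario from the report: the browser still sends the cookie of
        // session "A", which the server already invalidated; this request created session "B".
        SessionRequest req = new SessionRequest("A", true, Set.of("B"));
        String url = "/app/next.jsp";
        System.out.println("4.0.4 logic: " + encodeURL(url, "B", isEncodeableBuggy(req)));
        System.out.println("fixed logic: " + encodeURL(url, "B", isEncodeableFixed(req)));
    }
}
```

With the 4.0.4 logic the stale cookie suppresses rewriting, so the id of the newly created session "B" never reaches the URL; with the fix the invalid cookie id is ignored and the link carries the current session id.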
