Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/30 09:47:58 UTC
svn commit: r1628367 -
/tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
Author: markt
Date: Tue Sep 30 07:47:58 2014
New Revision: 1628367
URL: http://svn.apache.org/r1628367
Log:
Restore throwing of IAE for control characters in cookie header removed in r1628366
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java?rev=1628367&r1=1628366&r2=1628367&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java Tue Sep 30 07:47:58 2014
@@ -204,7 +204,7 @@ public final class LegacyCookieProcessor
// Skip whitespace and non-token characters (separators)
while (pos < end &&
- (httpSeparatorFlags[(char) bytes[pos]] &&
+ (isHttpSeparator((char) bytes[pos]) &&
!getAllowHttpSepsInV0() ||
CookieSupport.isV0Separator((char) bytes[pos]) ||
isWhiteSpace(bytes[pos])))
@@ -273,7 +273,7 @@ public final class LegacyCookieProcessor
if (version == 0 &&
!CookieSupport.isV0Separator((char)bytes[pos]) &&
getAllowHttpSepsInV0() ||
- !httpSeparatorFlags[(char)bytes[pos]] ||
+ !isHttpSeparator((char)bytes[pos]) ||
bytes[pos] == '=') {
// Token
valueStart = pos;
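Review bot: The control-character rejection now happens as a side effect of `isHttpSeparator`, but in this condition the call sits behind `||`, so it is skipped whenever `version == 0 && !CookieSupport.isV0Separator(...) && getAllowHttpSepsInV0()` is already true. Whether a control byte at `pos` is still rejected on that path depends on `CookieSupport.isV0Separator` and on the later token scan, neither of which is visible in this hunk. If rejection is meant to be unconditional here, evaluating the call before the `if`, e.g. `final boolean httpSep = isHttpSeparator((char) bytes[pos]);`, and using `!httpSep` in the condition removes the dependence on operand order. Failing that, a comment on the condition should say which operand is relied on for validation. The enclosing method starts and ends outside the hunk.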
@@ -440,7 +440,7 @@ public final class LegacyCookieProcessor
int version, boolean isName){
int pos = off;
while (pos < end &&
- (!httpSeparatorFlags[(char)bytes[pos]] ||
+ (!isHttpSeparator((char)bytes[pos]) ||
version == 0 && getAllowHttpSepsInV0() && bytes[pos] != '=' &&
!CookieSupport.isV0Separator((char)bytes[pos]) ||
!isName && bytes[pos] == '=' && getAllowEqualsInValue())) {
@@ -454,6 +454,17 @@ public final class LegacyCookieProcessor
}
+ private boolean isHttpSeparator(final char c) {
+ if (c < 0x20 || c >= 0x7f) {
+ if (c != 0x09) {
+ throw new IllegalArgumentException(
+ "Control character in cookie value or attribute.");
+ }
+ }
+
+ return httpSeparatorFlags[c];
+ }
+
/**
* Given a starting position after an initial quote character, this gets
* the position of the end quote. This escapes anything after a '\' char
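Review bot: `isHttpSeparator` is named like a pure predicate but throws `IllegalArgumentException`, and the new method has no Javadoc saying so. A short doc comment should state that any character below 0x20 or at or above 0x7f, other than TAB (0x09), is rejected before the `httpSeparatorFlags` lookup, and that the range test presumably also keeps the index within the table, whose size is not visible here. The test matches more than control characters: the call sites pass `(char) bytes[pos]`, which sign-extends byte values of 0x80 and above to chars of 0xFF80 and above, so non-ASCII input is reported as "Control character". If callers do not depend on the exact text, a message such as `"Invalid character 0x" + Integer.toHexString(c) + " in cookie value or attribute."` would make rejected requests easier to diagnose. The nested `if` can also be written as a single condition, `if ((c < 0x20 && c != 0x09) || c >= 0x7f)`.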