Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/01 21:48:06 UTC
svn commit: r1621875 -
/tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java
Author: markt
Date: Mon Sep 1 19:48:06 2014
New Revision: 1621875
URL: http://svn.apache.org/r1621875
Log:
Fix handling of invalid cookie versions
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java?rev=1621875&r1=1621874&r2=1621875&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/parser/Cookie.java Mon Sep 1 19:48:06 2014
@@ -115,10 +115,17 @@ public class Cookie {
skipLWS(bb);
ByteBuffer value = readCookieValue(bb);
- if (value != null && value.remaining() == 1 && value.get() == (byte) 49) {
- // $Version=1 -> RFC2109
- parseCookieRfc2109(bb, serverCookies);
- return;
+ if (value != null && value.remaining() == 1) {
+ if (value.get() == (byte) 49) {
+ // $Version=1 -> RFC2109
+ parseCookieRfc2109(bb, serverCookies);
+ return;
+ } else {
+ // Unrecognised version.
+ // Ignore this header.
+ value.rewind();
+ logInvalidVersion(value);
+ }
} else {
// Unrecognised version.
// Ignore this header.
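Review bot: The new inner `else` depends on `value.rewind()` undoing the `value.get()` consumed by the comparison, and nothing in the code says so. A later edit that reorders or drops the rewind would log an empty or wrong version without any visible failure. I would add a comment above the rewind, `// get() consumed the version byte; restore it so the log shows what was received`, and write the comparison as `if (value.get() == (byte) '1') {` rather than the bare `49`. The inner `else` also repeats the comment of the outer unrecognised-version branch and, presumably, its log call, so the two could be folded into one path. The enclosing method starts and ends outside this hunk, so whether parsing of the header actually stops after the log call cannot be confirmed from here.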
@@ -350,8 +357,8 @@ public class Cookie {
if (value == null) {
version = sm.getString("cookie.valueNotPresent");
} else {
- version = new String(value.bytes, value.position(), value.limit(),
- StandardCharsets.UTF_8);
+ version = new String(value.bytes, value.position(),
+ value.limit() - value.position(), StandardCharsets.UTF_8);
}
String message = sm.getString("cookie.invalidCookieVersion", version);
switch (logMode) {
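Review bot: The `version` string built here is taken from the request's Cookie header and is passed straight into the `cookie.invalidCookieVersion` log message. It is worth confirming that control characters such as CR and LF cannot reach this point, and that the logged length is bounded. The octets that `readCookieValue` accepts are not shown in this hunk, so this is a check to make rather than a confirmed defect. For the length argument, `value.remaining()` is already used in the first hunk and would read more clearly than `value.limit() - value.position()`, assuming it computes the same quantity. The body of this method begins and ends outside the hunk.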