Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/05/10 06:17:40 UTC
[Bug 59450] New: allowHttpSepsInV0 attribute and
forwardSlashIsSeparator attribute don't handle correctly
https://bz.apache.org/bugzilla/show_bug.cgi?id=59450
Bug ID: 59450
Summary: allowHttpSepsInV0 attribute and
forwardSlashIsSeparator attribute don't handle
correctly
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: nakamura.kyohei.lab@gmail.com
Created attachment 33833
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33833&action=edit
patch against trunk
When the value of a cookie includes a slash character ('/') and the cookie version
is 0, org.apache.tomcat.util.http.LegacyCookieProcessor doesn't handle it
correctly.
If the allowHttpSepsInV0 attribute is set to false and the forwardSlashIsSeparator
attribute is set to true, the cookie value should be quoted.
However, it is not quoted.
If the allowHttpSepsInV0 attribute is false and the forwardSlashIsSeparator
attribute is true, allowedWithoutQuotes.clear('/') should be called.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 59450] allowHttpSepsInV0 attribute and forwardSlashIsSeparator
attribute don't handle correctly
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59450
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report and the patch.
This has been fixed in:
9.0.x for 9.0.0.M5 onwards
8.5.x for 8.5.1 onwards
8.0.x for 8.0.34 onwards
7.0.x and earlier was not affected.
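Added example, not part of the original thread and not Tomcat's source: a simplified Java model of the quoting decision the report describes, using a BitSet named allowedWithoutQuotes as in the report. The class name, the needsQuotes method, the separator lists and the behaviour for the three attribute combinations the report does not discuss are assumptions of this example.

```java
import java.util.BitSet;

// Simplified model of the version 0 quoting decision described in the report.
// Class and method names are hypothetical; this is not Tomcat's implementation.
public class V0QuotingModel {
    // RFC 2616 separators without '/', which is decided separately below.
    private static final String HTTP_SEPS_NO_SLASH = "()<>@,;:\\\"[]?={} \t";
    // Netscape (version 0) separators; assumed list for this example.
    private static final String NETSCAPE_SEPS = ",; ";

    private final BitSet allowedWithoutQuotes = new BitSet(128);

    public V0QuotingModel(boolean allowHttpSepsInV0, boolean forwardSlashIsSeparator) {
        // Start with every printable US-ASCII character allowed unquoted.
        allowedWithoutQuotes.set(0x20, 0x7f);
        String seps = allowHttpSepsInV0 ? NETSCAPE_SEPS : HTTP_SEPS_NO_SLASH;
        for (char c : seps.toCharArray()) {
            allowedWithoutQuotes.clear(c);
        }
        // The state the report asks for: with HTTP separators disallowed in V0
        // values and '/' treated as a separator, '/' must force quoting.
        if (!allowHttpSepsInV0 && forwardSlashIsSeparator) {
            allowedWithoutQuotes.clear('/');
        }
    }

    // True when the value contains a character that may not appear unquoted.
    public boolean needsQuotes(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c >= 128 || !allowedWithoutQuotes.get(c)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String value = "a/b"; // constructed sample cookie value
        for (boolean allow : new boolean[] {false, true}) {
            for (boolean slash : new boolean[] {false, true}) {
                boolean quoted = new V0QuotingModel(allow, slash).needsQuotes(value);
                System.out.printf("allowHttpSepsInV0=%b forwardSlashIsSeparator=%b needsQuotes=%b%n",
                        allow, slash, quoted);
            }
        }
    }
}
```

A regression check for a deployment on one of the fixed versions can follow the same shape: set both attributes on the cookie processor, emit a cookie whose value contains '/', and confirm the Set-Cookie header carries the value in quotes.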