You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/10/06 08:44:44 UTC
svn commit: r1763518 - in /tomcat/trunk: java/javax/servlet/http/Cookie.java
webapps/docs/changelog.xml
Author: markt
Date: Thu Oct 6 08:44:44 2016
New Revision: 1763518
URL: http://svn.apache.org/viewvc?rev=1763518&view=rev
Log:
When using RFC6265 compliant cookies, the / character should not be allowed in a cookie name since the RFC6265 will drop such cookies as invalid.
Modified:
tomcat/trunk/java/javax/servlet/http/Cookie.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=1763518&r1=1763517&r2=1763518&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/Cookie.java (original)
+++ tomcat/trunk/java/javax/servlet/http/Cookie.java Thu Oct 6 08:44:44 2016
@@ -424,7 +424,11 @@ class RFC6265Validator extends CookieNam
RFC6265Validator() {
super(RFC2616_SEPARATORS);
+ }
+}
+class RFC2109Validator extends RFC6265Validator {
+ RFC2109Validator() {
// special treatment to allow for FWD_SLASH_IS_SEPARATOR property
boolean allowSlash;
String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
@@ -437,11 +441,6 @@ class RFC6265Validator extends CookieNam
allowed.set('/');
}
}
-}
-
-class RFC2109Validator extends RFC6265Validator {
- RFC2109Validator() {
- }
@Override
void validate(String name) {
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1763518&r1=1763517&r2=1763518&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 6 08:44:44 2016
@@ -125,6 +125,11 @@
<bug>60199</bug>: Log a warning if deserialization issues prevent a
session attribute from being loaded. (markt)
</fix>
+ <fix>
+ <bug>60298</bug>: When using RFC6265 compliant cookies, the
+ <code>/</code> character should not be allowed in a cookie name since
+ the RFC6265 will drop such cookies as invalid. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org