Posted to dev@tomcat.apache.org by kk...@apache.org on 2015/10/25 17:02:03 UTC
svn commit: r1710457 - in /tomcat/tc6.0.x/trunk: STATUS.txt
java/org/apache/tomcat/util/http/Cookies.java webapps/docs/changelog.xml
webapps/docs/config/systemprops.xml
Author: kkolinko
Date: Sun Oct 25 16:02:03 2015
New Revision: 1710457
URL: http://svn.apache.org/viewvc?rev=1710457&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57896
Backport org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER option
This is a backport of r1675821 and r1678180 from Tomcat 7.
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1710457&r1=1710456&r2=1710457&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Oct 25 16:02:03 2015
@@ -28,22 +28,6 @@ None
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57896
- Backport org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER option
-
- Like in Tomcat 7, the fix is to be applied to the call to
- Cookies.processCookieHeader(byte[], int, int)
-
- In Tomcat 6 there is also a call to Cookies.processCookieHeader(String) when
- header value is already a String, but that call does not need this fix, as
- String is immutable, and that method does not perform decoding of embedded '\"'.
- It only strips surrounding '"'s in a value.
-
- http://svn.apache.org/r1675821 (fix)
- http://svn.apache.org/r1678180 (documentation)
- +1: kkolinko, markt, remm
- -1:
-
* Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57943
Prevent the same socket being added to the cache twice. Patch based on
analysis by Ian Luo / Sun Qi.
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?rev=1710457&r1=1710456&r2=1710457&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java Sun Oct 25 16:02:03 2015
@@ -52,6 +52,12 @@ public final class Cookies { // extends
*/
public static final boolean ALLOW_EQUALS_IN_VALUE;
+ /**
+ * If set to true, the cookie header will be preserved. In most cases
+ * except debugging, this is not useful.
+ */
+ public static final boolean PRESERVE_COOKIE_HEADER;
+
/*
List of Separator Characters (see isSeparator())
Excluding the '/' char violates the RFC, but
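Review bot: The Javadoc added for `PRESERVE_COOKIE_HEADER` says only that the header "will be preserved"; it does not say from what, nor that the default is not fixed. Per the static initializer later in this commit, the default follows `ServerCookie.STRICT_SERVLET_COMPLIANCE` when the system property is unset, and the changelog entry describes the effect as a defensive copy so that unescaping double quotes does not corrupt the original header value. I would state both in the comment, e.g. `If true, the "cookie" header is copied before parsing so that unescaping a cookie value does not alter the value returned by HttpServletRequest.getHeader(); defaults to STRICT_SERVLET_COMPLIANCE.` The phrase "not useful except debugging" also seems to understate it, since with the flag off any code that logs, forwards or verifies the raw header sees a value that can differ from what the client sent. The class body continues outside this hunk.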
@@ -75,6 +81,15 @@ public final class Cookies { // extends
ALLOW_EQUALS_IN_VALUE = Boolean.valueOf(System.getProperty(
"org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE",
"false")).booleanValue();
+
+ String preserveCookieHeader = System.getProperty(
+ "org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER");
+ if (preserveCookieHeader == null) {
+ PRESERVE_COOKIE_HEADER = ServerCookie.STRICT_SERVLET_COMPLIANCE;
+ } else {
+ PRESERVE_COOKIE_HEADER =
+ Boolean.valueOf(preserveCookieHeader).booleanValue();
+ }
}
/**
@@ -201,10 +216,18 @@ public final class Cookies { // extends
// Uncomment to test the new parsing code
if( cookieValue.getType() == MessageBytes.T_BYTES ) {
if( dbg>0 ) log( "Parsing b[]: " + cookieValue.toString());
- ByteChunk bc=cookieValue.getByteChunk();
- processCookieHeader( bc.getBytes(),
- bc.getOffset(),
- bc.getLength());
+ ByteChunk bc = cookieValue.getByteChunk();
+ if (PRESERVE_COOKIE_HEADER) {
+ int len = bc.getLength();
+ if (len > 0) {
+ byte[] buf = new byte[len];
+ System.arraycopy(bc.getBytes(), bc.getOffset(), buf, 0, len);
+ processCookieHeader(buf, 0, len);
+ }
+ } else {
+ processCookieHeader(bc.getBytes(), bc.getOffset(),
+ bc.getLength());
+ }
} else {
if( dbg>0 ) log( "Parsing S: " + cookieValue.toString());
processCookieHeader( cookieValue.toString() );
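Review bot: The new `if (PRESERVE_COOKIE_HEADER)` branch has no comment saying why the bytes are copied, so the allocation reads as redundant and could be dropped in a later cleanup. A one-line comment above `byte[] buf = new byte[len];` would cover it: `// Parse a copy: processCookieHeader() may unescape quoted values in place, which would change what getHeader("cookie") returns`. The two branches also differ for an empty header: with the flag set, `processCookieHeader` is skipped when `len` is 0, while the else branch still calls it with length 0. This is presumably equivalent because the parser is expected to return early on empty input, but that is not visible here and is worth confirming. The enclosing method starts before and ends after this hunk.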
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1710457&r1=1710456&r2=1710457&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Oct 25 16:02:03 2015
@@ -51,6 +51,14 @@
including the fix for <bug>57021</bug> that improves logging when the
Tomcat-Native DLL fails to load. (markt)
</fix>
+ <fix>
+ <bug>57896</bug>: Support defensive copying of "cookie" header so that
+ unescaping double quotes in a cookie value does not corrupt original
+ value of "cookie" header. This is an opt-in feature, enabled by
+ <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code>
+ or <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code>
+ system property. (kkolinko)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=1710457&r1=1710456&r2=1710457&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Sun Oct 25 16:02:03 2015
@@ -298,6 +298,7 @@
<p>If this is <code>true</code> the default value will be changed for:
<ul>
<li><code>org.apache.catalina.connector.Request. ALLOW_EMPTY_QUERY_STRING</code> property</li>
+ <li><code>org.apache.tomcat.util.http.ServerCookie. PRESERVE_COOKIE_HEADER</code> property</li>
<li>The <code>webXmlValidation</code> attribute of any
<a href="context.html">Context</a> element.</li>
<li>The <code>webXmlNamespaceAware</code> attribute of any
@@ -349,6 +350,16 @@
<p>If not specified, the default value of <code>true</code> will be used.</p>
</property>
+ <property
+ name="org.apache.tomcat.util.http. ServerCookie.PRESERVE_COOKIE_HEADER">
+ <p>If this is <code>true</code> Tomcat will ensure that cookie
+ processing does not modify cookie header returned by
+ <code>HttpServletRequest.getHeader()</code>.</p>
+ <p>If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is set to
+ <code>true</code>, the default of this setting will be <code>true</code>,
+ else the default value will be <code>false</code>.</p>
+ </property>
+
</properties>
</section>