Posted to commits@manifoldcf.apache.org by kw...@apache.org on 2010/08/26 19:49:50 UTC

svn commit: r989844 - in /incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie: CookiePolicy.java CookieSpecMediumSecurity.java

Author: kwright
Date: Thu Aug 26 17:49:50 2010
New Revision: 989844

URL: http://svn.apache.org/viewvc?rev=989844&view=rev
Log:
Add ability to lower cookie security, since most browsers permit this.  Part of ticket CONNECTORS-97.

Added:
    incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java   (with props)
Modified:
    incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java

Modified: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java
URL: http://svn.apache.org/viewvc/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java?rev=989844&r1=989843&r2=989844&view=diff
==============================================================================
--- incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java (original)
+++ incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java Thu Aug 26 17:49:50 2010
@@ -69,6 +69,11 @@ public abstract class CookiePolicy {
      */
     public static final String BROWSER_COMPATIBILITY = "compatibility";
     
+    /**
+     * Medium-security browser compatibility setting.
+     */
+    public static final String BROWSER_COMPATIBILITY_MEDIUM_SECURITY = "compatibilitymediumsecurity";
+    
     /** 
      * The Netscape cookie draft compliant policy. 
      * 
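Review bot: The Javadoc on `BROWSER_COMPATIBILITY_MEDIUM_SECURITY` says only "Medium-security browser compatibility setting" and does not tell a caller which validation is relaxed, which matters because this is the string an application passes to select the policy. From `CookieSpecMediumSecurity.validate` in this same commit, the request path is never compared with the cookie's path attribute, so that appears to be the relaxation and the constant's doc should say so: `/** Browser-compatibility policy that performs the host, port, version and domain validation of {@link CookieSpecBase} but does not reject a cookie whose path attribute lies outside the request path; see {@link CookieSpecMediumSecurity}. */`. The registration added in the second hunk of this file needs no change.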
@@ -109,6 +114,7 @@ public abstract class CookiePolicy {
         CookiePolicy.registerCookieSpec(RFC_2109, RFC2109Spec.class);
         CookiePolicy.registerCookieSpec(RFC_2965, RFC2965Spec.class);
         CookiePolicy.registerCookieSpec(BROWSER_COMPATIBILITY, CookieSpecBase.class);
+        CookiePolicy.registerCookieSpec(BROWSER_COMPATIBILITY_MEDIUM_SECURITY, CookieSpecMediumSecurity.class);
         CookiePolicy.registerCookieSpec(NETSCAPE, NetscapeDraftSpec.class);
         CookiePolicy.registerCookieSpec(IGNORE_COOKIES, IgnoreCookiesSpec.class);
     }

Added: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
URL: http://svn.apache.org/viewvc/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java?rev=989844&view=auto
==============================================================================
--- incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java (added)
+++ incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java Thu Aug 26 17:49:50 2010
@@ -0,0 +1,153 @@
+/*
+ * $HeadURL: https://svn.apache.org/repos/asf/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java $
+ * $Revision: 653067 $
+ * $Date: 2008-05-03 08:42:39 -0400 (Sat, 03 May 2008) $
+ *
+ * ====================================================================
+ *
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */ 
+
+package org.apache.commons.httpclient.cookie;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+
+import org.apache.commons.httpclient.Cookie;
+import org.apache.commons.httpclient.Header;
+import org.apache.commons.httpclient.HeaderElement;
+import org.apache.commons.httpclient.NameValuePair;
+import org.apache.commons.httpclient.util.DateParseException;
+import org.apache.commons.httpclient.util.DateUtil;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * 
+ * Cookie management functions shared by all specification.
+ *
+ * @author  B.C. Holmes
+ * @author <a href="mailto:jericho@thinkfree.com">Park, Sung-Gu</a>
+ * @author <a href="mailto:dsale@us.britannica.com">Doug Sale</a>
+ * @author Rod Waldhoff
+ * @author dIon Gillard
+ * @author Sean C. Sullivan
+ * @author <a href="mailto:JEvans@Cyveillance.com">John Evans</a>
+ * @author Marc A. Saegesser
+ * @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
+ * @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike Bowler</a>
+ * 
+ * @since 2.0 
+ */
+public class CookieSpecMediumSecurity extends CookieSpecBase {
+    
+    /** Log object */
+    protected static final Log LOG = LogFactory.getLog(CookieSpecMediumSecurity.class);
+
+    /** Default constructor */
+    public CookieSpecMediumSecurity() {
+        super();
+    }
+
+	/**
+      * Performs most common {@link Cookie} validation
+      *
+      * @param host the host from which the {@link Cookie} was received
+      * @param port the port from which the {@link Cookie} was received
+      * @param path the path from which the {@link Cookie} was received
+      * @param secure <tt>true</tt> when the {@link Cookie} was received using a
+      * secure connection
+      * @param cookie The cookie to validate.
+      * @throws MalformedCookieException if an exception occurs during
+      * validation
+      */
+    
+    public void validate(String host, int port, String path, 
+        boolean secure, final Cookie cookie) 
+        throws MalformedCookieException {
+            
+        LOG.trace("enter CookieSpecMediumSecurity.validate("
+            + "String, port, path, boolean, Cookie)");
+        if (host == null) {
+            throw new IllegalArgumentException(
+                "Host of origin may not be null");
+        }
+        if (host.trim().equals("")) {
+            throw new IllegalArgumentException(
+                "Host of origin may not be blank");
+        }
+        if (port < 0) {
+            throw new IllegalArgumentException("Invalid port: " + port);
+        }
+        if (path == null) {
+            throw new IllegalArgumentException(
+                "Path of origin may not be null.");
+        }
+        if (path.trim().equals("")) {
+            path = PATH_DELIM;
+        }
+        host = host.toLowerCase(Locale.ENGLISH);
+        // check version
+        if (cookie.getVersion() < 0) {
+            throw new MalformedCookieException ("Illegal version number " 
+                + cookie.getValue());
+        }
+
+        // security check... we musn't allow the server to give us an
+        // invalid domain scope
+
+        // Validate the cookies domain attribute.  NOTE:  Domains without 
+        // any dots are allowed to support hosts on private LANs that don't 
+        // have DNS names.  Since they have no dots, to domain-match the 
+        // request-host and domain must be identical for the cookie to sent 
+        // back to the origin-server.
+        if (host.indexOf(".") >= 0) {
+            // Not required to have at least two dots.  RFC 2965.
+            // A Set-Cookie2 with Domain=ajax.com will be accepted.
+
+            // domain must match host
+            if (!host.endsWith(cookie.getDomain())) {
+                String s = cookie.getDomain();
+                if (s.startsWith(".")) {
+                    s = s.substring(1, s.length());
+                }
+                if (!host.equals(s)) { 
+                    throw new MalformedCookieException(
+                        "Illegal domain attribute \"" + cookie.getDomain() 
+                        + "\". Domain of origin: \"" + host + "\"");
+                }
+            }
+        } else {
+            if (!host.equals(cookie.getDomain())) {
+                throw new MalformedCookieException(
+                    "Illegal domain attribute \"" + cookie.getDomain() 
+                    + "\". Domain of origin: \"" + host + "\"");
+            }
+        }
+
+    }
+
+}
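Review bot: `validate` normalizes `path` (the `path.trim().equals("")` branch assigns `PATH_DELIM`) but never reads it afterwards, so a cookie's path attribute is never compared with the request path; presumably this is the check being relaxed relative to `CookieSpecBase`, and it means a response served from one path on a host can set a cookie scoped to a different path on the same host. That relaxation is documented nowhere: the file header still carries the `$HeadURL` of `CookieSpecBase.java`, and the class Javadoc ("Cookie management functions shared by all specification", the base class's author list, `@since 2.0`) was copied unchanged, which misleads anyone reading this class in isolation. Replace the class Javadoc with one that states the contract, e.g. `Browser-compatibility cookie spec that validates host, port, version and domain as {@link CookieSpecBase} does but accepts any path attribute, as common browsers do; select it only where cookies crossing paths on the same host are acceptable.` The imports of `Collection`, `Date`, `LinkedList`, `List`, `Header`, `HeaderElement`, `NameValuePair`, `DateParseException` and `DateUtil` are unused in this file and should be dropped, and the Javadoc opener before `validate` is indented with a tab in otherwise space-indented code.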

Propchange: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
------------------------------------------------------------------------------
    svn:keywords = Id