Posted to commits@manifoldcf.apache.org by kw...@apache.org on 2010/08/26 19:49:50 UTC
svn commit: r989844 - in
/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie:
CookiePolicy.java CookieSpecMediumSecurity.java
Author: kwright
Date: Thu Aug 26 17:49:50 2010
New Revision: 989844
URL: http://svn.apache.org/viewvc?rev=989844&view=rev
Log:
Add ability to lower cookie security, since most browsers permit this. Part of ticket CONNECTORS-97.
Added:
incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java (with props)
Modified:
incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java
Modified: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java
URL: http://svn.apache.org/viewvc/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java?rev=989844&r1=989843&r2=989844&view=diff
==============================================================================
--- incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java (original)
+++ incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookiePolicy.java Thu Aug 26 17:49:50 2010
@@ -69,6 +69,11 @@ public abstract class CookiePolicy {
*/
public static final String BROWSER_COMPATIBILITY = "compatibility";
+ /**
+ * Medium-security browser compatibility setting.
+ */
+ public static final String BROWSER_COMPATIBILITY_MEDIUM_SECURITY = "compatibilitymediumsecurity";
+
/**
* The Netscape cookie draft compliant policy.
*
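Review bot: The Javadoc on `BROWSER_COMPATIBILITY_MEDIUM_SECURITY` does not say which checks the policy relaxes, so a caller selecting it by name cannot judge what is being given up. The same gap recurs in the added CookieSpecMediumSecurity.java, whose class comment ("Cookie management functions shared by all specification"), `@since 2.0` and `$HeadURL` keyword still describe CookieSpecBase. In the visible `validate` body, `path` is normalised and then never compared with the cookie's path, so that appears to be the relaxation and should be stated. Suggested text for the constant: `Browser-compatibility policy with relaxed validation: the cookie's path attribute is not checked against the request path. Weaker than BROWSER_COMPATIBILITY; enable only for clients that need it.` The enclosing class continues outside this hunk.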
@@ -109,6 +114,7 @@ public abstract class CookiePolicy {
CookiePolicy.registerCookieSpec(RFC_2109, RFC2109Spec.class);
CookiePolicy.registerCookieSpec(RFC_2965, RFC2965Spec.class);
CookiePolicy.registerCookieSpec(BROWSER_COMPATIBILITY, CookieSpecBase.class);
+ CookiePolicy.registerCookieSpec(BROWSER_COMPATIBILITY_MEDIUM_SECURITY, CookieSpecMediumSecurity.class);
CookiePolicy.registerCookieSpec(NETSCAPE, NetscapeDraftSpec.class);
CookiePolicy.registerCookieSpec(IGNORE_COOKIES, IgnoreCookiesSpec.class);
}
Added: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
URL: http://svn.apache.org/viewvc/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java?rev=989844&view=auto
==============================================================================
--- incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java (added)
+++ incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java Thu Aug 26 17:49:50 2010
@@ -0,0 +1,153 @@
+/*
+ * $HeadURL: https://svn.apache.org/repos/asf/incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java $
+ * $Revision: 653067 $
+ * $Date: 2008-05-03 08:42:39 -0400 (Sat, 03 May 2008) $
+ *
+ * ====================================================================
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.commons.httpclient.cookie;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+
+import org.apache.commons.httpclient.Cookie;
+import org.apache.commons.httpclient.Header;
+import org.apache.commons.httpclient.HeaderElement;
+import org.apache.commons.httpclient.NameValuePair;
+import org.apache.commons.httpclient.util.DateParseException;
+import org.apache.commons.httpclient.util.DateUtil;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * Cookie management functions shared by all specification.
+ *
+ * @author B.C. Holmes
+ * @author <a href="mailto:jericho@thinkfree.com">Park, Sung-Gu</a>
+ * @author <a href="mailto:dsale@us.britannica.com">Doug Sale</a>
+ * @author Rod Waldhoff
+ * @author dIon Gillard
+ * @author Sean C. Sullivan
+ * @author <a href="mailto:JEvans@Cyveillance.com">John Evans</a>
+ * @author Marc A. Saegesser
+ * @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
+ * @author <a href="mailto:mbowler@GargoyleSoftware.com">Mike Bowler</a>
+ *
+ * @since 2.0
+ */
+public class CookieSpecMediumSecurity extends CookieSpecBase {
+
+ /** Log object */
+ protected static final Log LOG = LogFactory.getLog(CookieSpecMediumSecurity.class);
+
+ /** Default constructor */
+ public CookieSpecMediumSecurity() {
+ super();
+ }
+
+ /**
+ * Performs most common {@link Cookie} validation
+ *
+ * @param host the host from which the {@link Cookie} was received
+ * @param port the port from which the {@link Cookie} was received
+ * @param path the path from which the {@link Cookie} was received
+ * @param secure <tt>true</tt> when the {@link Cookie} was received using a
+ * secure connection
+ * @param cookie The cookie to validate.
+ * @throws MalformedCookieException if an exception occurs during
+ * validation
+ */
+
+ public void validate(String host, int port, String path,
+ boolean secure, final Cookie cookie)
+ throws MalformedCookieException {
+
+ LOG.trace("enter CookieSpecMediumSecurity.validate("
+ + "String, port, path, boolean, Cookie)");
+ if (host == null) {
+ throw new IllegalArgumentException(
+ "Host of origin may not be null");
+ }
+ if (host.trim().equals("")) {
+ throw new IllegalArgumentException(
+ "Host of origin may not be blank");
+ }
+ if (port < 0) {
+ throw new IllegalArgumentException("Invalid port: " + port);
+ }
+ if (path == null) {
+ throw new IllegalArgumentException(
+ "Path of origin may not be null.");
+ }
+ if (path.trim().equals("")) {
+ path = PATH_DELIM;
+ }
+ host = host.toLowerCase(Locale.ENGLISH);
+ // check version
+ if (cookie.getVersion() < 0) {
+ throw new MalformedCookieException ("Illegal version number "
+ + cookie.getValue());
+ }
+
+ // security check... we musn't allow the server to give us an
+ // invalid domain scope
+
+ // Validate the cookies domain attribute. NOTE: Domains without
+ // any dots are allowed to support hosts on private LANs that don't
+ // have DNS names. Since they have no dots, to domain-match the
+ // request-host and domain must be identical for the cookie to sent
+ // back to the origin-server.
+ if (host.indexOf(".") >= 0) {
+ // Not required to have at least two dots. RFC 2965.
+ // A Set-Cookie2 with Domain=ajax.com will be accepted.
+
+ // domain must match host
+ if (!host.endsWith(cookie.getDomain())) {
+ String s = cookie.getDomain();
+ if (s.startsWith(".")) {
+ s = s.substring(1, s.length());
+ }
+ if (!host.equals(s)) {
+ throw new MalformedCookieException(
+ "Illegal domain attribute \"" + cookie.getDomain()
+ + "\". Domain of origin: \"" + host + "\"");
+ }
+ }
+ } else {
+ if (!host.equals(cookie.getDomain())) {
+ throw new MalformedCookieException(
+ "Illegal domain attribute \"" + cookie.getDomain()
+ + "\". Domain of origin: \"" + host + "\"");
+ }
+ }
+
+ }
+
+}
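Review bot: The domain check in `validate` uses `host.endsWith(cookie.getDomain())` with no label boundary, so for a constructed host `www.example.com` a Domain attribute of `ample.com` or `com` is accepted and the cookie ends up scoped to names the origin server does not own. `cookie.getDomain()` is also dereferenced without a null check; whether callers always set a default domain is not visible here. I would normalise the domain once and accept only the host itself or a dot-delimited parent, as in the sketch below; refusing bare top-level or public-suffix domains would need an additional rule. Separately, the version error concatenates `cookie.getValue()` where `cookie.getVersion()` was meant, which puts the cookie value into the exception message and any log that records it.

```java
// … unchanged: argument checks, host lower-casing, version check …
String domain = cookie.getDomain();
if (domain == null) {
    throw new MalformedCookieException("Missing domain attribute");
}
if (host.indexOf(".") >= 0) {
    // compare without the optional leading dot
    String bare = domain.startsWith(".") ? domain.substring(1) : domain;
    // accept the host itself, or a parent domain that starts on a label boundary
    boolean sameHost = host.equals(bare);
    boolean parentOnBoundary = bare.length() > 0 && host.endsWith("." + bare);
    if (!sameHost && !parentOnBoundary) {
        throw new MalformedCookieException(
            "Illegal domain attribute \"" + domain
            + "\". Domain of origin: \"" + host + "\"");
    }
} else if (!host.equals(domain)) {
    // dotless hosts (private LAN names) must match exactly, as before
    throw new MalformedCookieException(
        "Illegal domain attribute \"" + domain
        + "\". Domain of origin: \"" + host + "\"");
}
```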
Propchange: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: incubator/lcf/upstream/commons-httpclient-3x/src/java/org/apache/commons/httpclient/cookie/CookieSpecMediumSecurity.java
------------------------------------------------------------------------------
svn:keywords = Id