Posted to users@tomcat.apache.org by Svetlin Zarev <sv...@gmail.com> on 2016/08/25 07:28:28 UTC

Rfc6265CookieProcessor domain validation errors

Hello!

The new Rfc6265CookieProcessor fails to validate domains that start with a
dot. According to rfc6265#5.2.3 [1]:

If the first character of the attribute-value string is %x2E ("."):

      Let cookie-domain be the attribute-value without the leading %x2E
      (".") character.
Otherwise:
      Let cookie-domain be the entire attribute-value.

But Rfc6265CookieProcessor throws an IllegalStateException.

Steps to reproduce:
https://gist.github.com/anonymous/d38cdc359ba4cf436b7e55a2757ae1a7

What do you think? Is this a bug in the cookie processor or am I
misunderstanding the RFC?

[1] https://tools.ietf.org/html/rfc6265#page-20

Best regards,
Svetlin

Re: Rfc6265CookieProcessor domain validation errors

Posted by Svetlin Zarev <sv...@gmail.com>.
Proposed fix: https://github.com/apache/tomcat85/pull/2

2016-08-25 10:28 GMT+03:00 Svetlin Zarev <sv...@gmail.com>:

> Hello!
>
> The new Rfc6265CookieProcessor fails to validate domains that start with a
> dot. According to rfc6265#5.2.3 [1]:
>
> If the first character of the attribute-value string is %x2E ("."):
>
>       Let cookie-domain be the attribute-value without the leading %x2E
>       (".") character.
> Otherwise:
>       Let cookie-domain be the entire attribute-value.
>
> But Rfc6265CookieProcessor throws an IllegalStateException.
>
> Steps to reproduce:
> https://gist.github.com/anonymous/d38cdc359ba4cf436b7e55a2757ae1a7
>
> What do you think? Is this a bug in the cookie processor or am I
> misunderstanding the RFC?
>
> [1] https://tools.ietf.org/html/rfc6265#page-20
>
> Best regards,
> Svetlin
>

Re: Rfc6265CookieProcessor domain validation errors

Posted by Svetlin Zarev <sv...@gmail.com>.
Thanks Mark, this makes sense.

Best regards,
Svetlin


> This isn't a bug. You are misunderstanding the RFC.
>
> Domain attributes are only sent from servers to user agents.
>
> The general rule to keep in mind is:
> "Be lenient in what you accept. Be strict in what you send."
>
> Section 5.2.3 applies to User agents and it is informing them to be
> lenient in what they accept since they can, unambiguously, ignore a
> leading '.' if present on the domain.
>
> Section 4.1.2.3 is referring to the same behaviour.
>
> Tomcat is strict in what it will allow applications to send. The ABNF
> for domain-av does not allow leading '.' so neither does Tomcat.
>
> Tomcat could be lenient here and strip any leading '.' but generally,
> Tomcat does not add code to work around application bugs. It expects
> those bugs to be fixed in the applications. There are exceptions but
> this is one of them and I don't see a compelling case to make it an
> exception.
>
> Mark

Re: Rfc6265CookieProcessor domain validation errors

Posted by Mark Thomas <ma...@apache.org>.
On 25/08/2016 08:28, Svetlin Zarev wrote:
> Hello!
> 
> The new Rfc6265CookieProcessor fails to validate domains that start with a
> dot. According to rfc6265#5.2.3 [1]:
> 
> If the first character of the attribute-value string is %x2E ("."):
> 
>       Let cookie-domain be the attribute-value without the leading %x2E
>       (".") character.
> Otherwise:
>       Let cookie-domain be the entire attribute-value.
> 
> But Rfc6265CookieProcessor throws an IllegalStateException.
> 
> Steps to reproduce:
> https://gist.github.com/anonymous/d38cdc359ba4cf436b7e55a2757ae1a7
> 
> What do you think? Is this a bug in the cookie processor or am I
> misunderstanding the RFC?

This isn't a bug. You are misunderstanding the RFC.

Domain attributes are only sent from servers to user agents.

The general rule to keep in mind is:
"Be lenient in what you accept. Be strict in what you send."

Section 5.2.3 applies to User agents and it is informing them to be
lenient in what they accept since they can, unambiguously, ignore a
leading '.' if present on the domain.

Section 4.1.2.3 is referring to the same behaviour.

Tomcat is strict in what it will allow applications to send. The ABNF
for domain-av does not allow leading '.' so neither does Tomcat.

Tomcat could be lenient here and strip any leading '.' but generally,
Tomcat does not add code to work around application bugs. It expects
those bugs to be fixed in the applications. There are exceptions but
this is one of them and I don't see a compelling case to make it an
exception.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
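The asymmetry Mark describes (strict when sending, lenient when receiving) is easy to see with both sides written out. The following is an added Python example, not code from the thread and not Tomcat's Rfc6265CookieProcessor: `is_valid_domain_value` applies the server-side check by implementing the domain-value grammar that RFC 6265 section 4.1.1 borrows from RFC 1034 section 3.5 and RFC 1123 section 2.1 (our reading of that grammar, with a conventional 253-character length bound added), and `ua_cookie_domain` applies the user-agent steps of section 5.2.3, which drop a leading dot. The sample values at the bottom are constructed for the demonstration.

```python
"""Two sides of RFC 6265 cookie Domain handling: the strict ABNF check a
server applies before sending, and the lenient parse a user agent applies
on receipt (section 5.2.3), which ignores a leading '.'."""
import re
from typing import Optional

# RFC 6265 section 4.1.1: domain-value = <subdomain>, as defined in RFC 1034
# section 3.5 and relaxed by RFC 1123 section 2.1 (labels may start with a
# digit).  A label is 1-63 letters/digits/hyphens that neither starts nor
# ends with a hyphen; labels are joined by single dots, with no leading or
# trailing dot.  This is our reading of the grammar, not Tomcat's code.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_VALUE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_domain_value(value: str) -> bool:
    """Server-side (sending) rule: accept only what the ABNF allows.

    A leading '.' fails here, which is the behaviour discussed in the
    thread.  The 253-character cap is a conventional bound on the textual
    form of a DNS name, added as an extra sanity check (assumption).
    """
    return 0 < len(value) <= 253 and _DOMAIN_VALUE.fullmatch(value) is not None


def ua_cookie_domain(attribute_value: str) -> Optional[str]:
    """User-agent (receiving) steps from RFC 6265 section 5.2.3.

    An empty attribute-value means the attribute is ignored (None);
    otherwise one leading '.' is removed and the result is lower-cased.
    """
    if attribute_value == "":
        return None
    cookie_domain = (attribute_value[1:] if attribute_value.startswith(".")
                     else attribute_value)
    return cookie_domain.lower()


def review_domain(value: str) -> dict:
    """Show both views of one Domain value side by side: a user agent may
    happily accept a value that a strict sender refuses to emit."""
    return {
        "value": value,
        "server_would_send": is_valid_domain_value(value),
        "ua_cookie_domain": ua_cookie_domain(value),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread or from Tomcat.
    for sample in ("example.com", ".example.com", ".Example.COM",
                   "1host.example.com", "-bad.example.com", "example.com.", ""):
        print(review_domain(sample))
```

Running it shows `.example.com` rejected by the sender-side check while the user-agent step still yields `example.com`, which is exactly why an application that emits the leading dot would never notice the problem in a browser but does hit Tomcat's strict validation.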