Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/08/18 12:02:58 UTC
[Bug 65505] New: MimeHeaders setValue Order problem
https://bz.apache.org/bugzilla/show_bug.cgi?id=65505
Bug ID: 65505
Summary: MimeHeaders setValue Order problem
Product: Tomcat 9
Version: 9.0.43
Hardware: All
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: liuzehang5@gmail.com
Target Milestone: -----
If I use Shiro's rememberMe when COMPRESSION is enabled, it will cause
rememberMe's cookie to fail to work
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ResponseUtil;
import org.junit.Test;

public class TomcatMixHeadersTest {
    /***
     * === MimeHeaders ===
     * Vary = Origin
     * Vary = Access-Control-Request-Method
     * Vary = Access-Control-Request-Headers
     * Access-Control-Allow-Origin = https://xxxx
     * Access-Control-Allow-Credentials = true
     * Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
     * Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
     */
    @Test
    public void testMimeHeaders() {
        MimeHeaders responseHeaders = new MimeHeaders();
        responseHeaders.addValue("Vary").setString("Origin");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Method");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Headers");
        responseHeaders.addValue("Access-Control-Allow-Origin").setString("https://xxxx");
        responseHeaders.addValue("Access-Control-Allow-Credentials").setString("true");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax");
        responseHeaders.addValue("Set-Cookie").setString("rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax");
        System.out.println(responseHeaders);
        ResponseUtil.addVaryFieldName(responseHeaders, "accept-encoding");
        // same as the code above
        responseHeaders.setValue("Vary").setString("origin,access-control-request-method,access-control-request-headers,accept-encoding");
        System.out.println(responseHeaders);
    }
}
The execution result is
=== MimeHeaders ===
Vary = Origin
Vary = Access-Control-Request-Method
Vary = Access-Control-Request-Headers
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
=== MimeHeaders ===
Vary = origin,access-control-request-method,access-control-request-headers,accept-encoding
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true
The order of the Set-Cookie headers was changed.
The code source address is:
org/apache/tomcat/embed/tomcat-embed-core/9.0.43/tomcat-embed-core-9.0.43-sources.jar!/org/apache/coyote/CompressionConfig.java:280
org.apache.tomcat.util.http.ResponseUtil#addVaryFieldName(org.apache.tomcat.util.http.MimeHeaders, java.lang.String)
org.apache.tomcat.util.http.MimeHeaders#setValue
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65505] MimeHeaders setValue Order problem
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65505
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
OS| |All
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report. The root cause was that the removeHeader method changed
the order.
Fixed in:
- 10.1.x for 10.1.0-M5 onwards
- 10.0.x for 10.0.11 onwards
- 9.0.x for 9.0.53 onwards
- 8.5.x for 8.5.71 onwards
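Added example, not part of the original thread and not Tomcat's code: a simplified Java model of the reordering, assuming the pre-fix removal filled the vacated slot with the last entry of the list (the class HeaderOrderDemo and its methods are hypothetical, and the cookie attributes are shortened from the report). Under that assumption the Vary rewrite yields the Set-Cookie order shown in the report's second dump, with the deleteMe cookie last, while an order-preserving removal keeps deleteMe ahead of the real rememberMe cookie.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of an ordered header list; NOT Tomcat's MimeHeaders class.
public class HeaderOrderDemo {
    private final List<String[]> fields = new ArrayList<>(); // {name, value}
    private final boolean swapRemove;

    HeaderOrderDemo(boolean swapRemove) { this.swapRemove = swapRemove; }

    void add(String name, String value) { fields.add(new String[] {name, value}); }

    void remove(int idx) {
        int last = fields.size() - 1;
        if (swapRemove) {
            fields.set(idx, fields.get(last)); // assumed pre-fix: last entry fills the hole
            fields.remove(last);
        } else {
            fields.remove(idx);                // order-preserving: later entries shift down
        }
    }

    // Keep the first field with this name, drop later duplicates, replace its value.
    void set(String name, String value) {
        for (int i = 0; i < fields.size(); i++) {
            if (!fields.get(i)[0].equalsIgnoreCase(name)) continue;
            for (int j = i + 1; j < fields.size(); j++) {
                if (fields.get(j)[0].equalsIgnoreCase(name)) remove(j--);
            }
            fields.get(i)[1] = value;
            return;
        }
        add(name, value);
    }

    // Header set from the report (cookie attributes shortened), then the Vary rewrite.
    static List<String> cookieOrder(boolean swapRemove) {
        HeaderOrderDemo h = new HeaderOrderDemo(swapRemove);
        for (String v : new String[] {"Origin", "Access-Control-Request-Method",
                "Access-Control-Request-Headers"}) h.add("Vary", v);
        h.add("Access-Control-Allow-Origin", "https://xxxx");
        h.add("Access-Control-Allow-Credentials", "true");
        h.add("Set-Cookie", "rememberMe=deleteMe; Max-Age=0");
        h.add("Set-Cookie", "rememberMe=rememberMeData; Max-Age=1296000");
        h.set("Vary", "origin,access-control-request-method,"
                + "access-control-request-headers,accept-encoding");
        List<String> cookies = new ArrayList<>();
        for (String[] f : h.fields) if (f[0].equals("Set-Cookie")) cookies.add(f[1]);
        return cookies;
    }

    public static void main(String[] args) {
        System.out.println("swap-remove:      " + cookieOrder(true));
        System.out.println("order-preserving: " + cookieOrder(false));
    }
}
```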