Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/08/18 12:02:58 UTC

[Bug 65505] New: MimeHeaders setValue Order problem

https://bz.apache.org/bugzilla/show_bug.cgi?id=65505

            Bug ID: 65505
           Summary: MimeHeaders setValue Order problem
           Product: Tomcat 9
           Version: 9.0.43
          Hardware: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: liuzehang5@gmail.com
  Target Milestone: -----

If I use Shiro's rememberMe when COMPRESSION is enabled, it will cause
rememberMe's cookie to fail to work.

import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ResponseUtil;
import org.junit.Test;

public class TomcatMixHeadersTest {

    /***
     * === MimeHeaders ===
     * Vary = Origin
     * Vary = Access-Control-Request-Method
     * Vary = Access-Control-Request-Headers
     * Access-Control-Allow-Origin = https://xxxx
     * Access-Control-Allow-Credentials = true
     * Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
     * Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
     */
    @Test
    public void testMimeHeaders() {
        // Build the response headers in the order the application wrote them.
        MimeHeaders responseHeaders = new MimeHeaders();
        responseHeaders.addValue("Vary").setString("Origin");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Method");
        responseHeaders.addValue("Vary").setString("Access-Control-Request-Headers");
        responseHeaders.addValue("Access-Control-Allow-Origin").setString("https://xxxx");
        responseHeaders.addValue("Access-Control-Allow-Credentials").setString("true");
        responseHeaders.addValue("Set-Cookie").setString(
                "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax");
        responseHeaders.addValue("Set-Cookie").setString(
                "rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax");

        System.out.println(responseHeaders);

        // This is the call made when compression is enabled.
        ResponseUtil.addVaryFieldName(responseHeaders, "accept-encoding");

        // Equivalent to the call above:
        // responseHeaders.setValue("Vary").setString("origin,access-control-request-method,access-control-request-headers,accept-encoding");

        System.out.println(responseHeaders);
    }

}


The execution result is

=== MimeHeaders ===
Vary = Origin
Vary = Access-Control-Request-Method
Vary = Access-Control-Request-Headers
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax

=== MimeHeaders ===
Vary = origin,access-control-request-method,access-control-request-headers,accept-encoding
Set-Cookie = rememberMe=rememberMeData; Path=/; Max-Age=1296000; Expires=Thu, 02-Sep-2021 11:19:04 GMT; HttpOnly; SameSite=lax
Set-Cookie = rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Tue, 17-Aug-2021 11:19:04 GMT; SameSite=lax
Access-Control-Allow-Origin = https://xxxx
Access-Control-Allow-Credentials = true

The order of the Set-Cookie headers was changed.

The source code location is:

org/apache/tomcat/embed/tomcat-embed-core/9.0.43/tomcat-embed-core-9.0.43-sources.jar!/org/apache/coyote/CompressionConfig.java:280

org.apache.tomcat.util.http.ResponseUtil#addVaryFieldName(org.apache.tomcat.util.http.MimeHeaders, java.lang.String)

org.apache.tomcat.util.http.MimeHeaders#setValue

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 65505] MimeHeaders setValue Order problem

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65505

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report. The root cause was that the removeHeader method changed
the order.

Fixed in:
- 10.1.x for 10.1.0-M5 onwards
- 10.0.x for 10.0.11 onwards
- 9.0.x for 9.0.53 onwards
- 8.5.x for 8.5.71 onwards

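
A simplified model of the reordering discussed in this thread, added here as an illustration; it is not Tomcat's MimeHeaders code. It assumes the removal filled the gap with the last header in the list (the thread only says that removeHeader changed the order), and the class HeaderOrderDemo, its helpers, and the simplified client cookie jar are hypothetical. Cookie values are the ones from the report with the Expires and SameSite attributes omitted.

```java
import java.util.*;

// Simplified model, not Tomcat's MimeHeaders (assumption: removal swaps in the last entry).
public class HeaderOrderDemo {

    // Keep the first header called `name` and drop later ones, which is the
    // effect setValue("Vary") has in the report's second dump.
    static void dropDuplicates(List<String[]> h, String name, boolean swapWithLast) {
        int first = -1;
        for (int i = 0; i < h.size(); i++) {
            if (!h.get(i)[0].equalsIgnoreCase(name)) continue;
            if (first < 0) { first = i; continue; }
            if (swapWithLast) {
                String[] last = h.remove(h.size() - 1);
                if (i < h.size()) h.set(i, last);   // last entry jumps into the gap
            } else {
                h.remove(i);                        // later entries shift up, order kept
            }
            i--;                                    // re-examine the slot just refilled
        }
    }

    // What a client stores when it applies Set-Cookie headers in wire order.
    static Map<String, String> cookieJar(List<String[]> h) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (String[] f : h) {
            if (!f[0].equalsIgnoreCase("Set-Cookie")) continue;
            String[] attrs = f[1].split(";\\s*");
            String[] nv = attrs[0].split("=", 2);
            if (Arrays.asList(attrs).contains("Max-Age=0")) jar.remove(nv[0]);
            else jar.put(nv[0], nv[1]);
        }
        return jar;
    }

    static List<String[]> sample() {   // headers from the report, shortened
        List<String[]> h = new ArrayList<>();
        for (String v : new String[] {"Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"})
            h.add(new String[] {"Vary", v});
        h.add(new String[] {"Access-Control-Allow-Origin", "https://xxxx"});
        h.add(new String[] {"Access-Control-Allow-Credentials", "true"});
        h.add(new String[] {"Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0"});
        h.add(new String[] {"Set-Cookie", "rememberMe=rememberMeData; Path=/; Max-Age=1296000"});
        return h;
    }

    public static void main(String[] args) {
        for (boolean swap : new boolean[] {true, false}) {
            List<String[]> h = sample();
            dropDuplicates(h, "Vary", swap);
            System.out.println((swap ? "swap-with-last" : "order-preserving") + " -> cookies: " + cookieJar(h));
        }
    }
}
```

With swap-with-last removal the deleteMe cookie ends up after the real rememberMe value, so a client that processes Set-Cookie in order discards the session cookie; order-preserving removal keeps it.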