Posted to dev@tomcat.apache.org by ma...@apache.org on 2011/06/22 15:56:05 UTC

svn commit: r1138468 - /tomcat/tc6.0.x/trunk/STATUS.txt

Author: markt
Date: Wed Jun 22 13:56:05 2011
New Revision: 1138468

URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
Log:
Vote

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
@@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
   Based on https://issues.jboss.org/browse/JBWEB-196
   http://people.apache.org/~jfclere/patches/patch.110622.txt
   +1: jfclere
+  -1: markt Separators are defined by the HTTP specification and as per section
+            2.2 of RFC 2616 must be quoted to be used within a parameter value.
   -1
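Review bot: the new vote on the `+  -1: markt …` lines lands above the existing `  -1` context line instead of being recorded on it, so after the hunk that line is left as a marker with no entry. Either move the two added lines under the existing `  -1` line or fold the entry into it so the item keeps a single +1/-1 block like the surrounding entries. The justification itself is accurate as written: RFC 2616 section 2.2 is where the separator characters and the quoted-string form are defined.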



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1138468 - /tomcat/tc6.0.x/trunk/STATUS.txt

Posted by jean-frederic clere <jf...@gmail.com>.
On 06/22/2011 08:44 PM, Mark Thomas wrote:
> On 22/06/2011 17:43, jean-frederic clere wrote:
>> On 06/22/2011 03:56 PM, markt@apache.org wrote:
>>> Author: markt
>>> Date: Wed Jun 22 13:56:05 2011
>>> New Revision: 1138468
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
>>> Log:
>>> Vote
>>>
>>> Modified:
>>>       tomcat/tc6.0.x/trunk/STATUS.txt
>>>
>>> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
>>>
>>> ==============================================================================
>>>
>>> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
>>> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
>>> @@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
>>>      Based on https://issues.jboss.org/browse/JBWEB-196
>>>      http://people.apache.org/~jfclere/patches/patch.110622.txt
>>>      +1: jfclere
>>> +  -1: markt Separators are defined by the HTTP specification and as
>>> per section
>>> +            2.2 of RFC 2616 must be quoted to be used within a
>>> parameter value.
>>
>> If you look in org/apache/tomcat/util/http/CookieSupport.java
>> you will see:
>> private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
>>
>> The switch is to be backward compatible with pre CVE-2007-5333
>> applications.
>
> If I am reading the proposed patch correctly (I may have lost track of
> an '!' along the way), it changes the current behaviour to prevent
> switching to v1 by default.
>
> If the purpose is to allow http separators in v0 cookies then why not
> just back-port the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7?
>
> To be clear, I think:
> - the default should remain as it is
> - if a new option is introduced, it should be a port from Tomcat 7, not
> an entirely new option

OK, I will propose another patch.

Cheers

Jean-Frederic



Re: svn commit: r1138468 - /tomcat/tc6.0.x/trunk/STATUS.txt

Posted by Mark Thomas <ma...@apache.org>.
On 22/06/2011 17:43, jean-frederic clere wrote:
> On 06/22/2011 03:56 PM, markt@apache.org wrote:
>> Author: markt
>> Date: Wed Jun 22 13:56:05 2011
>> New Revision: 1138468
>>
>> URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
>> Log:
>> Vote
>>
>> Modified:
>>      tomcat/tc6.0.x/trunk/STATUS.txt
>>
>> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
>> URL:
>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
>> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
>> @@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
>>     Based on https://issues.jboss.org/browse/JBWEB-196
>>     http://people.apache.org/~jfclere/patches/patch.110622.txt
>>     +1: jfclere
>> +  -1: markt Separators are defined by the HTTP specification and as
>> per section
>> +            2.2 of RFC 2616 must be quoted to be used within a
>> parameter value.
> 
> If you look in org/apache/tomcat/util/http/CookieSupport.java
> you will see:
> private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
> 
> The switch is to be backward compatible with pre CVE-2007-5333
> applications.

If I am reading the proposed patch correctly (I may have lost track of
an '!' along the way), it changes the current behaviour to prevent
switching to v1 by default.

If the purpose is to allow http separators in v0 cookies then why not
just back-port the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7?

To be clear, I think:
- the default should remain as it is
- if a new option is introduced, it should be a port from Tomcat 7, not
an entirely new option

Mark





Re: svn commit: r1138468 - /tomcat/tc6.0.x/trunk/STATUS.txt

Posted by jean-frederic clere <jf...@gmail.com>.
On 06/22/2011 03:56 PM, markt@apache.org wrote:
> Author: markt
> Date: Wed Jun 22 13:56:05 2011
> New Revision: 1138468
>
> URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
> Log:
> Vote
>
> Modified:
>      tomcat/tc6.0.x/trunk/STATUS.txt
>
> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
> URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
> ==============================================================================
> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
> @@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
>     Based on https://issues.jboss.org/browse/JBWEB-196
>     http://people.apache.org/~jfclere/patches/patch.110622.txt
>     +1: jfclere
> +  -1: markt Separators are defined by the HTTP specification and as per section
> +            2.2 of RFC 2616 must be quoted to be used within a parameter value.

If you look in org/apache/tomcat/util/http/CookieSupport.java
you will see:
private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};

The switch is to be backward compatible with pre CVE-2007-5333 applications.

Cheers

Jean-Frederic

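As an added example (not Tomcat's CookieSupport code and not the patch under discussion), the class below puts the four-character V0_SEPARATORS list Jean-Frederic quotes next to the full separator set from RFC 2616 section 2.2, and shows the behaviour Mark describes: a value containing a separator is quoted and the cookie is upgraded to Version=1, and a switch in the spirit of Tomcat 7's ALLOW_HTTP_SEPARATORS_IN_V0 narrows the check to the v0 set only. The helper names (containsHttpSeparator, containsV0Separator, quote, toSetCookie) and the allowHttpSeparatorsInV0 parameter are this example's own, and the sample values are constructed.

```java
import java.util.BitSet;

/**
 * Added example, not Tomcat's implementation: contrasts the v0 separator
 * list quoted in the thread with the RFC 2616 section 2.2 separator set,
 * and shows the quote-and-upgrade-to-v1 step for values that contain one.
 */
public final class CookieSeparatorCheck {

    /** Separators as listed in RFC 2616 section 2.2. */
    private static final char[] HTTP_SEPARATORS = {
        '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"',
        '/', '[', ']', '?', '=', '{', '}', ' ', '\t'
    };

    /** The smaller set a Netscape (v0) cookie parser treats as separators (from the thread). */
    private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};

    private static final BitSet HTTP_SEP_SET = toSet(HTTP_SEPARATORS);
    private static final BitSet V0_SEP_SET = toSet(V0_SEPARATORS);

    private static BitSet toSet(char[] chars) {
        BitSet set = new BitSet(128);
        for (char c : chars) {
            set.set(c);
        }
        return set;
    }

    private static boolean containsAny(String value, BitSet separators) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 128 && separators.get(c)) {
                return true;
            }
        }
        return false;
    }

    /** True if any character of value is an RFC 2616 separator. */
    static boolean containsHttpSeparator(String value) {
        return containsAny(value, HTTP_SEP_SET);
    }

    /** True if any character of value would split the value for a v0 (Netscape) parser. */
    static boolean containsV0Separator(String value) {
        return containsAny(value, V0_SEP_SET);
    }

    /** RFC 2616 quoted-string: wrap in DQUOTE and escape DQUOTE and backslash as quoted-pair. */
    static String quote(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 2);
        sb.append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        sb.append('"');
        return sb.toString();
    }

    /**
     * Render a Set-Cookie header value. With allowHttpSeparatorsInV0 false (the
     * default Mark argues should stay), any RFC 2616 separator in the value forces
     * quoting and a Version=1 cookie, because a bare separator is ambiguous to a
     * spec-conformant parser. With it true, only the four v0 separators trigger
     * quoting and the other separator characters are emitted unquoted.
     */
    static String toSetCookie(String name, String value, boolean allowHttpSeparatorsInV0) {
        boolean needsQuoting = allowHttpSeparatorsInV0
                ? containsV0Separator(value)
                : containsHttpSeparator(value);
        if (!needsQuoting) {
            return name + "=" + value;
        }
        return name + "=" + quote(value) + "; Version=1";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real application.
        String[] samples = {"abc123", "a/b=c", "a b", "x\"y"};
        for (String v : samples) {
            System.out.println("default  : " + toSetCookie("JSESSIONID", v, false));
            System.out.println("allow v0 : " + toSetCookie("JSESSIONID", v, true));
        }
    }
}
```

Running the class shows the trade-off the thread is about: "a/b=c" is left as a plain v0 cookie only when the narrower v0 set is used, while under the default it is quoted and sent as Version=1, which is the behaviour Mark wants to keep as the default and expose only behind the ported Tomcat 7 setting.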