Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/30 09:41:57 UTC
svn commit: r1628366 - in /tomcat/trunk:
java/org/apache/tomcat/util/http/CookieSupport.java
java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
test/org/apache/tomcat/util/http/TestCookieParsing.java
webapps/docs/config/cookie-processor.xml
Author: markt
Date: Tue Sep 30 07:41:57 2014
New Revision: 1628366
URL: http://svn.apache.org/r1628366
Log:
Make FWD_SLASH_IS_SEPARATOR configurable per context
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java
tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
tomcat/trunk/webapps/docs/config/cookie-processor.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java Tue Sep 30 07:41:57 2014
@@ -53,7 +53,10 @@ public final class CookieSupport {
* If set to true, the <code>/</code> character will be treated as a
* separator. Default is usually false. If STRICT_SERVLET_COMPLIANCE==true
* then default is true. Explicitly setting always takes priority.
+ *
+ * @deprecated Will be removed in Tomcat 9.
*/
+ @Deprecated
public static final boolean FWD_SLASH_IS_SEPARATOR;
/**
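Review bot: The `@deprecated` tag added to `FWD_SLASH_IS_SEPARATOR` says only that the field will be removed and does not name its replacement. This commit adds that replacement as the per-context setter, so the tag could read `@deprecated Will be removed in Tomcat 9. Use {@link LegacyCookieProcessor#setForwardSlashIsSeparator(boolean)}.` The same gap applies to the tag added to `isHttpSeparator` in the next hunk, although no public replacement for that method is visible in this diff.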
@@ -174,7 +177,10 @@ public final class CookieSupport {
* spec, RFC2109.
* @throws IllegalArgumentException if a control character was supplied as
* input
+ *
+ * @deprecated Will be removed in Tomcat 9.
*/
+ @Deprecated
public static final boolean isHttpSeparator(final char c) {
if (c < 0x20 || c >= 0x7f) {
if (c != 0x09) {
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java Tue Sep 30 07:41:57 2014
@@ -44,6 +44,11 @@ public final class LegacyCookieProcessor
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.http");
+ // Excludes '/' since configuration controls whether or not to treat '/' as
+ // a separator
+ private static final char[] HTTP_SEPARATORS = new char[] {
+ '\t', ' ', '\"', '(', ')', ',', ':', ';', '<', '=', '>', '?', '@',
+ '[', '\\', ']', '{', '}' };
@SuppressWarnings("deprecation") // Default to false when deprecated code is removed
private boolean allowEqualsInValue = CookieSupport.ALLOW_EQUALS_IN_VALUE;
@@ -58,6 +63,20 @@ public final class LegacyCookieProcessor
// when deprecated code is removed
private boolean presserveCookieHeader = CookieSupport.PRESERVE_COOKIE_HEADER;
+ private boolean[] httpSeparatorFlags = new boolean[128];
+
+
+ public LegacyCookieProcessor() {
+ // Array elements will default to false
+ for (char c : HTTP_SEPARATORS) {
+ httpSeparatorFlags[c] = true;
+ }
+ @SuppressWarnings("deprecation") // Default to STRICT_SERVLET_COMPLIANCE
+ // when deprecated code is removed
+ boolean b = CookieSupport.FWD_SLASH_IS_SEPARATOR;
+ httpSeparatorFlags['/'] = b;
+ }
+
public boolean getAllowEqualsInValue() {
return allowEqualsInValue;
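Review bot: `httpSeparatorFlags` is assigned once and never replaced in the lines shown, so it should be declared `private final boolean[] httpSeparatorFlags = new boolean[128];`. Besides stating intent, `final` guarantees that the table filled in by the constructor is safely published to any thread that later parses cookies with this instance. The write in `setForwardSlashIsSeparator` (added in the next hunk) has no such guarantee, so a comment such as `// Expected to be called during context configuration, before requests are processed` would record the assumption; whether that holds depends on callers outside this diff.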
@@ -99,6 +118,16 @@ public final class LegacyCookieProcessor
}
+ public boolean getForwardSlashIsSeparator() {
+ return httpSeparatorFlags['/'];
+ }
+
+
+ public void setForwardSlashIsSeparator(boolean forwardSlashIsSeparator) {
+ httpSeparatorFlags['/'] = forwardSlashIsSeparator;
+ }
+
+
@Override
public Charset getCharset() {
return StandardCharsets.ISO_8859_1;
@@ -175,7 +204,7 @@ public final class LegacyCookieProcessor
// Skip whitespace and non-token characters (separators)
while (pos < end &&
- (CookieSupport.isHttpSeparator((char) bytes[pos]) &&
+ (httpSeparatorFlags[(char) bytes[pos]] &&
!getAllowHttpSepsInV0() ||
CookieSupport.isV0Separator((char) bytes[pos]) ||
isWhiteSpace(bytes[pos])))
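Review bot: `httpSeparatorFlags[(char) bytes[pos]]` indexes a 128-element array with a value taken straight from the cookie header, and nothing in this hunk bounds it. If `bytes` is a `byte[]`, as the cast suggests, any byte of 0x80 or above sign-extends to a char of 0xFF80 or more and raises ArrayIndexOutOfBoundsException, where `CookieSupport.isHttpSeparator` threw its documented IllegalArgumentException; control characters below 0x20 other than tab are now silently treated as non-separators instead of being rejected. The same lookup replaces the call in the hunks at -244 and -411. A private helper that keeps the range check in front of the table lookup restores the old contract; the enclosing methods start and end outside these hunks, so whether a caller catches either exception cannot be seen here.

```java
// New private helper in LegacyCookieProcessor; the three call sites become
// isHttpSeparator((char) bytes[pos]).
private boolean isHttpSeparator(final char c) {
    // Same range check as CookieSupport.isHttpSeparator: reject control
    // characters and anything outside 7-bit ASCII before indexing the table
    if (c < 0x20 || c >= 0x7f) {
        if (c != 0x09) {
            throw new IllegalArgumentException(
                    /* same message as CookieSupport.isHttpSeparator */);
        }
    }
    return httpSeparatorFlags[c];
}
```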
@@ -244,7 +273,7 @@ public final class LegacyCookieProcessor
if (version == 0 &&
!CookieSupport.isV0Separator((char)bytes[pos]) &&
getAllowHttpSepsInV0() ||
- !CookieSupport.isHttpSeparator((char)bytes[pos]) ||
+ !httpSeparatorFlags[(char)bytes[pos]] ||
bytes[pos] == '=') {
// Token
valueStart = pos;
@@ -411,7 +440,7 @@ public final class LegacyCookieProcessor
int version, boolean isName){
int pos = off;
while (pos < end &&
- (!CookieSupport.isHttpSeparator((char)bytes[pos]) ||
+ (!httpSeparatorFlags[(char)bytes[pos]] ||
version == 0 && getAllowHttpSepsInV0() && bytes[pos] != '=' &&
!CookieSupport.isV0Separator((char)bytes[pos]) ||
!isName && bytes[pos] == '=' && getAllowEqualsInValue())) {
Modified: tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java Tue Sep 30 07:41:57 2014
@@ -44,7 +44,7 @@ public class TestCookieParsing extends T
private static final String COOKIES_WITH_NAME_ONLY_CONCAT = "bob=bob=";
private static final String[] COOKIES_WITH_SEPS = new String[] {
- "name=val(ue" };
+ "name=val/ue" };
private static final String COOKIES_WITH_SEPS_TRUNC = "name=val";
private static final String[] COOKIES_WITH_QUOTES = new String[] {
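Review bot: Replacing `"name=val(ue"` with `"name=val/ue"` removes the only test input that contained a separator other than '/', so the hand-written `HTTP_SEPARATORS` table added to LegacyCookieProcessor is no longer exercised for any of its fixed entries. Keeping the old value alongside the new one, for example `private static final String[] COOKIES_WITH_FWD_SLASH = new String[] { "name=val/ue" };` with `COOKIES_WITH_SEPS` left as it was, would cover both paths. A case with a header byte outside 0x20-0x7e would also pin down how the new table lookup behaves on such input.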
@@ -131,25 +131,38 @@ public class TestCookieParsing extends T
@Test
public void testLegacyWithSeps() throws Exception {
- doTestLegacySeps(true);
+ doTestLegacySeps(true, true);
}
@Test
public void testLegacyWithoutSeps() throws Exception {
- doTestLegacySeps(false);
+ doTestLegacySeps(false, true);
}
- private void doTestLegacySeps(boolean seps) throws Exception {
+ @Test
+ public void testLegacyWithFwdSlash() throws Exception {
+ doTestLegacySeps(true, false);
+ }
+
+
+ @Test
+ public void testLegacyWithoutFwdSlash() throws Exception {
+ doTestLegacySeps(false, false);
+ }
+
+
+ private void doTestLegacySeps(boolean seps, boolean fwdSlash) throws Exception {
LegacyCookieProcessor legacyCookieProcessor = new LegacyCookieProcessor();
legacyCookieProcessor.setAllowHttpSepsInV0(seps);
+ legacyCookieProcessor.setForwardSlashIsSeparator(fwdSlash);
String expected;
- if (seps) {
- expected = concat(COOKIES_WITH_SEPS);
- } else {
+ if (!seps && fwdSlash) {
expected = COOKIES_WITH_SEPS_TRUNC;
+ } else {
+ expected = concat(COOKIES_WITH_SEPS);
}
TestCookieParsingClient client = new TestCookieParsingClient(
legacyCookieProcessor, COOKIES_WITH_SEPS, expected);
Modified: tomcat/trunk/webapps/docs/config/cookie-processor.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/cookie-processor.xml?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/cookie-processor.xml (original)
+++ tomcat/trunk/webapps/docs/config/cookie-processor.xml Tue Sep 30 07:41:57 2014
@@ -147,6 +147,17 @@
<a href="systemprops.html">system property</a>.</p>
</attribute>
+ <attribute name="forwardSlashIsSeparator" required="false">
+ <p>If this is <code>true</code> Tomcat will treat the forward slash
+ character ('<code>/</code>') as an HTTP separator when processing cookie
+ headers. If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code>
+ is set to <code>true</code>, the default of this setting will be
+ <code>true</code>, else the default value will be <code>false</code>.
+ This default may be overridden by setting the
+ <code>org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR</code>
+ system property.</p>
+ </attribute>
+
<attribute name="preserveCookieHeader" required="false">
<p>If this is <code>true</code> Tomcat will ensure that cookie
processing does not modify cookie header returned by
@@ -179,7 +190,8 @@
cookie parser. In particular:</p>
<ul>
- <li>The '<code>=</code>' is always permitted in a cookie value.</li>
+ <li>The '<code>=</code>' and '<code>/</code>' characters are always
+ permitted in a cookie value.</li>
<li>Name only cookies are always permitted.</li>
<li>The cookie header is always preserved.</li>
</ul>
Re: svn commit: r1628366 - in /tomcat/trunk: java/org/apache/tomcat/util/http/CookieSupport.java
java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
test/org/apache/tomcat/util/http/TestCookieParsing.java webapps/docs/config/cookie-processor.xml
Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-09-30 11:41 GMT+04:00 <ma...@apache.org>:
> Author: markt
> Date: Tue Sep 30 07:41:57 2014
> New Revision: 1628366
>
> URL: http://svn.apache.org/r1628366
> Log:
> Make FWD_SLASH_IS_SEPARATOR configurable per context
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java
> tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
> tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
> tomcat/trunk/webapps/docs/config/cookie-processor.xml
> Modified: tomcat/trunk/webapps/docs/config/cookie-processor.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/cookie-processor.xml?rev=1628366&r1=1628365&r2=1628366&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/cookie-processor.xml (original)
> +++ tomcat/trunk/webapps/docs/config/cookie-processor.xml Tue Sep 30 07:41:57 2014
> @@ -147,6 +147,17 @@
> <a href="systemprops.html">system property</a>.</p>
> </attribute>
>
> + <attribute name="forwardSlashIsSeparator" required="false">
> + <p>If this is <code>true</code> Tomcat will treat the forward slash
> + character ('<code>/</code>') as an HTTP separator when processing cookie
> + headers. If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code>
> + is set to <code>true</code>, the default of this setting will be
> + <code>true</code>, else the default value will be <code>false</code>.
> + This default may be overridden by setting the
> + <code>org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR</code>
> + system property.</p>
> + </attribute>
Maybe there is a way to rephrase the above description.
I think that for a casual reader "will treat the forward slash .. as
an HTTP separator" does not say much that is useful. I mean, what does
"treats as HTTP separator" mean here?
There is another attribute, "allowHttpSepsInV0" that says more on this
issue. Maybe at least add a reference to that attribute.
Best regards,
Konstantin Kolinko
> +
> <attribute name="preserveCookieHeader" required="false">
> <p>If this is <code>true</code> Tomcat will ensure that cookie
> processing does not modify cookie header returned by
> @@ -179,7 +190,8 @@
> cookie parser. In particular:</p>
>
> <ul>
> - <li>The '<code>=</code>' is always permitted in a cookie value.</li>
> + <li>The '<code>=</code>' and '<code>/</code>' characters are always
> + permitted in a cookie value.</li>
> <li>Name only cookies are always permitted.</li>
> <li>The cookie header is always preserved.</li>
> </ul>
>