Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/03/05 11:41:47 UTC

svn commit: r919364 - in /tomcat/tc5.5.x/trunk: STATUS.txt connectors/util/java/org/apache/tomcat/util/http/Cookies.java container/webapps/docs/changelog.xml container/webapps/docs/config/systemprops.xml

Author: markt
Date: Fri Mar  5 10:41:46 2010
New Revision: 919364

URL: http://svn.apache.org/viewvc?rev=919364&view=rev
Log:
Provide new option to allow = in cookie values

Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/http/Cookies.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
    tomcat/tc5.5.x/trunk/container/webapps/docs/config/systemprops.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=919364&r1=919363&r2=919364&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Mar  5 10:41:46 2010
@@ -67,13 +67,6 @@
      kkolinko - Just a note: This issue won't affect configurations where Jasper
      runs with development=false.
 
-* Provide new option to allow = in cookie values
-  http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch
-  +1: markt, kkolinko, rjung
-  -1: 
-  rjung: it might be more reader friendly to explicitely add parentheses when
-  having || and && mixed in the same logical expression (see the "while" loop).
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47997
   Process changes for all naming contexts, not just the global one
   http://svn.apache.org/viewvc?rev=883134&view=rev

Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/http/Cookies.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/http/Cookies.java?rev=919364&r1=919363&r2=919364&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/http/Cookies.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/http/Cookies.java Fri Mar  5 10:41:46 2010
@@ -46,6 +46,12 @@
 
     MimeHeaders headers;
 
+    /**
+     * If true, cookie values are allowed to contain an equals character without
+     * being quoted.
+     */
+    public static final boolean ALLOW_EQUALS_IN_VALUE;
+    
     /*
     List of Separator Characters (see isSeparator())
     Excluding the '/' char violates the RFC, but 
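Review bot: The Javadoc on `ALLOW_EQUALS_IN_VALUE` does not name the system property that controls it or say when it is read. The next hunk assigns it once in the static initializer from `org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE` with a default of `false`, so changing the property after the class has loaded has no effect. I would add a sentence such as `Set once at class initialisation from the system property org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE; defaults to false.` It is also worth stating there that the key uses the `ServerCookie` prefix although the constant is declared in Cookies.java, since that is easy to get wrong when configuring.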
@@ -65,6 +71,10 @@
         for (int i = 0; i < SEPARATORS.length; i++) {
             separators[SEPARATORS[i]] = true;
         }
+        
+        ALLOW_EQUALS_IN_VALUE = Boolean.valueOf(System.getProperty(
+                "org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE",
+                "false")).booleanValue();
     }
     
     /**
@@ -364,7 +374,7 @@
 
             // Get the cookie name. This must be a token            
             valueEnd = valueStart = nameStart = pos; 
-            pos = nameEnd = getTokenEndPosition(bytes,pos,end);
+            pos = nameEnd = getTokenEndPosition(bytes,pos,end,true);
 
             // Skip whitespace
             while (pos < end && isWhiteSpace(bytes[pos])) {pos++; }; 
@@ -411,12 +421,14 @@
                     // The position is OK (On a delimiter)
                     break;
                 default:;
-                    if (!isSeparator(bytes[pos])) {
+                    if (!isSeparator(bytes[pos]) ||
+                            bytes[pos] == '=' && ALLOW_EQUALS_IN_VALUE) {
                         // Token
                         valueStart=pos;
                         // getToken returns the position at the delimeter
                         // or other non-token character
-                        valueEnd=getTokenEndPosition(bytes, valueStart, end);
+                        valueEnd = getTokenEndPosition(bytes, valueStart, end,
+                                false);
                         // We need pos to advance
                         pos = valueEnd;
                     } else  {
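Review bot: The retained comments `// Token` and `// getToken returns the position at the delimeter or other non-token character` no longer describe the code once `ALLOW_EQUALS_IN_VALUE` is set, because the unquoted value may then start with or contain `=`, which is a separator. I would change the first to `// Token, or with ALLOW_EQUALS_IN_VALUE a token that may also contain '='`. Since the flag relaxes parsing away from the specification-compliant default, the comment should also say that the value Tomcat hands to the application can then differ from what a spec-following proxy or filter in front of it extracts from the same header; that is inferred from the documented default rather than shown in this hunk. The enclosing switch and loop start and end outside the hunk.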
@@ -548,13 +560,26 @@
     }
 
     /**
+     * @deprecated - Use private method
+     * {@link #getTokenEndPosition(byte[], int, int, boolean)} instead
+     */
+    public static final int getTokenEndPosition(byte bytes[], int off, int end){
+        return getTokenEndPosition(bytes, off, end, true);
+    }
+    
+    /**
      * Given the starting position of a token, this gets the end of the
      * token, with no separator characters in between.
      * JVK
      */
-    public static final int getTokenEndPosition(byte bytes[], int off, int end){
+    private static final int getTokenEndPosition(byte bytes[], int off, int end,
+            boolean isName) {
         int pos = off;
-        while (pos < end && !isSeparator(bytes[pos])) {pos++; };
+        while (pos < end && 
+                (!isSeparator(bytes[pos]) ||
+                 bytes[pos]=='=' && ALLOW_EQUALS_IN_VALUE && !isName)) {
+            pos++;
+        }
         
         if (pos > end)
             return end;
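Review bot: The `@deprecated` text on the public three-argument `getTokenEndPosition` sends callers to a private overload they cannot call, and the `{@link}` to a private member will probably not resolve in the generated public Javadoc. It would be more useful to state what the retained method does, e.g. `@deprecated Retained for compatibility; always scans as a cookie name, so '=' ends the token regardless of ALLOW_EQUALS_IN_VALUE.` The Javadoc of the new private overload also lacks a description of its added parameter; `@param isName true when scanning a cookie name, in which case '=' always terminates the token` would cover it. The private method's body continues past the end of the hunk.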

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=919364&r1=919363&r2=919364&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Mar  5 10:41:46 2010
@@ -147,6 +147,10 @@
         <bug>48322</bug>: Single quote characters are not HTTP separators and
         should not be treated as such in the cookie handling. (markt)
       </fix>
+      <add>
+        Provide an option to allow the use of equals characters in cookie
+        values. (markt)
+      </add>
       <fix>
         <bug>48516</bug>: Prevent NPE in JNDIRealm if requested user does not
         exist. Patch provided by Kevin Conaway. (markt)

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/systemprops.xml?rev=919364&r1=919363&r2=919364&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/systemprops.xml Fri Mar  5 10:41:46 2010
@@ -119,6 +119,16 @@
     </property>
 
     <property
+    name="org.apache.tomcat.util.http. ServerCookie.ALLOW_EQUALS_IN_VALUE">
+      <p>If this is <code>true</code> Tomcat will allow <code>=</code>
+      characters when parsing unquoted cookie values. If <code>false</code>,
+      cookie values containing <code>=</code> will be terminated when the
+      <code>=</code> is encountered and the remainder of the cookie value will
+      be dropped. If not specified, the default specification compliant value of
+      <code>false</code> will be used.</p>
+    </property>
+    
+    <property
     name="org.apache.tomcat.util.http. ServerCookie.ALWAYS_ADD_EXPIRES">
       <p>If this is <code>true</code> Tomcat will always add an expires
       parameter to a SetCookie header even for cookies with version greater than


