Posted to httpclient-users@hc.apache.org by Svetlin Zarev <sv...@gmail.com> on 2019/01/30 12:31:44 UTC
HttpClient does not validate cookie's Path parameter
Hi,
HttpClient version 4.5.6/7 does not validate the cookie’s path attribute. Is
this intentional?
With version 4.1.3 I have the following behavior:
1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. Http client rejects the cookie with a warning:
Cookie rejected: "[version: 0][name: actual_path][value:
/actual-path][domain: localhost][path: /cookie-path][expiry: null]".
Illegal path attribute "/cookie-path". Path of origin: "/actual-path"
With version 4.5.6, the behaviour is different:
1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. The cookie store now contains the cookie sent by the server.
I’ve managed to trace the root cause to
org.apache.http.impl.cookie.BasicPathHandler#validate
In version 4.1.3 it was validating the cookie path by calling
org.apache.http.impl.cookie.BasicPathHandler#match and if it returns false,
then validate() fails with an exception.
In version 4.5.6, validate() does not do anything.
Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
Just git clone & run mvn clean test
Thanks and best regards,
Svetlin
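One way to get back the rejection described in the post above, as an added example (not code from the thread or from HttpClient itself): a BasicPathHandler subclass whose validate() calls match() again. The class name StrictPathHandler, the port and the extra sample paths are assumptions; it needs HttpClient 4.5.x on the classpath.

```java
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieRestrictionViolationException;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.cookie.BasicClientCookie;
import org.apache.http.impl.cookie.BasicPathHandler;

// Hypothetical class name, not part of HttpClient.
public class StrictPathHandler extends BasicPathHandler {

    // Reject a cookie whose Path attribute does not path-match the request
    // path, reusing the match() check the handler applies when sending cookies.
    @Override
    public void validate(final Cookie cookie, final CookieOrigin origin)
            throws MalformedCookieException {
        super.validate(cookie, origin);
        if (!match(cookie, origin)) {
            throw new CookieRestrictionViolationException(
                    "Illegal path attribute \"" + cookie.getPath()
                    + "\". Path of origin: \"" + origin.getPath() + "\"");
        }
    }

    // True when the given handler lets a cookie with this Path through validate().
    static boolean accepts(final BasicPathHandler handler, final String cookiePath,
                           final CookieOrigin origin) {
        // Constructed sample cookie, modelled on the log line in the post.
        final BasicClientCookie cookie = new BasicClientCookie("actual_path", "/actual-path");
        cookie.setDomain("localhost");
        cookie.setPath(cookiePath);
        try {
            handler.validate(cookie, origin);
            return true;
        } catch (MalformedCookieException e) {
            return false;
        }
    }

    public static void main(final String[] args) {
        // Constructed origin: the port is an assumption, the path is from the post.
        final CookieOrigin origin = new CookieOrigin("localhost", 8080, "/actual-path", false);
        final String[] cookiePaths = {"/cookie-path", "/actual-path", "/actual", "/"};
        for (final String path : cookiePaths) {
            System.out.printf("Path=%-13s stock handler accepts: %-5b strict handler accepts: %b%n",
                    path, accepts(new BasicPathHandler(), path, origin),
                    accepts(new StrictPathHandler(), path, origin));
        }
    }
}
```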
Re: HttpClient does not validate cookie's Path parameter
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2019-01-30 at 14:31 +0200, Svetlin Zarev wrote:
> Hi,
>
> HttpClient version 4.5.6/7 does not validate the cookie’s path
> attribute. Is
> this intentional?
>
It depends on the _specific_ policy used by HttpClient and _specific_
version of the cookie being processed.
Oleg
>
> With version 4.1.3 I have the following behavior:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
> “Path=/cookie-path”
> 3. Http client rejects the cookie with a warning:
>
> Cookie rejected: "[version: 0][name: actual_path][value:
> /actual-path][domain: localhost][path: /cookie-path][expiry: null]".
> Illegal path attribute "/cookie-path". Path of origin: "/actual-path"
>
>
> With version 4.5.6, the behaviour is different:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
> “Path=/cookie-path”
> 3. The cookie store now contains the cookie sent by the server.
>
> I’ve managed to trace the root cause to
> org.apache.http.impl.cookie.BasicPathHandler#validate
>
> In version 4.1.3 it was validating the cookie path by calling
> org.apache.http.impl.cookie.BasicPathHandler#match and if it returns
> false,
> then validate() fails with an exception.
>
> In version 4.5.6, validate() does not do anything.
>
> Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
> Just git clone & run mvn clean test
>
> Thanks and best regards,
> Svetlin