Posted to httpclient-users@hc.apache.org by Svetlin Zarev <sv...@gmail.com> on 2019/01/30 12:31:44 UTC

HttpClient does not validate cookie's Path parameter

Hi,

HttpClient version 4.5.6/7 does not validate the cookie’s path attribute. Is
this intentional?


With version 4.1.3 I have the following behavior:
1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. Http client rejects the cookie with a warning:

Cookie rejected: "[version: 0][name: actual_path][value:
/actual-path][domain: localhost][path: /cookie-path][expiry: null]".
Illegal path attribute "/cookie-path". Path of origin: "/actual-path"


With version 4.5.6, the behaviour is different:
1. Http client makes a request with URI “…/actual-path”
2. Server sends a Set-Cookie header with path attribute “Path=/cookie-path”
3. The cookie store now contains the cookie sent by the server.

I’ve managed to trace the root cause to
org.apache.http.impl.cookie.BasicPathHandler#validate

In version 4.1.3 it was validating the cookie path by calling
org.apache.http.impl.cookie.BasicPathHandler#match and if it returns false,
then validate() fails with an exception.

In version 4.5.6, validate() does not do anything.

Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
Just git clone & run mvn clean test

Thanks and best regards,
Svetlin
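
One way to get the storage-time path check described in the message above back on HttpClient 4.5.x, as an added example that is not part of the original post or of HttpClient itself. The class name `StrictPathCookieSpec`, the policy name `strict-path` and the helper `newClient()` are hypothetical; the example assumes the client otherwise uses the default cookie policy.

```java
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieRestrictionViolationException;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.CookieSpecProvider;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.cookie.BasicPathHandler;
import org.apache.http.impl.cookie.DefaultCookieSpec;
import org.apache.http.protocol.HttpContext;

// Hypothetical class: the default cookie policy plus a path check at validation time.
public class StrictPathCookieSpec extends DefaultCookieSpec {

    public static final String NAME = "strict-path"; // hypothetical policy name
    private final BasicPathHandler pathHandler = new BasicPathHandler();

    @Override
    public void validate(Cookie cookie, CookieOrigin origin) throws MalformedCookieException {
        super.validate(cookie, origin);
        // Reject the cookie before it is stored if its Path does not cover the request path.
        if (!pathHandler.match(cookie, origin)) {
            throw new CookieRestrictionViolationException(
                    "Illegal path attribute \"" + cookie.getPath()
                    + "\". Path of origin: \"" + origin.getPath() + "\"");
        }
    }

    // Builds a client whose requests use the stricter policy by default.
    public static CloseableHttpClient newClient() {
        Registry<CookieSpecProvider> specs = RegistryBuilder.<CookieSpecProvider>create()
                .register(NAME, new CookieSpecProvider() {
                    @Override
                    public CookieSpec create(HttpContext context) {
                        return new StrictPathCookieSpec();
                    }
                })
                .build();
        return HttpClients.custom()
                .setDefaultCookieSpecRegistry(specs)
                .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(NAME).build())
                .build();
    }
}
```

A rejected cookie never reaches the cookie store; the client logs it as "Cookie rejected" in the same way as the 4.1.3 warning quoted above.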

Re: HttpClient does not validate cookie's Path parameter

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2019-01-30 at 14:31 +0200, Svetlin Zarev wrote:
> Hi,
> 
> HttpClient version 4.5.6/7 does not validate the cookie’s path
> attribute. Is this intentional?
> 

It depends on the _specific_ policy used by HttpClient and _specific_
version of the cookie being processed.

Oleg


> 
> With version 4.1.3 I have the following behavior:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
> “Path=/cookie-path”
> 3. Http client rejects the cookie with a warning:
> 
> Cookie rejected: "[version: 0][name: actual_path][value:
> /actual-path][domain: localhost][path: /cookie-path][expiry: null]".
> Illegal path attribute "/cookie-path". Path of origin: "/actual-path"
> 
> 
> With version 4.5.6, the behaviour is different:
> 1. Http client makes a request with URI “…/actual-path”
> 2. Server sends a Set-Cookie header with path attribute
> “Path=/cookie-path”
> 3. The cookie store now contains the cookie sent by the server.
> 
> I’ve managed to trace the root cause to
> org.apache.http.impl.cookie.BasicPathHandler#validate
> 
> In version 4.1.3 it was validating the cookie path by calling
> org.apache.http.impl.cookie.BasicPathHandler#match and if it returns
> false,
> then validate() fails with an exception.
> 
> In version 4.5.6, validate() does not do anything.
> 
> Here is an MCVE: https://github.com/SvetlinZarev/org.example.mcve
> Just git clone & run mvn clean test
> 
> Thanks and best regards,
> Svetlin

