Author: kkolinko
Date: Sun Oct 25 16:02:03 2015
New Revision: 1710457

URL: http://svn.apache.org/viewvc?rev=1710457&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57896
Backport org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER option
This is a backport of r1675821 and r1678180 from Tomcat 7.

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1710457&r1=1710456&r2=1710457&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Oct 25 16:02:03 2015 
@@ -28,22 +28,6 @@ None PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] -* Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57896 - Backport org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER option - - Like in Tomcat 7, the fix is to be applied to the call to - Cookies.processCookieHeader(byte[], int, int) - - In Tomcat 6 there is also a call to Cookies.processCookieHeader(String) when - header value is already a String, but that call does not need this fix, as - String is immutable, and that method does not perform decoding of embedded '\"'. - It only strips surrounding '"'s in a value. - - http://svn.apache.org/r1675821 (fix) - http://svn.apache.org/r1678180 (documentation) - +1: kkolinko, markt, remm - -1: - * Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57943 Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?rev=1710457&r1=1710456&r2=1710457&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java Sun Oct 25 16:02:03 2015 @@ -52,6 +52,12 @@ public final class Cookies { // extends */ public static final boolean ALLOW_EQUALS_IN_VALUE; + /** + * If set to true, the cookie header will be preserved. In most cases + * except debugging, this is not useful. + */ + public static final boolean PRESERVE_COOKIE_HEADER; + /* List of Separator Characters (see isSeparator()) Excluding the '/' char violates the RFC, but 
@@ -75,6 +81,15 @@ public final class Cookies { // extends ALLOW_EQUALS_IN_VALUE = Boolean.valueOf(System.getProperty( "org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE", "false")).booleanValue(); + + String preserveCookieHeader = System.getProperty( + "org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER"); + if (preserveCookieHeader == null) { + PRESERVE_COOKIE_HEADER = ServerCookie.STRICT_SERVLET_COMPLIANCE; + } else { + PRESERVE_COOKIE_HEADER = + Boolean.valueOf(preserveCookieHeader).booleanValue(); + } } /** @@ -201,10 +216,18 @@ public final class Cookies { // extends // Uncomment to test the new parsing code if( cookieValue.getType() == MessageBytes.T_BYTES ) { if( dbg>0 ) log( "Parsing b[]: " + cookieValue.toString()); - ByteChunk bc=cookieValue.getByteChunk(); - processCookieHeader( bc.getBytes(), - bc.getOffset(), - bc.getLength()); + ByteChunk bc = cookieValue.getByteChunk(); + if (PRESERVE_COOKIE_HEADER) { + int len = bc.getLength(); + if (len > 0) { + byte[] buf = new byte[len]; + System.arraycopy(bc.getBytes(), bc.getOffset(), buf, 0, len); + processCookieHeader(buf, 0, len); + } + } else { + processCookieHeader(bc.getBytes(), bc.getOffset(), + bc.getLength()); + } } else { if( dbg>0 ) log( "Parsing S: " + cookieValue.toString()); processCookieHeader( cookieValue.toString() ); Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1710457&r1=1710456&r2=1710457&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Oct 25 16:02:03 2015 
@@ -51,6 +51,14 @@ including the fix for <bug>57021</bug> that improves logging when the Tomcat-Native DLL fails to load. (markt) </fix> + <fix> + <bug>57896</bug>: Support defensive copying of "cookie" header so that + unescaping double quotes in a cookie value does not corrupt original + value of "cookie" header. This is an opt-in feature, enabled by + <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> + or <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> + system property. (kkolinko) + </fix> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=1710457&r1=1710456&r2=1710457&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Sun Oct 25 16:02:03 2015 @@ -298,6 +298,7 @@ <p>If this is <code>true</code> the default value will be changed for: <ul> <li><code>org.apache.catalina.connector.Request. ALLOW_EMPTY_QUERY_STRING</code> property</li> + <li><code>org.apache.tomcat.util.http.ServerCookie. PRESERVE_COOKIE_HEADER</code> property</li> <li>The <code>webXmlValidation</code> attribute of any <a href="context.html">Context</a> element.</li> <li>The <code>webXmlNamespaceAware</code> attribute of any 
@@ -349,6 +350,16 @@ <p>If not specified, the default value of <code>true</code> will be used.</p> </property> + <property + name="org.apache.tomcat.util.http. ServerCookie.PRESERVE_COOKIE_HEADER"> + <p>If this is <code>true</code> Tomcat will ensure that cookie + processing does not modify cookie header returned by + <code>HttpServletRequest.getHeader()</code>.</p> + <p>If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is set to + <code>true</code>, the default of this setting will be <code>true</code>, + else the default value will be <code>false</code>.</p> + </property> + </properties> </section>
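
Review bot: The Javadoc added for PRESERVE_COOKIE_HEADER in Cookies.java (hunk at -52,6 +52,12) says the header "will be preserved" without saying from what, and its "In most cases except debugging, this is not useful" sits oddly next to a default that is switched on by STRICT_SERVLET_COMPLIANCE. Suggest wording it the way the changelog entry does: when true, cookie parsing works on a copy of the "cookie" header, so unescaping double quotes in a cookie value does not alter the value later returned by HttpServletRequest.getHeader(). It would also help to name the system property and its default in the Javadoc, as the neighbouring constants' documentation is the first place a reader of this class will look.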
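
Review bot: In the static initializer of Cookies.java (hunk at -75,6 +81,15), only a missing property falls back to ServerCookie.STRICT_SERVLET_COMPLIANCE; any value that is set but is not "true" (an empty string, a typo such as "ture", "yes") goes through Boolean.valueOf(preserveCookieHeader) and becomes false, silently overriding the strict-compliance default. This matches how ALLOW_EQUALS_IN_VALUE is parsed just above, so it may be acceptable as is, but then systemprops.xml should say that an explicit value always wins over STRICT_SERVLET_COMPLIANCE. Otherwise, treat anything other than "true" or "false" as unset and use the fallback.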
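
Review bot: In the T_BYTES branch of Cookies.java (hunk at -201,10 +216,18), the two paths now behave differently for an empty header value: with PRESERVE_COOKIE_HEADER set, "if (len > 0)" skips processCookieHeader altogether, while the else path still calls processCookieHeader(bc.getBytes(), bc.getOffset(), bc.getLength()) with a length of 0. If the skip is intentional, a one-line comment saying so would prevent a later "cleanup" from reintroducing a difference. The same hunk leaves the String path, processCookieHeader( cookieValue.toString() ), uncopied with no explanation in the code; the reasoning (String is immutable and that method only strips surrounding quotes) exists only in the STATUS.txt entry that this commit deletes, so please carry it over as a comment next to that call.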
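
Review bot: The new property entry in systemprops.xml (hunk at -349,6 +350,16) states the effect but gives an administrator nothing to decide with: it does not say why the header would otherwise change, nor what enabling the option costs. Suggest adding one sentence that cookie processing unescapes double quotes inside cookie values in place, and one that enabling the option copies the header bytes (new byte[len] plus System.arraycopy in Cookies.java) for each "cookie" header processed. Minor wording: "does not modify cookie header returned by" reads better as "does not modify the cookie header returned by".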