Author: markt
Date: Thu Oct 6 08:44:44 2016
New Revision: 1763518

URL: http://svn.apache.org/viewvc?rev=1763518&view=rev
Log:
When using RFC6265 compliant cookies, the / character should not be allowed in a cookie name since RFC6265 will drop such cookies as invalid.
Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=1763518&r1=1763517&r2=1763518&view=diff ============================================================================== --- tomcat/trunk/java/javax/servlet/http/Cookie.java (original) +++ tomcat/trunk/java/javax/servlet/http/Cookie.java Thu Oct 6 08:44:44 2016 @@ -424,7 +424,11 @@ class RFC6265Validator extends CookieNam RFC6265Validator() { super(RFC2616_SEPARATORS); + } +} +class RFC2109Validator extends RFC6265Validator { + RFC2109Validator() { // special treatment to allow for FWD_SLASH_IS_SEPARATOR property boolean allowSlash; String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR"); @@ -437,11 +441,6 @@ class RFC6265Validator extends CookieNam allowed.set('/'); } } -} - -class RFC2109Validator extends RFC6265Validator { - RFC2109Validator() { - } @Override void validate(String name) { Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1763518&r1=1763517&r2=1763518&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 6 08:44:44 2016 
@@ -125,6 +125,11 @@ <bug>60199</bug>: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt) </fix> + <fix> + <bug>60298</bug>: When using RFC6265 compliant cookies, the + <code>/</code> character should not be allowed in a cookie name since + the RFC6265 will drop such cookies as invalid. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
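Review bot: The two Cookie.java hunks silently narrow the scope of the `org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR` system property, and nothing in the patch records that. Before the change the property lookup and the conditional `allowed.set('/')` lived in the `RFC6265Validator()` constructor, so the property governed both validators; after the move they live only in `RFC2109Validator()`, so a deployment that sets the property to keep `/` in cookie names will keep working with the legacy validator but not with RFC6265 validation, which now rejects `/` unconditionally. That is the intended fix, but it should be stated where operators will see it: the documentation for that system property should say it now applies only to RFC2109 cookie name validation, and the moved block deserves a short comment in `RFC2109Validator()` explaining why the property is honoured there and not in the parent. The patch also adds no test; a unit test that constructs a Cookie whose name contains `/` with the property set, once against `RFC6265Validator` and once against `RFC2109Validator`, would pin down the new split in behaviour and catch a future refactor that moves the block back.

Review bot: The changelog entry should mention the property scope change and fix its wording. "since the RFC6265 will drop such cookies as invalid" reads oddly with the article; "since an RFC6265 compliant user agent will drop such cookies as invalid" says what actually happens. The entry would also be more useful to someone upgrading if it noted that `FWD_SLASH_IS_SEPARATOR` now only affects the RFC2109 (legacy) validator, since that is the user-visible consequence of the Cookie.java change in this commit.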