Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
Filip Hanik - Dev Lists wrote:
Mark Thomas wrote:
jean-frederic clere wrote:
and we are re-escaping already escaped strings.
The spec isn't 100% clear on who is responsible for escaping the values if required.
<spec-quote section=SRV.16.1.1.1>
... The value can be anything the server chooses to send. ...
</spec-quote>
<spec-quote section=SRV.16.1.1.2>
...
setValue(String)
what j-f-c is saying here, is that if there is a value of
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
when it is being parsed, it double escapes it
Path="\\"/foo/bar\\""
I get that ;)
What I was trying (not very well) to say was I don't think the spec is clear whether we should escape everything, regardless of if it looks like it is already escaped. I am in favour of the current behaviour because:
a) the spec isn't clear but I think it is leaning in the escape everything direction
b) I don't like the complexity of adding an "is this value already escaped" function. I think we would be setting ourselves up for another round of cookie handling bugs.
the spec says
A string of text is parsed as a single word if it is quoted using
double-quote marks.
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
The backslash character ("\") MAY be used as a single-character
quoting mechanism only within quoted-string and comment constructs.
quoted-pair = "\" CHAR
now I have to digest that :) and will comment some more.
Isn't that the http spec rather than the servlet spec?
absolutely. there is no syntax definition for HTTP header (and cookies
being such) in the servlet spec
to be more specific, it might still be broken.
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
results in
Set-Cookie: C1=C1; Version=1; Domain=d1; Path="\\"/foo/bar\\""
this is invalid syntax, cause \ only escapes one character, and " is not
allowed within "...." value
with 6.0.15
Cookie: $Version=1; C1=C1;$Path="\"/foo/bar\"";$Domain=d1;
results in
Set-Cookie: C1=C1; Domain=d1; Path=\"/foo/bar\"
This is also invalid, since we parsed it wrong. the actual value for
path is "/foo/bar" with the quotes,
btw, all my test JSP is doing is response.addCookie for each cookie
found in request.getCookies, without modifying them
Filip
Filip
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
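As an added example (not Tomcat's code and not posted by anyone in this thread), the Java program below decodes and re-encodes a value using the quoted-string / quoted-pair grammar quoted above, then checks the header forms reported in the thread against that grammar. The class and method names are hypothetical, and control-character checks on TEXT are left out as a stated simplification.

```java
import java.util.Optional;

public class QuotedStringDemo {
    // Decode a quoted-string: strip the outer quotes and undo each quoted-pair.
    // Returns empty when the input is not a well-formed quoted-string.
    // Simplification: control characters, which TEXT excludes, are not rejected.
    static Optional<String> unquote(String s) {
        if (s.length() < 2 || s.charAt(0) != '"') return Optional.empty();
        StringBuilder out = new StringBuilder();
        int i = 1;
        for (; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"') break;                       // unescaped quote ends the string
            if (c == '\\' && ++i >= s.length()) return Optional.empty(); // dangling backslash
            out.append(s.charAt(i));                   // literal char, or the escaped one
        }
        // The closing quote must be the final character; anything after it is an error.
        return i == s.length() - 1 ? Optional.of(out.toString()) : Optional.empty();
    }

    // Encode a value as a quoted-string: backslash-escape '"' and '\' exactly once.
    static String quote(String value) {
        StringBuilder out = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\');
            out.append(c);
        }
        return out.append('"').toString();
    }

    public static void main(String[] args) {
        // $Path as received in the Cookie header from the thread: "\"/foo/bar\""
        String received = "\"\\\"/foo/bar\\\"\"";
        String value = unquote(received).get();
        System.out.println("decoded value : " + value);
        System.out.println("re-encoded    : " + quote(value));
        System.out.println("round-trips   : " + quote(value).equals(received));

        // The two Set-Cookie Path forms reported in the thread, checked against the grammar.
        String escapedTwice = "\"\\\\\"/foo/bar\\\\\"\""; // "\\"/foo/bar\\""
        String unquotedForm = "\\\"/foo/bar\\\"";          // \"/foo/bar\"
        System.out.println("escapedTwice well-formed: " + unquote(escapedTwice).isPresent());
        System.out.println("unquotedForm well-formed: " + unquote(unquotedForm).isPresent());
    }
}
```

Decoding once on input and encoding once on output keeps the stored value free of wire-level escapes, so no "is this already escaped" check is needed.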