On 06/22/2011 03:56 PM, ma...@apache.org wrote:
Author: markt
Date: Wed Jun 22 13:56:05 2011
New Revision: 1138468
URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
Log:
Vote
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
@@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
Based on https://issues.jboss.org/browse/JBWEB-196
http://people.apache.org/~jfclere/patches/patch.110622.txt
+1: jfclere
+ -1: markt Separators are defined by the HTTP specification and as per section
+ 2.2 of RFC 2616 must be quoted to be used within a parameter value.
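Review bot: The -1 rationale on the two added lines cites section 2.2 of RFC 2616 but does not say which separator characters in the proposed patch it objects to, or what change would lift the veto. Consider naming the characters at issue and the condition for withdrawing the -1, so that later voters can evaluate the entry from STATUS.txt alone. The log message "Vote" could also name the proposal being voted on.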
If you look in org/apache/tomcat/util/http/CookieSupport.java
you will see:
private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
The switch is to be backward compatible with pre CVE-2007-5333 applications.
Cheers
Jean-Frederic
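
Added example, not part of the original message and not Tomcat's code: it compares the separator set of RFC 2616 section 2.2, cited in the -1 vote, with the four characters of V0_SEPARATORS quoted in the reply, and reports which values would need quoting under each. The class name, method names and sample values are constructed for illustration; the logic in CookieSupport.java is not reproduced here.

```java
public class CookieSeparatorCheck {
    // Separator set of RFC 2616 section 2.2, which the -1 vote cites.
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    // The four characters of V0_SEPARATORS as quoted in the reply.
    static final String V0_SEPARATORS = ",; \t";

    enum Outcome { BARE_UNDER_BOTH, QUOTED_UNDER_HTTP_ONLY, QUOTED_UNDER_BOTH }

    /** Returns the distinct characters of value that belong to separators. */
    static String separatorsIn(String value, String separators) {
        StringBuilder found = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (separators.indexOf(c) >= 0 && found.indexOf(String.valueOf(c)) < 0) {
                found.append(c);
            }
        }
        return found.toString();
    }

    /** Classifies a value by which of the two sets would force it to be quoted. */
    static Outcome classify(String value) {
        if (!separatorsIn(value, V0_SEPARATORS).isEmpty()) {
            // Every V0 separator is also an HTTP separator.
            return Outcome.QUOTED_UNDER_BOTH;
        }
        if (!separatorsIn(value, HTTP_SEPARATORS).isEmpty()) {
            return Outcome.QUOTED_UNDER_HTTP_ONLY;
        }
        return Outcome.BARE_UNDER_BOTH;
    }

    public static void main(String[] args) {
        // Constructed sample cookie values, not taken from the thread.
        String[] samples = {"abc123", "a=b", "user@example.org", "/app/path", "x;y", "two words"};
        for (String v : samples) {
            System.out.printf("%-18s %-24s http-separators=[%s]%n",
                    v, classify(v), separatorsIn(v, HTTP_SEPARATORS));
        }
    }
}
```

Values classified as QUOTED_UNDER_HTTP_ONLY (such as "a=b" or "user@example.org") are the ones the two positions in this thread treat differently.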