On 22/06/2011 17:43, jean-frederic clere wrote:
> On 06/22/2011 03:56 PM, ma...@apache.org wrote:
>> Author: markt
>> Date: Wed Jun 22 13:56:05 2011
>> New Revision: 1138468
>>
>> URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
>> Log:
>> Vote
>>
>> Modified:
>>     tomcat/tc6.0.x/trunk/STATUS.txt
>>
>> Modified: tomcat/tc6.0.x/trunk/STATUS.txt
>> URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff
>> ==============================================================================
>> --- tomcat/tc6.0.x/trunk/STATUS.txt (original)
>> +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
>> @@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
>>    Based on https://issues.jboss.org/browse/JBWEB-196
>>    http://people.apache.org/~jfclere/patches/patch.110622.txt
>>    +1: jfclere
>> +  -1: markt Separators are defined by the HTTP specification and as per section
>> +      2.2 of RFC 2616 must be quoted to be used within a parameter value.
>
> If you look in org/apache/tomcat/util/http/CookieSupport.java
> you will see:
> private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
>
> The switch is to be backward compatible with pre CVE-2007-5333
> applications.
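Review bot: the -1 entry added at line 160 of STATUS.txt states the RFC 2616 section 2.2 rationale (separators must be quoted inside a parameter value) but does not say what the proposed backport actually changes, so a later reader of STATUS.txt cannot tell whether the objection is to the default behaviour being altered or to unquoted separators as such. Suggest extending the vote entry next to the patch link with what the patch does to the current default and which Tomcat 7 setting (ALLOW_HTTP_SEPARATORS_IN_V0 is named in the reply below) it corresponds to, so the vote record stands on its own.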
If I am reading the proposed patch correctly (I may have lost track of an '!' along the way), it changes the current behaviour to prevent switching to v1 by default. If the purpose is to allow http separators in v0 cookies then why not just back-port the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7?

To be clear, I think:
- the default should remain as it is
- if a new option is introduced, it should be a port from Tomcat 7, not an entirely new option

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
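The decision the two posters are arguing about, as an added example that is not Tomcat's code and not either poster's patch: a v0 cookie whose value contains a separator is quoted and upgraded to Version 1, and a switch in the spirit of Tomcat 7's ALLOW_HTTP_SEPARATORS_IN_V0 narrows the set of characters that force that upgrade from the full RFC 2616 section 2.2 separator list down to the four V0_SEPARATORS quoted from CookieSupport.java. The class and method names, the exact semantics of the switch, and the output format are assumptions for illustration; only the V0_SEPARATORS array and the RFC 2616 separator list come from the thread and the RFC.

```java
/**
 * Added illustration, not Tomcat's own code. Shows how a server-side cookie
 * serializer can decide whether a Version 0 cookie value may be emitted as-is
 * or must be quoted and upgraded to Version 1, and what a switch modelled on
 * Tomcat 7's ALLOW_HTTP_SEPARATORS_IN_V0 changes. The switch semantics assumed
 * here (only the v0 separators force an upgrade when it is on) are an
 * assumption drawn from the thread, not Tomcat's implementation.
 */
public class CookieSeparatorDemo {

    // Netscape-era v0 separators, as quoted from CookieSupport.java in the thread.
    static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};

    // The full separator set from RFC 2616 section 2.2.
    static final char[] HTTP_SEPARATORS = {
        '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/',
        '[', ']', '?', '=', '{', '}', ' ', '\t'
    };

    static boolean containsAny(String value, char[] separators) {
        for (char c : value.toCharArray()) {
            for (char sep : separators) {
                if (c == sep) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Wrap a value as an RFC 2616 quoted-string, escaping '"' and '\\'. */
    static String quote(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /**
     * Serialise a cookie the application requested as Version 0.
     * If the value contains a separator it is quoted and the cookie is
     * upgraded to Version 1. With allowHttpSeparatorsInV0 set, only the four
     * v0 separators trigger the upgrade, so characters such as '/' or '='
     * go out unquoted in a v0 cookie (the backward-compatible behaviour the
     * thread discusses).
     */
    static String serialize(String name, String value, boolean allowHttpSeparatorsInV0) {
        char[] separators = allowHttpSeparatorsInV0 ? V0_SEPARATORS : HTTP_SEPARATORS;
        if (containsAny(value, separators)) {
            return name + "=" + quote(value) + "; Version=1";
        }
        return name + "=" + value;
    }

    public static void main(String[] args) {
        // Constructed sample values: no separator, HTTP-only separators,
        // a v0 separator, and an embedded quote.
        String[] values = {"plain", "a/b=c", "a b", "x;y", "say \"hi\""};
        for (boolean allow : new boolean[] {false, true}) {
            System.out.println("ALLOW_HTTP_SEPARATORS_IN_V0=" + allow);
            for (String v : values) {
                System.out.println("  " + serialize("k", v, allow));
            }
        }
    }
}
```

Running it shows the difference the thread turns on: with the switch off, "a/b=c" becomes `k="a/b=c"; Version=1`, while with it on the same value is sent as `k=a/b=c` in a v0 cookie; values containing one of the four v0 separators (space, tab, comma, semicolon) are quoted and upgraded in both modes.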