Author: markt
Date: Fri May 23 08:14:50 2014
New Revision: 1597029
URL: http://svn.apache.org/r1597029
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55975
Apply consistent escaping for " and \
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/SetCookieSupport.java
tomcat/trunk/test/org/apache/tomcat/util/http/TestSetCookieSupport.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/SetCookieSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/SetCookieSupport.java?rev=1597029&r1=1597028&r2=1597029&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/SetCookieSupport.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/SetCookieSupport.java Fri May
23 08:14:50 2014
@@ -48,8 +48,8 @@ public class SetCookieSupport {
private static final BitSet ALLOWED_WITHOUT_QUOTES;
static {
- boolean allowSeparatorsInV0 =
-
Boolean.getBoolean("org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0");
+ boolean allowSeparatorsInV0 = Boolean.getBoolean(
+
"org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0");
String separators;
if (allowSeparatorsInV0) {
// comma, semi-colon and space as defined by netscape
@@ -218,8 +218,7 @@ public class SetCookieSupport {
}
private static void escapeDoubleQuotes(StringBuffer b, String s, int
beginIndex, int endIndex) {
- // TODO: bug55975: this checks for '"' but not for '\' which also
needs escaping
- if (s.indexOf('"') == -1) {
+ if (s.indexOf('"') == -1 && s.indexOf('\\') == -1) {
b.append(s);
return;
}
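Review bot: The fast path at the top of escapeDoubleQuotes ignores `beginIndex` and `endIndex`: it scans all of `s` and, when nothing needs escaping, appends all of `s`, while the loop in the next hunk only walks `beginIndex..endIndex`. If any caller passes a sub-range (callers are not visible here), the two paths emit different text for the same arguments, and the added backslash test keeps that inconsistency. Appending only the requested range keeps both paths aligned: `b.append(s, beginIndex, endIndex);`. The method body continues outside this hunk.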
@@ -227,12 +226,7 @@ public class SetCookieSupport {
for (int i = beginIndex; i < endIndex; i++) {
char c = s.charAt(i);
if (c == '\\' ) {
- b.append(c);
- //ignore the character after an escape, just append it
- if (++i>=endIndex) {
- throw new IllegalArgumentException("Invalid escape
character in cookie value.");
- }
- b.append(s.charAt(i));
+ b.append('\\').append('\\');
} else if (c == '"') {
b.append('\\').append('"');
} else {
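Review bot: The method is still named escapeDoubleQuotes although the loop now escapes backslashes as well, and nothing here states that the input is treated as raw text rather than as an already-escaped string. That contract matters for header integrity, because an unescaped trailing `\` inside a quoted value would escape the closing quote. The removed branch also changes behaviour for callers that relied on pre-escaped input or on the IllegalArgumentException for a trailing backslash. I would add a comment above the loop such as `// Input is raw: '\' -> '\\' and '"' -> '\"', so the value cannot terminate the quoted-string early`, and consider a Javadoc line on the method saying the same. The method starts and ends outside this hunk.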
@@ -257,7 +251,8 @@ public class SetCookieSupport {
for (; i < len; i++) {
char c = value.charAt(i);
if ((c < 0x20 && c != '\t') || c >= 0x7f) {
- throw new IllegalArgumentException("Control character in
cookie value or attribute.");
+ throw new IllegalArgumentException(
+ "Control character in cookie value or attribute.");
}
if (!ALLOWED_WITHOUT_QUOTES.get(c)) {
return true;
Modified:
tomcat/trunk/test/org/apache/tomcat/util/http/TestSetCookieSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/TestSetCookieSupport.java?rev=1597029&r1=1597028&r2=1597029&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/http/TestSetCookieSupport.java
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/http/TestSetCookieSupport.java Fri
May 23 08:14:50 2014
@@ -19,7 +19,6 @@ package org.apache.tomcat.util.http;
import javax.servlet.http.Cookie;
import org.junit.Assert;
-import org.junit.Ignore;
import org.junit.Test;
public class TestSetCookieSupport {
@@ -78,15 +77,13 @@ public class TestSetCookieSupport {
Assert.assertEquals("foo=\"a\\\"b\"; Version=1",
SetCookieSupport.generateHeader(cookie));
}
- @Ignore("bug 55975")
@Test
public void v0ValueContainsNonV0Separator() {
Cookie cookie = new Cookie("foo", "a()<>@:\\\"/[]?={}b");
// Assert.assertEquals("foo=a()<>@:\\\"/[]?{}=b",
SetCookieSupport.generateHeader(cookie));
- Assert.assertEquals("foo=\"a()<>@,;:\\\\\\\"/[]?={}b\"; Version=1",
SetCookieSupport.generateHeader(cookie));
+ Assert.assertEquals("foo=\"a()<>@:\\\\\\\"/[]?={}b\"; Version=1",
SetCookieSupport.generateHeader(cookie));
}
- @Ignore("bug 55975")
@Test
public void v0ValueContainsBackslash() {
Cookie cookie = new Cookie("foo", "a\\b");
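Review bot: The commented-out assertion kept in v0ValueContainsNonV0Separator (`// Assert.assertEquals("foo=a()<>@:\\\"/[]?{}=b", ...`) is stale now that the test is enabled, since it describes an unquoted header that the live assertion contradicts. Delete it, or replace it with a one-line reason for the expected output, for example `// '"' and '\' require quoting, so the header is emitted quoted with Version=1` (inferred from the expected string, so confirm the wording). The hunk ends inside v0ValueContainsBackslash, whose assertion is not visible here.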
@@ -95,7 +92,6 @@ public class TestSetCookieSupport {
}
- @Ignore("bug 55975")
@Test
public void v0ValueContainsBackslashAtEnd() {
Cookie cookie = new Cookie("foo", "a\\");
@@ -103,7 +99,6 @@ public class TestSetCookieSupport {
Assert.assertEquals("foo=\"a\\\\\"; Version=1",
SetCookieSupport.generateHeader(cookie));
}
- @Ignore("bug 55975")
@Test
public void v0ValueContainsBackslashAndQuote() {
Cookie cookie = new Cookie("foo", "a\"b\\c");
@@ -174,7 +169,6 @@ public class TestSetCookieSupport {
Assert.assertEquals("foo=\"a\\\"b\"; Version=1",
SetCookieSupport.generateHeader(cookie));
}
- @Ignore("bug 55975")
@Test
public void v1ValueContainsNonV0Separator() {
Cookie cookie = new Cookie("foo", "a()<>@,;:\\\"/[]?={}b");
@@ -183,7 +177,6 @@ public class TestSetCookieSupport {
Assert.assertEquals("foo=\"a()<>@,;:\\\\\\\"/[]?={}b\"; Version=1",
SetCookieSupport.generateHeader(cookie));
}
- @Ignore("bug 55975")
@Test
public void v1ValueContainsBackslash() {
Cookie cookie = new Cookie("foo", "a\\b");
@@ -193,7 +186,6 @@ public class TestSetCookieSupport {
}
- @Ignore("bug 55975")
@Test
public void v1ValueContainsBackslashAndQuote() {
Cookie cookie = new Cookie("foo", "a\"b\\c");
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1597029&r1=1597028&r2=1597029&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri May 23 08:14:50 2014
@@ -47,6 +47,10 @@
<section name="Tomcat 8.0.9 (markt)">
<subsection name="Catalina">
<changelog>
+ <fix>
+ <bug>55975</bug>: Apply consistent escaping for double quote and
+ backslash characters when escaping cookie values. (markt)
+ </fix>
<scode>
<bug>56387</bug>: Improve the code that handles an attempt to load a
class after a web application has been stopped. Use common code to
handle