Author: markt
Date: Tue Sep 2 15:10:41 2014
New Revision: 1622031
URL: http://svn.apache.org/r1622031
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55917
The new cookie parser correctly handles 8-bit values.
Add the test cases from the proposed patch by Jeremy Boynes.
Note RFC2616 does not treat any characters in the range 0x80 to 0xFF as control
characters.
Modified:
tomcat/trunk/test/org/apache/tomcat/util/http/TestCookies.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/test/org/apache/tomcat/util/http/TestCookies.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/TestCookies.java?rev=1622031&r1=1622030&r2=1622031&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/http/TestCookies.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/http/TestCookies.java Tue Sep 2
15:10:41 2014
@@ -29,6 +29,7 @@ import org.apache.tomcat.util.buf.Messag
public class TestCookies {
private final Cookie FOO = new Cookie("foo", "bar");
private final Cookie FOO_EMPTY = new Cookie("foo", "");
+ private final Cookie FOO_CONTROL = new Cookie("foo", "b\u00e1r");
private final Cookie BAR = new Cookie("bar", "rab");
private final Cookie BAR_EMPTY = new Cookie("bar", "");
private final Cookie A = new Cookie("a", "b");
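Review bot: The name `FOO_CONTROL` on the added field is misleading: its value `b\u00e1r` contains an 8-bit character (U+00E1), not a control character, and the commit message itself notes that RFC2616 does not treat 0x80–0xFF as controls. The two tests that use it are named `allow8BitInV0Value` and `allow8bitInV1QuotedValue`, so a name matching that intent, e.g. `private final Cookie FOO_8BIT = new Cookie("foo", "b\u00e1r");`, would keep the fixture and the test names consistent. The class body continues outside the hunk.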
@@ -387,6 +388,67 @@ public class TestCookies {
test(true, "$Version=0;foo=bar");
}
+ @Test
+ public void disallow8bitInName() {
+ // Bug 55917
+ test(true, "f\u00f6o=bar");
+ }
+
+ @Test
+ public void disallowControlInName() {
+ // Bug 55917
+ test(true, "f\010o=bar");
+ }
+
+ @Test
+ public void disallow8BitControlInName() {
+ // Bug 55917
+ test(true, "f\210o=bar");
+ }
+
+ @Test
+ public void allow8BitInV0Value() {
+ // Bug 55917
+ test(true, "foo=b\u00e1r", FOO_CONTROL);
+ }
+
+ @Test
+ public void disallow8bitInV1UnquotedValue() {
+ // Bug 55917
+ test(true, "$Version=1; foo=b\u00e1r");
+ }
+
+ @Test
+ public void allow8bitInV1QuotedValue() {
+ // Bug 55917
+ FOO_CONTROL.setVersion(1);
+ test(true, "$Version=1; foo=\"b\u00e1r\"", FOO_CONTROL);
+ }
+
+ @Test
+ public void disallowControlInV0Value() {
+ // Bug 55917
+ test(true, "foo=b\010r");
+ }
+
+ @Test
+ public void disallowControlInV1UnquotedValue() {
+ // Bug 55917
+ test(true, "$Version=1; foo=b\010r");
+ }
+
+ @Test
+ public void disallowControlInV1QuotedValue() {
+ // Bug 55917
+ test(true, "$Version=1; foo=\"b\010r\"");
+ }
+
+ @Test
+ public void disallow8BitControlInV1UnquotedValue() {
+ // Bug 55917
+ test(true, "$Version=1; foo=b\210r");
+ }
+
private void test(boolean useRfc6265, String header, Cookie... expected) {
MimeHeaders mimeHeaders = new MimeHeaders();
Cookies cookies = new Cookies(mimeHeaders);
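Review bot: The new test names mix `8bit` and `8Bit` (`disallow8bitInName`, `disallow8BitControlInName`, `allow8BitInV0Value`, `disallow8bitInV1UnquotedValue`, `allow8bitInV1QuotedValue`); one spelling throughout, e.g. `8Bit`, keeps the case matrix greppable. The matrix also has a gap: `\210` (0x88) is exercised in a name and in a V1 unquoted value but not in a V1 quoted value, and given the commit message's note that RFC2616 does not treat 0x80–0xFF as controls, a test such as `test(true, "$Version=1; foo=\"b\210r\"", FOO_CONTROL)` after `FOO_CONTROL.setVersion(1)` would pin that behaviour — assuming the parser does accept it. `allow8bitInV1QuotedValue` mutates the shared fixture via `setVersion(1)`, which is isolated only because JUnit instantiates the class per test method; a comment like `// instance field: JUnit creates a fresh instance per test, so this mutation does not leak` would make that assumption explicit before anyone makes the field static. Every new case runs only with `useRfc6265 = true`, so the legacy parser's handling of the same bytes is left unpinned even though the changelog entry implies it differs. The `test` helper that starts at the end of the hunk continues outside it.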
@@ -401,6 +463,7 @@ public class TestCookies {
ServerCookie actual = cookies.getCookie(i);
Assert.assertEquals(cookie.getVersion(), actual.getVersion());
Assert.assertEquals(cookie.getName(), actual.getName().toString());
+
actual.getValue().getByteChunk().setCharset(StandardCharsets.UTF_8);
Assert.assertEquals(cookie.getValue(),
org.apache.tomcat.util.http.parser.Cookie.unescapeCookieValueRfc2109(
actual.getValue().toString()));
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1622031&r1=1622030&r2=1622031&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 2 15:10:41 2014
@@ -48,6 +48,12 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>55917</bug>: Allow bytes in the range 0x80 to 0xFF to appear in
+ cookie values if the cookie is a V1 (RFC2109) cookie and the value is
+ correctly quoted. The new RFC6265 based cookie parser must be enabled
to
+ correctly handle these cookies. (markt)
+ </fix>
+ <fix>
<bug>56900</bug>: Fix some potential resource leaks when reading
property files reported by Coverity Scan. Based on patches provided by
Felix Schumacher. (markt)