Author: markt
Date: Mon Sep 14 09:34:38 2015
New Revision: 1702884

URL: http://svn.apache.org/r1702884

Log:
Switch the default cookie parser to the one based on RFC6265

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/cookie-processor.xml Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1702884&r1=1702883&r2=1702884&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Mon Sep 14 09:34:38 2015 @@ -129,7 +129,7 @@ import org.apache.tomcat.util.descriptor import org.apache.tomcat.util.descriptor.web.SecurityCollection; import org.apache.tomcat.util.descriptor.web.SecurityConstraint; import org.apache.tomcat.util.http.CookieProcessor; -import org.apache.tomcat.util.http.LegacyCookieProcessor; +import org.apache.tomcat.util.http.Rfc6265CookieProcessor; import org.apache.tomcat.util.scan.StandardJarScanner; import org.apache.tomcat.util.security.PrivilegedGetTccl; import org.apache.tomcat.util.security.PrivilegedSetTccl; @@ -4981,7 +4981,7 @@ public class StandardContext extends Con // An explicit cookie processor hasn't been specified; use the default if (cookieProcessor == null) { - cookieProcessor = new LegacyCookieProcessor(); + cookieProcessor = new Rfc6265CookieProcessor(); } // Initialize character set mapper Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1702884&r1=1702883&r2=1702884&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Sep 14 09:34:38 2015 
@@ -60,6 +60,14 @@ </update> </changelog> </subsection> + <subsection name="Catalina"> + <changelog> + <update> + The default HTTP cookie parser has been changed to + <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>. (markt) + </update> + </changelog> + </subsection> <subsection name="Coyote"> <changelog> <update> Modified: tomcat/trunk/webapps/docs/config/cookie-processor.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/cookie-processor.xml?rev=1702884&r1=1702883&r2=1702884&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/cookie-processor.xml (original) +++ tomcat/trunk/webapps/docs/config/cookie-processor.xml Mon Sep 14 09:34:38 2015 
@@ -45,34 +45,6 @@ <a href="context.html">Context</a> component. If it is not included, a default implementation will be created automatically.</p> - <p><strong>Note:</strong> <strong>CookieProcessor</strong> is a new - configuration element, introduced in Tomcat 8.0.15. - <strong>This is work in progress.</strong> - The goal is to review the current implementation of HTTP Cookie headers - processing in Tomcat to provide better compliance with RFC6265 specification. - The ideas are summarized on a - <a href="https://wiki.apache.org/tomcat/Cookies">Wiki page</a> and discussed - on <a href="http://tomcat.apache.org/lists.html">mailing lists</a>. - Notable points:</p> - - <ul> - <li><strong>CookieProcessor</strong> element allows to configure cookie - parsing separately in each web application, or globally in the default - <code>conf/context.xml</code> file. The legacy cookie parsing algorithm - supported only limited global configuration via several - <a href="systemprops.html#Specifications">system properties</a>. Those - system properties are still supported, but are going to be deprecated in - favor of this new configuration element. - </li> - <li>The new RFC6265-compliant (<em>work in progress</em>) implementation - is a stand-in replacement for the original legacy one. Until the new code - is stabilized, the legacy implementation remains the default one. - You can select the implementation by setting <code>className</code> - attribute on <strong>CookieProcessor</strong> element.</li> - <li>This is work in progress. Configuration attributes may change in a - future release.</li> - </ul> - </section> 
@@ -100,10 +72,34 @@ <subsection name="Standard Implementation"> <p>The standard implementation of <strong>CookieProcessor</strong> is - <code>org.apache.tomcat.util.http.LegacyCookieProcessor</code>. Note - that it is anticipated that this will change to - <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code> in a future - Tomcat 8 release.</p> + <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>.</p> + + <p>This cookie processor is based on RFC6265 with the following changes to + support better interoperability:</p> + + <ul> + <li>Values 0x80 to 0xFF are permitted in cookie-octet to support the use + of UTF-8 in cookie values as used by HTML 5.</li> + <li>For cookies without a value, the '=' is not required after the name as + some browsers do not sent it.</li> + </ul> + + <p>The RFC 6265 cookie processor is generally more lenient than the legacy + cookie parser. In particular:</p> + + <ul> + <li>The '<code>=</code>' and '<code>/</code>' characters are always + permitted in a cookie value.</li> + <li>Name only cookies are always permitted.</li> + <li>The cookie header is always preserved.</li> + </ul> + + <p>No additional attributes are supported by the <strong>RFC 6265 Cookie + Processor</strong>.</p> + + </subsection> + + <subsection name="Legacy Cookie Processor - org.apache.tomcat.util.http.LegacyCookieProcessor"> <p>This is the legacy cookie parser based on RFC6265, RFC2109 and RFC2616. It implements a strict interpretation of the cookie specifications. Due to 
@@ -172,33 +168,6 @@ </subsection> - <subsection name="RFC 6265 Cookie Processor - org.apache.tomcat.util.http.Rfc6265CookieProcessor"> - - <p>This cookie processor is based on RFC6265 with the following changes to - support better interoperability:</p> - - <ul> - <li>Values 0x80 to 0xFF are permitted in cookie-octet to support the use - of UTF-8 in cookie values as used by HTML 5.</li> - <li>For cookies without a value, the '=' is not required after the name as - some browsers do not sent it.</li> - </ul> - - <p>The RFC 6265 cookie processor is generally more lenient than the legacy - cookie parser. In particular:</p> - - <ul> - <li>The '<code>=</code>' and '<code>/</code>' characters are always - permitted in a cookie value.</li> - <li>Name only cookies are always permitted.</li> - <li>The cookie header is always preserved.</li> - </ul> - - <p>No additional attributes are supported by the <strong>RFC 6265 Cookie - Processor</strong>.</p> - - </subsection> - </section>
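
Review bot: In the StandardContext.java hunk at @@ -4981,7 +4981,7 @@, the fallback "cookieProcessor = new Rfc6265CookieProcessor();" changes cookie parsing for every context that has no explicit CookieProcessor, yet none of the three modified files is a test. Please add a test that starts a context without a CookieProcessor element and asserts the processor type, plus a parse check for the cases the docs call out as differing from the legacy parser ('=' and '/' in a value, name-only cookies), so a later change to the default cannot pass unnoticed.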
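
Review bot: The changelog.xml entry added under the new Catalina subsection names the new default but not how to get the previous one back. Since this alters behaviour for existing deployments, suggest extending the entry to say that org.apache.tomcat.util.http.LegacyCookieProcessor can still be selected with the className attribute of the CookieProcessor element, and that the new parser is generally more lenient than the legacy one, as cookie-processor.xml states.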
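
Review bot: The first cookie-processor.xml hunk (@@ -45,34 +45,6 @@) deletes the whole note, and with it the statements that CookieProcessor can be set per web application or globally in conf/context.xml and that the implementation is selected with the className attribute. Those are usage facts rather than work-in-progress caveats, and no added line in this patch restates them, so consider keeping them as a trimmed paragraph. The removed text also says the legacy system properties are still supported; now that the default is Rfc6265CookieProcessor, for which the docs state that no additional attributes are supported, the page should say whether those properties still have any effect when no CookieProcessor is configured.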
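
Review bot: In the cookie-processor.xml hunk at @@ -100,10 +72,34 @@, the relocated list item reads "some browsers do not sent it"; since the text is being moved into the Standard Implementation subsection anyway, correct it to "do not send it" as part of this change. The same block writes both "RFC6265" and "RFC 6265", so pick one form. Because this subsection now describes the default and says it is generally more lenient than the legacy parser, a sentence pointing readers who depend on the strict behaviour to the Legacy Cookie Processor subsection that follows would help.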