>Number: 4721 >Category: mod_jserv >Synopsis: Cookie values should NOT be URLDecoded when headers are parsed. >Confidential: no >Severity: serious >Priority: medium >Responsible: jserv >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Jul 12 10:30:01 PDT 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: apache1.3.6 JServ1.0 >Environment: Solaris2.6,NT4.0,JDK1.1.7,JDK1.2 >Description: JavaUtils.java line 172 -- the cookie value is url-decoded before a Cookie is constructed. This is icorrect since the cookie spec does not *require* cookie values to be url-encoded, it just recommends it. A lot of older CGI apps do not encode the cookie values so this breaks interopability. >How-To-Repeat: A cookie value of "abc+++def" becomes "abc def" this breaks things if the '+' where part of a base64 encoding for example and the cookie value was not url-encoded first (by another non-servlet app for example). Sun's Java Web Server does not do this, by the way... >Fix: Remove the call to URLDecode() in JavaUtils.java line 172. Users can always explicitly call URLDecode on the cookie value if they want. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include <[EMAIL PROTECTED]> in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
