[
https://issues.apache.org/jira/browse/HTTPCLIENT-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13206054#comment-13206054
]
Liang Sun commented on HTTPCLIENT-1006:
---------------------------------------
Yes, you can do the strip most times, but in some circumstances, you cannot.
Here is an example:
session="abc\075"
If you strip out the quotes, this will be
session=abc\075
The above cookie value will be parsed as
session=abc
because according to RFC 2109:
value = word
word = token | quoted-string
and RFC 2068
token = 1*<any CHAR except CTLs or tspecials>
tspecials = "(" | ")" | "<" | ">" | "@"
          | "," | ";" | ":" | "\" | <">
          | "/" | "[" | "]" | "?" | "="
          | "{" | "}" | SP | HT
That means a token (value without quoted-string) should not contain a character
"\" (it's a tspecial).
But in the above example, you strip out the quoted-string to make it a token, which
contains a character "\".
> BrowserCompatSpec: don't trim " around cookie value
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1006
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1006
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCookie
> Affects Versions: 4.0.2
> Reporter: Marc Guillemot
>
> If the server sends a cookie header like:
> Set-Cookie: first="hello world"
> then HttpClient parses it as cookie with value >hello world<, wrongly
> removing the leading and trailing quotes. The incorrect quote removal occurs
> in BasicHeaderValueParser.
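The grammar argument in the comment above, as an added Python example (not HttpClient code and not part of the original message): it checks whether a quoted cookie value is still a valid RFC 2068 token once the quotes are stripped, and shows what a strict token scanner would read from the stripped form. All function names are hypothetical, and the scanner stopping at the first non-token character is an assumption.

```python
# Added illustration; names below are hypothetical, not HttpClient APIs.
# RFC 2068 tspecials (including SP and HT); CTLs are 0-31 and 127.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

def is_token_char(ch):
    return 31 < ord(ch) < 127 and ch not in TSPECIALS

def is_token(s):
    return bool(s) and all(is_token_char(c) for c in s)

def is_quoted_string(s):
    """True for <"> ... <"> whose inner quotes are all backslash-escaped."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return False
    inner, i = s[1:-1], 0
    while i < len(inner):
        if inner[i] == '\\':
            i += 2          # quoted-pair: backslash plus the next char
        elif inner[i] == '"':
            return False    # unescaped quote ends the string early
        else:
            i += 1
    return i == len(inner)  # a trailing lone backslash would escape the close

def leading_token(s):
    """Longest token prefix: what a strict token scanner would accept."""
    n = 0
    while n < len(s) and is_token_char(s[n]):
        n += 1
    return s[:n]

def strip_is_lossless(value):
    """Quotes may be dropped only if the inner text is itself a token."""
    return not is_quoted_string(value) or is_token(value[1:-1])

def reparse_after_strip(value):
    """Value a second, grammar-strict parser sees once the quotes are gone."""
    inner = value[1:-1] if is_quoted_string(value) else value
    return leading_token(inner)

if __name__ == "__main__":
    # Constructed sample values; the first two are the ones from this thread.
    for v in (r'"abc\075"', '"hello world"', '"abc"'):
        print(v, strip_is_lossless(v), repr(reparse_after_strip(v)))
```

A value for which `strip_is_lossless` is false can reach the next parser as a different, shorter session value than the server set, so a cookie store that strips quotes should re-quote such values when it writes them back out.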