[
https://issues.apache.org/jira/browse/CONNECTORS-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501969#comment-13501969
]
Karl Wright commented on CONNECTORS-119:
----------------------------------------
Looked into cookie policy implementations in httpcomponents.
The validate function in effect for 4.2.2 for BROWSER_COMPATIBILITY is as
follows:
{code}
public void validate(final Cookie cookie, final CookieOrigin origin)
        throws MalformedCookieException {
    if (cookie == null) {
        throw new IllegalArgumentException("Cookie may not be null");
    }
    if (origin == null) {
        throw new IllegalArgumentException("Cookie origin may not be null");
    }
    for (CookieAttributeHandler handler: getAttribHandlers()) {
        handler.validate(cookie, origin);
    }
}
{code}
The code we *don't* want in there is:
{code}
// another security check... we mustn't allow the server to give us a
// cookie that doesn't match this path
if (!path.startsWith(cookie.getPath())) {
    throw new MalformedCookieException(
        "Illegal path attribute \"" + cookie.getPath()
        + "\". Path of origin: \"" + path + "\"");
}
{code}
The compatibility spec registers the following handler for path:
{code}
registerAttribHandler(ClientCookie.PATH_ATTR, new BasicPathHandler());
{code}
... which, unfortunately, does exactly the check I don't want done:
{code}
public void validate(final Cookie cookie, final CookieOrigin origin)
        throws MalformedCookieException {
    if (!match(cookie, origin)) {
        throw new CookieRestrictionViolationException(
            "Illegal path attribute \"" + cookie.getPath()
            + "\". Path of origin: \"" + origin.getPath() + "\"");
    }
}
{code}
So it looks like we need to request an enhancement/patch from the
httpcomponents people for this one. Wish I could remember the site(s) that had
this issue...
> Submit patch requests for all remaining httpclient customizations
> -----------------------------------------------------------------
>
> Key: CONNECTORS-119
> URL: https://issues.apache.org/jira/browse/CONNECTORS-119
> Project: ManifoldCF
> Issue Type: Task
> Components: Framework core
> Affects Versions: ManifoldCF 0.1, ManifoldCF 0.2
> Reporter: Karl Wright
> Fix For: ManifoldCF next
>
>
> Now that commons-httpclient has accepted the NTLM patch, we can in theory
> start to use httpclient 4.x plain-vanilla as a replacement for our customized
> 3.1 httpclient. But first we should submit any remaining differences as
> patch requests. Specifically, the cross-path cookie allowance should be
> submitted.
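The behaviour discussed in the comment above, as an added example that is not part of the original message and is not ManifoldCF or HttpComponents code: a subclass of `BrowserCompatSpec` that replaces the registered path handler so `validate` no longer rejects a cookie whose Path differs from the origin path. It assumes HttpClient 4.2.x on the classpath; `CrossPathCookieSpec` and `accepts` are hypothetical names, and the cookie and origins are constructed sample values.

```java
import org.apache.http.cookie.ClientCookie;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.cookie.BasicClientCookie;
import org.apache.http.impl.cookie.BasicPathHandler;
import org.apache.http.impl.cookie.BrowserCompatSpec;

/** Hypothetical spec: BROWSER_COMPATIBILITY minus the path check at validate time. */
public class CrossPathCookieSpec extends BrowserCompatSpec {

    public CrossPathCookieSpec() {
        super();
        // Replaces the BasicPathHandler that BrowserCompatSpec registered for "path".
        registerAttribHandler(ClientCookie.PATH_ATTR, new BasicPathHandler() {
            @Override
            public void validate(Cookie cookie, CookieOrigin origin)
                    throws MalformedCookieException {
                // Accept any Path on receipt; parse() and match() are inherited unchanged.
            }
        });
    }

    /** Returns true if the spec accepts the cookie as set by the given origin. */
    static boolean accepts(CookieSpec spec, Cookie cookie, CookieOrigin origin) {
        try {
            spec.validate(cookie, origin);
            return true;
        } catch (MalformedCookieException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a response from /login/submit sets a cookie scoped to /app.
        BasicClientCookie cookie = new BasicClientCookie("session", "constructed-value");
        cookie.setDomain("www.example.com");
        cookie.setPath("/app");
        CookieOrigin setter = new CookieOrigin("www.example.com", 80, "/login/submit", false);
        CookieOrigin later = new CookieOrigin("www.example.com", 80, "/app/page", false);

        CookieSpec stock = new BrowserCompatSpec();
        CookieSpec lax = new CrossPathCookieSpec();
        System.out.println("stock accepts from /login/submit: " + accepts(stock, cookie, setter));
        System.out.println("lax accepts from /login/submit:   " + accepts(lax, cookie, setter));
        System.out.println("lax sends to /app/page:           " + lax.match(cookie, later));
        System.out.println("lax sends to /login/submit:       " + lax.match(cookie, setter));
    }
}
```

Only the path check at acceptance time is relaxed: the domain handler still validates the cookie's domain against the origin host, and the inherited `match` still limits which request paths the stored cookie is sent to.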