This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new c324245fb6 Fix BZ 69478 setHttpOnly() and setSecure() ignored passed 
parameter
c324245fb6 is described below

commit c324245fb60c6549e57473cb1d0d29a28a287deb
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 27 12:16:07 2024 +0000

    Fix BZ 69478 setHttpOnly() and setSecure() ignored passed parameter
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69478
---
 java/jakarta/servlet/http/Cookie.java | 16 ++++++++++++----
 webapps/docs/changelog.xml            |  6 ++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/java/jakarta/servlet/http/Cookie.java 
b/java/jakarta/servlet/http/Cookie.java
index 71144499a9..20ec7a741b 100644
--- a/java/jakarta/servlet/http/Cookie.java
+++ b/java/jakarta/servlet/http/Cookie.java
@@ -234,13 +234,17 @@ public class Cookie implements Cloneable, Serializable {
      * <p>
      * The default value is <code>false</code>.
      *
-     * @param flag if <code>true</code>, sends the cookie from the browser to 
the server only when using a secure
+     * @param secure if <code>true</code>, sends the cookie from the browser 
to the server only when using a secure
      *                 protocol; if <code>false</code>, sent on any protocol
      *
      * @see #getSecure
      */
-    public void setSecure(boolean flag) {
-        setAttributeInternal(SECURE, EMPTY_STRING);
+    public void setSecure(boolean secure) {
+        if (secure) {
+            setAttributeInternal(SECURE, EMPTY_STRING);
+        } else {
+            setAttributeInternal(SECURE, null);
+        }
     }
 
 
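Review bot: The corrected false branch has no regression test behind it; the diffstat above lists only Cookie.java and the changelog, so the exact case that regressed in 11.0.0-M19 (calling setSecure(false) and having the Secure flag still set) remains uncovered, and the same applies to the setHttpOnly hunk below. A round-trip check such as `Cookie c = new Cookie("n", "v"); c.setSecure(true); c.setSecure(false); assert !c.getSecure();`, plus the analogous isHttpOnly() case, would pin the new behaviour against a repeat. The else branch depends on setAttributeInternal treating a null value as removal of the attribute; that method lies outside the hunk, so a short comment on the null call, e.g. `// null removes the attribute so the flag is no longer emitted`, would make the intent visible to the next reader. The `@param` continuation line below the renamed parameter is still aligned for the old name `flag`.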
@@ -349,7 +353,11 @@ public class Cookie implements Cloneable, Serializable {
      * @since Servlet 3.0
      */
     public void setHttpOnly(boolean httpOnly) {
-        setAttributeInternal(HTTP_ONLY, EMPTY_STRING);
+        if (httpOnly) {
+            setAttributeInternal(HTTP_ONLY, EMPTY_STRING);
+        } else {
+            setAttributeInternal(HTTP_ONLY, null);
+        }
     }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9198a16333..097b79fa50 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -201,6 +201,12 @@
         header fields for HTTP (draft)</a> in the <code>RateLimitFilter</code>.
         Based on pull request <pr>775</pr> provided by Chenjp. (markt)
       </add>
+      <fix>
+        <bug>69478</bug>: Correct a regression introduced in 11.0.0-M19 that
+        meant when calling <code>setHttpOnly(boolean)</code> or
+        <code>setSecure(boolean)</code> for a cookie, the respective flags were
+        set regardless of the value passed to the method. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
