On 06/22/2011 08:44 PM, Mark Thomas wrote:
On 22/06/2011 17:43, jean-frederic clere wrote:
On 06/22/2011 03:56 PM, ma...@apache.org wrote:
Author: markt
Date: Wed Jun 22 13:56:05 2011
New Revision: 1138468

URL: http://svn.apache.org/viewvc?rev=1138468&view=rev
Log:
Vote

Modified:
      tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1138468&r1=1138467&r2=1138468&view=diff

==============================================================================

--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 22 13:56:05 2011
@@ -160,4 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
     Based on https://issues.jboss.org/browse/JBWEB-196
     http://people.apache.org/~jfclere/patches/patch.110622.txt
     +1: jfclere
+  -1: markt Separators are defined by the HTTP specification and as
per section
+            2.2 of RFC 2616 must be quoted to be used within a
parameter value.
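Review bot: the -1 entry records only the RFC 2616 section 2.2 rationale, while the alternative the objection actually proposes (back-porting the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7 instead of adding a new option) appears only in the mail body; adding that one line to the STATUS.txt entry would make the proposal's record self-contained for whoever revisits the backport.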

If you look in org/apache/tomcat/util/http/CookieSupport.java
you will see:
private static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};

The switch is to be backward compatible with pre-CVE-2007-5333
applications.

If I am reading the proposed patch correctly (I may have lost track of
an '!' along the way), it changes the current behaviour to prevent
switching to v1 by default.

If the purpose is to allow HTTP separators in v0 cookies then why not
just back-port the ALLOW_HTTP_SEPARATORS_IN_V0 setting from Tomcat 7?

To be clear, I think:
- the default should remain as it is
- if a new option is introduced, it should be a port from Tomcat 7, not
an entirely new option

OK, I will propose another patch.

Cheers

Jean-Frederic
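As an added illustration of the point made in the -1 above (this is not Tomcat's code; the class and helper names are assumptions of mine), the following Java shows why a value containing one of the V0_SEPARATORS quoted from CookieSupport.java cannot be emitted as a bare token, and how RFC 2616 section 2.2 quoted-string quoting round-trips such a value. It goes slightly beyond the thread by checking the full RFC 2616 separator set, not only the four v0 ones.

```java
// Added illustration, not Tomcat's own code: separator detection plus
// RFC 2616 section 2.2 quoted-string encoding for cookie values.
public class CookieValueQuoting {
    // The v0 separator set quoted in the thread from CookieSupport.java
    static final char[] V0_SEPARATORS = {',', ';', ' ', '\t'};
    // The complete "separators" production from RFC 2616 section 2.2
    static final String HTTP_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isV0Separator(char c) {
        for (char s : V0_SEPARATORS) if (c == s) return true;
        return false;
    }

    static boolean isHttpSeparator(char c) {
        return HTTP_SEPARATORS.indexOf(c) >= 0;
    }

    // A value holding any separator is not a token and must be quoted.
    static boolean needsQuoting(String value) {
        for (char c : value.toCharArray()) if (isHttpSeparator(c)) return true;
        return false;
    }

    // Emit the value as a quoted-string; '"' and '\' become quoted-pairs,
    // control characters are rejected rather than smuggled into the header.
    static String quote(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c == 0x7f) throw new IllegalArgumentException("CTL in cookie value");
            if (c == '"' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Reverse of quote(): strip the surrounding quotes and resolve quoted-pairs.
    static String unquote(String quoted) {
        int end = quoted.length() - 1;
        if (end < 1 || quoted.charAt(0) != '"' || quoted.charAt(end) != '"')
            throw new IllegalArgumentException("not a quoted-string");
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i < end; i++) {
            char c = quoted.charAt(i);
            if (c == '\\' && i + 1 < end) c = quoted.charAt(++i);
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String v = "a,b; c=\"d\"";   // constructed sample value with v0 and other separators
        System.out.println(needsQuoting(v) + " " + isV0Separator(',') + " " + isV0Separator('='));
        String q = quote(v);
        System.out.println(q + " roundtrip=" + unquote(q).equals(v));
    }
}
```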
