Author: markt
Date: Tue Sep 30 07:41:57 2014
New Revision: 1628366
URL: http://svn.apache.org/r1628366
Log:
Make FWD_SLASH_IS_SEPARATOR configurable per context
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java
tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
tomcat/trunk/webapps/docs/config/cookie-processor.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/CookieSupport.java Tue Sep 30
07:41:57 2014
@@ -53,7 +53,10 @@ public final class CookieSupport {
* If set to true, the <code>/</code> character will be treated as a
* separator. Default is usually false. If STRICT_SERVLET_COMPLIANCE==true
* then default is true. Explicitly setting always takes priority.
+ *
+ * @deprecated Will be removed in Tomcat 9.
*/
+ @Deprecated
public static final boolean FWD_SLASH_IS_SEPARATOR;
/**
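Review bot: The new `@deprecated` tag on `FWD_SLASH_IS_SEPARATOR` says when the field goes away but not what to use instead, and the same applies to the tag added to `isHttpSeparator` in the next hunk. For the field, the replacement introduced by this commit could be named directly, e.g. `@deprecated Will be removed in Tomcat 9. Use {@link LegacyCookieProcessor#setForwardSlashIsSeparator(boolean)}.` For `isHttpSeparator` there appears to be no public replacement, so its tag should state that separator handling is now internal to `LegacyCookieProcessor`.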
@@ -174,7 +177,10 @@ public final class CookieSupport {
* spec, RFC2109.
* @throws IllegalArgumentException if a control character was supplied as
* input
+ *
+ * @deprecated Will be removed in Tomcat 9.
*/
+ @Deprecated
public static final boolean isHttpSeparator(final char c) {
if (c < 0x20 || c >= 0x7f) {
if (c != 0x09) {
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
Tue Sep 30 07:41:57 2014
@@ -44,6 +44,11 @@ public final class LegacyCookieProcessor
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.http");
+ // Excludes '/' since configuration controls whether or not to treat '/' as
+ // a separator
+ private static final char[] HTTP_SEPARATORS = new char[] {
+ '\t', ' ', '\"', '(', ')', ',', ':', ';', '<', '=', '>', '?', '@',
+ '[', '\\', ']', '{', '}' };
@SuppressWarnings("deprecation") // Default to false when deprecated code
is removed
private boolean allowEqualsInValue = CookieSupport.ALLOW_EQUALS_IN_VALUE;
@@ -58,6 +63,20 @@ public final class LegacyCookieProcessor
// when deprecated code is removed
private boolean presserveCookieHeader =
CookieSupport.PRESERVE_COOKIE_HEADER;
+ private boolean[] httpSeparatorFlags = new boolean[128];
+
+
+ public LegacyCookieProcessor() {
+ // Array elements will default to false
+ for (char c : HTTP_SEPARATORS) {
+ httpSeparatorFlags[c] = true;
+ }
+ @SuppressWarnings("deprecation") // Default to
STRICT_SERVLET_COMPLIANCE
+ // when deprecated code is removed
+ boolean b = CookieSupport.FWD_SLASH_IS_SEPARATOR;
+ httpSeparatorFlags['/'] = b;
+ }
+
public boolean getAllowEqualsInValue() {
return allowEqualsInValue;
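Review bot: `httpSeparatorFlags` is assigned once and never replaced, so the field can be declared `private final boolean[] httpSeparatorFlags = new boolean[128];`. A comment that the table covers only 7-bit ASCII would also help, for example `// Indexed by char value; valid for 0x00-0x7f only`, because the parsing hunks below index it with values derived from request bytes. The `@SuppressWarnings("deprecation")` on the local `b` is a reasonable way to scope the suppression. The body of `getAllowEqualsInValue` continues outside this hunk.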
@@ -99,6 +118,16 @@ public final class LegacyCookieProcessor
}
+ public boolean getForwardSlashIsSeparator() {
+ return httpSeparatorFlags['/'];
+ }
+
+
+ public void setForwardSlashIsSeparator(boolean forwardSlashIsSeparator) {
+ httpSeparatorFlags['/'] = forwardSlashIsSeparator;
+ }
+
+
@Override
public Charset getCharset() {
return StandardCharsets.ISO_8859_1;
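Review bot: The new public accessors `getForwardSlashIsSeparator` and `setForwardSlashIsSeparator` have no Javadoc, although they back the `forwardSlashIsSeparator` attribute documented in cookie-processor.xml. A short comment on the setter would tie the two together, for example `/** Controls whether '/' is treated as an HTTP separator when parsing cookie headers. */`. The setter writes a plain array element that the parsing code reads. If it can be called after the context has started serving requests (not visible here), the Javadoc should say whether that is supported.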
@@ -175,7 +204,7 @@ public final class LegacyCookieProcessor
// Skip whitespace and non-token characters (separators)
while (pos < end &&
- (CookieSupport.isHttpSeparator((char) bytes[pos]) &&
+ (httpSeparatorFlags[(char) bytes[pos]] &&
!getAllowHttpSepsInV0() ||
CookieSupport.isV0Separator((char) bytes[pos]) ||
isWhiteSpace(bytes[pos])))
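Review bot: Indexing `httpSeparatorFlags[(char) bytes[pos]]` in this loop condition drops the range check that `CookieSupport.isHttpSeparator` performed and can read past the 128-element table. The replaced method (visible in the CookieSupport hunk) rejects `c < 0x20 || c >= 0x7f` other than tab with an IllegalArgumentException. With the direct lookup, control characters in a cookie header are silently treated as non-separators, and if `bytes` is a `byte[]`, as the cast suggests, any byte of 0x80 or above sign-extends to a char far beyond index 127 and raises ArrayIndexOutOfBoundsException instead. The same lookup is used in the `@@ -244,7 +273,7 @@` and `@@ -411,7 +440,7 @@` hunks. A private helper that keeps the old check before consulting the table would preserve the previous behaviour for request-supplied header bytes; the enclosing methods start and end outside these hunks, so how callers handle either exception is not visible here.

```java
// new private helper in LegacyCookieProcessor
private boolean isHttpSeparator(final char c) {
    // Same range check as the deprecated CookieSupport.isHttpSeparator;
    // after it, c is guaranteed to be a valid index into the table.
    if ((c < 0x20 || c >= 0x7f) && c != 0x09) {
        throw new IllegalArgumentException(
                "Control character in cookie value or attribute.");
    }
    return httpSeparatorFlags[c];
}

// … unchanged: start of the skip-separators loop …
        (isHttpSeparator((char) bytes[pos]) &&
// … unchanged: rest of the loop condition …
```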
@@ -244,7 +273,7 @@ public final class LegacyCookieProcessor
if (version == 0 &&
!CookieSupport.isV0Separator((char)bytes[pos])
&&
getAllowHttpSepsInV0() ||
- !CookieSupport.isHttpSeparator((char)bytes[pos]) ||
+ !httpSeparatorFlags[(char)bytes[pos]] ||
bytes[pos] == '=') {
// Token
valueStart = pos;
@@ -411,7 +440,7 @@ public final class LegacyCookieProcessor
int version, boolean isName){
int pos = off;
while (pos < end &&
- (!CookieSupport.isHttpSeparator((char)bytes[pos]) ||
+ (!httpSeparatorFlags[(char)bytes[pos]] ||
version == 0 && getAllowHttpSepsInV0() && bytes[pos] != '=' &&
!CookieSupport.isV0Separator((char)bytes[pos]) ||
!isName && bytes[pos] == '=' && getAllowEqualsInValue())) {
Modified: tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java Tue
Sep 30 07:41:57 2014
@@ -44,7 +44,7 @@ public class TestCookieParsing extends T
private static final String COOKIES_WITH_NAME_ONLY_CONCAT = "bob=bob=";
private static final String[] COOKIES_WITH_SEPS = new String[] {
- "name=val(ue" };
+ "name=val/ue" };
private static final String COOKIES_WITH_SEPS_TRUNC = "name=val";
private static final String[] COOKIES_WITH_QUOTES = new String[] {
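Review bot: Changing `COOKIES_WITH_SEPS` from `"name=val(ue"` to `"name=val/ue"` means no fixture in this hunk still exercises a separator other than '/'. Since the commit replaces the shared separator check with a hand-written `HTTP_SEPARATORS` table, a mistake in that table for '(' or any other entry would no longer be caught here. Keeping the original value alongside the new one, e.g. a second constant `COOKIES_WITH_FWD_SLASH = new String[] { "name=val/ue" }`, would retain the old coverage. A case with a control character or a byte above 0x7f in the value would also pin down how the new table lookup treats out-of-range input.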
@@ -131,25 +131,38 @@ public class TestCookieParsing extends T
@Test
public void testLegacyWithSeps() throws Exception {
- doTestLegacySeps(true);
+ doTestLegacySeps(true, true);
}
@Test
public void testLegacyWithoutSeps() throws Exception {
- doTestLegacySeps(false);
+ doTestLegacySeps(false, true);
}
- private void doTestLegacySeps(boolean seps) throws Exception {
+ @Test
+ public void testLegacyWithFwdSlash() throws Exception {
+ doTestLegacySeps(true, false);
+ }
+
+
+ @Test
+ public void testLegacyWithoutFwdSlash() throws Exception {
+ doTestLegacySeps(false, false);
+ }
+
+
+ private void doTestLegacySeps(boolean seps, boolean fwdSlash) throws
Exception {
LegacyCookieProcessor legacyCookieProcessor = new
LegacyCookieProcessor();
legacyCookieProcessor.setAllowHttpSepsInV0(seps);
+ legacyCookieProcessor.setForwardSlashIsSeparator(fwdSlash);
String expected;
- if (seps) {
- expected = concat(COOKIES_WITH_SEPS);
- } else {
+ if (!seps && fwdSlash) {
expected = COOKIES_WITH_SEPS_TRUNC;
+ } else {
+ expected = concat(COOKIES_WITH_SEPS);
}
TestCookieParsingClient client = new TestCookieParsingClient(
legacyCookieProcessor, COOKIES_WITH_SEPS, expected);
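Review bot: The new test names do not match what they configure: `testLegacyWithFwdSlash` and `testLegacyWithoutFwdSlash` both pass `fwdSlash=false` and differ only in `seps`. Names that encode both flags would make the four-way matrix readable, for example `testLegacySepsAllowedFwdSlashNotSeparator`. A one-line comment on `doTestLegacySeps` stating that truncation is expected only when separators are disallowed and '/' is a separator would explain the inverted `if (!seps && fwdSlash)` condition. The helper's body continues past the end of this hunk.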
Modified: tomcat/trunk/webapps/docs/config/cookie-processor.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/cookie-processor.xml?rev=1628366&r1=1628365&r2=1628366&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/cookie-processor.xml (original)
+++ tomcat/trunk/webapps/docs/config/cookie-processor.xml Tue Sep 30 07:41:57
2014
@@ -147,6 +147,17 @@
<a href="systemprops.html">system property</a>.</p>
</attribute>
+ <attribute name="forwardSlashIsSeparator" required="false">
+ <p>If this is <code>true</code> Tomcat will treat the forward slash
+ character ('<code>/</code>') as an HTTP separator when processing
cookie
+ headers. If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code>
+ is set to <code>true</code>, the default of this setting will be
+ <code>true</code>, else the default value will be <code>false</code>.
+ This default may be overridden by setting the
+
<code>org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR</code>
+ system property.</p>
+ </attribute>
+
<attribute name="preserveCookieHeader" required="false">
<p>If this is <code>true</code> Tomcat will ensure that cookie
processing does not modify cookie header returned by
@@ -179,7 +190,8 @@
cookie parser. In particular:</p>
<ul>
- <li>The '<code>=</code>' is always permitted in a cookie value.</li>
+ <li>The '<code>=</code>' and '<code>/</code>' characters are always
+ permitted in a cookie value.</li>
<li>Name only cookies are always permitted.</li>
<li>The cookie header is always preserved.</li>
</ul>