Deprecated old non-thread safe public suffix domain filter in favor of new thread safe implementation

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1621183 13f79535-47bb-0310-9956-ffa450edef68

httpclient/src/main/java-deprecated/org/apache/http/impl/cookie/PublicSuffixFilter.java

@@ -43,8 +43,11 @@ import org.apache.http.cookie.SetCookie;
  * An uptodate list of suffixes can be obtained from
  * <a href="http://publicsuffix.org/">publicsuffix.org</a>
  *
+ * @deprecated (4.4) use {@link org.apache.http.impl.cookie.PublicSuffixDomainFilter}
+ *
  * @since 4.0
  */
+@Deprecated
 public class PublicSuffixFilter implements CookieAttributeHandler {
     private final CookieAttributeHandler wrapped;
     private Collection<String> exceptions;

httpclient/src/main/java-deprecated/org/apache/http/impl/cookie/PublicSuffixListParser.java

@@ -41,6 +41,7 @@ import org.apache.http.conn.util.PublicSuffixList;
  * @since 4.0
  */
 @Immutable
+@Deprecated
 public class PublicSuffixListParser {
 
     private final PublicSuffixFilter filter;

httpclient/src/main/java/org/apache/http/impl/cookie/PublicSuffixDomainFilter.java

@@ -0,0 +1,95 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.impl.cookie;
+
+import org.apache.http.annotation.Immutable;
+import org.apache.http.conn.util.PublicSuffixList;
+import org.apache.http.conn.util.PublicSuffixMatcher;
+import org.apache.http.cookie.CommonCookieAttributeHandler;
+import org.apache.http.cookie.Cookie;
+import org.apache.http.cookie.CookieOrigin;
+import org.apache.http.cookie.MalformedCookieException;
+import org.apache.http.cookie.SetCookie;
+import org.apache.http.util.Args;
+
+/**
+ * Wraps a {@link org.apache.http.cookie.CookieAttributeHandler} and leverages its match method
+ * to never match a suffix from a black list. May be used to provide additional security for
+ * cross-site attack types by preventing cookies from apparent domains that are not publicly
+ * available.
+ *
+ *  @see org.apache.http.conn.util.PublicSuffixList
+ *  @see org.apache.http.conn.util.PublicSuffixMatcher
+ *
+ * @since 4.4
+ */
+@Immutable // dependencies are expected to be immutable or thread-safe
+public class PublicSuffixDomainFilter implements CommonCookieAttributeHandler {
+
+    private final CommonCookieAttributeHandler handler;
+    private final PublicSuffixMatcher matcher;
+
+    public PublicSuffixDomainFilter(final CommonCookieAttributeHandler handler, final PublicSuffixMatcher matcher) {
+        this.handler = Args.notNull(handler, "Cookie handler");
+        this.matcher = Args.notNull(matcher, "Public suffix matcher");
+    }
+
+    public PublicSuffixDomainFilter(final CommonCookieAttributeHandler handler, final PublicSuffixList suffixList) {
+        Args.notNull(handler, "Cookie handler");
+        Args.notNull(suffixList, "Public suffix list");
+        this.handler = handler;
+        this.matcher = new PublicSuffixMatcher(suffixList.getRules(), suffixList.getExceptions());
+    }
+
+    /**
+     * Never matches if the cookie's domain is from the blacklist.
+     */
+    @Override
+    public boolean match(final Cookie cookie, final CookieOrigin origin) {
+        if (matcher.match(cookie.getDomain())) {
+            return false;
+        } else {
+            return handler.match(cookie, origin);
+        }
+    }
+
+    @Override
+    public void parse(final SetCookie cookie, final String value) throws MalformedCookieException {
+        handler.parse(cookie, value);
+    }
+
+    @Override
+    public void validate(final Cookie cookie, final CookieOrigin origin) throws MalformedCookieException {
+        handler.validate(cookie, origin);
+    }
+
+    @Override
+    public String getAttributeName() {
+        return handler.getAttributeName();
+    }
+
+}

httpclient/src/test/java/org/apache/http/impl/cookie/TestBasicCookieAttribHandlers.java

@@ -34,6 +34,7 @@ import java.util.Date;
 import java.util.Locale;
 
 import org.apache.http.client.utils.DateUtils;
+import org.apache.http.conn.util.PublicSuffixMatcher;
 import org.apache.http.cookie.CookieAttributeHandler;
 import org.apache.http.cookie.CookieOrigin;
 import org.apache.http.cookie.MalformedCookieException;
@@ -472,8 +473,8 @@ public class TestBasicCookieAttribHandlers {
     public void testPublicSuffixFilter() throws Exception {
         final BasicClientCookie cookie = new BasicClientCookie("name", "value");
 
-        final PublicSuffixFilter h = new PublicSuffixFilter(new RFC2109DomainHandler());
-        h.setPublicSuffixes(Arrays.asList(new String[] { "co.uk", "com" }));
+        final PublicSuffixMatcher matcher = new PublicSuffixMatcher(Arrays.asList("co.uk", "com"), null);
+        final PublicSuffixDomainFilter h = new PublicSuffixDomainFilter(new RFC2109DomainHandler(), matcher);
 
         cookie.setDomain(".co.uk");
         Assert.assertFalse(h.match(cookie, new CookieOrigin("apache.co.uk", 80, "/stuff", false)));

httpclient/src/test/java/org/apache/http/impl/cookie/TestPublicSuffixListParser.java

@@ -27,24 +27,37 @@
 
 package org.apache.http.impl.cookie;
 
+import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.io.Reader;
 
+import org.apache.http.Consts;
+import org.apache.http.conn.util.PublicSuffixList;
+import org.apache.http.conn.util.PublicSuffixMatcher;
 import org.apache.http.cookie.CookieOrigin;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
 public class TestPublicSuffixListParser {
-    private static final String LIST_FILE = "/suffixlist.txt";
-    private PublicSuffixFilter filter;
+
+    private static final String SOURCE_FILE = "suffixlist.txt";
+
+    private PublicSuffixDomainFilter filter;
 
     @Before
     public void setUp() throws Exception {
-        final Reader r = new InputStreamReader(getClass().getResourceAsStream(LIST_FILE), "UTF-8");
-        filter = new PublicSuffixFilter(new RFC2109DomainHandler());
-        final PublicSuffixListParser parser = new PublicSuffixListParser(filter);
-        parser.parse(r);
+        final ClassLoader classLoader = getClass().getClassLoader();
+        final InputStream in = classLoader.getResourceAsStream(SOURCE_FILE);
+        Assert.assertNotNull(in);
+        final PublicSuffixList suffixList;
+        try {
+            final org.apache.http.conn.util.PublicSuffixListParser parser = new org.apache.http.conn.util.PublicSuffixListParser();
+            suffixList = parser.parse(new InputStreamReader(in, Consts.UTF_8));
+        } finally {
+            in.close();
+        }
+        final PublicSuffixMatcher matcher = new PublicSuffixMatcher(suffixList.getRules(), suffixList.getExceptions());
+        this.filter = new PublicSuffixDomainFilter(new RFC2109DomainHandler(), matcher);
     }
 
     @Test