From 89f927ad0f60aa113ad1c2cfbacc64827ec679b0 Mon Sep 17 00:00:00 2001 From: Greg Wilkins Date: Thu, 15 Aug 2013 09:11:41 +1000 Subject: [PATCH] 414898 Only upgrade v0 to v1 cookies on dquote , ; backslash space and tab in the value --- .../org/eclipse/jetty/http/HttpFields.java | 33 ++----------------- .../eclipse/jetty/http/HttpFieldsTest.java | 4 +-- 2 files changed, 5 insertions(+), 32 deletions(-) diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java index 0df296425e6..c6b6762aa07 100644 --- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java +++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java @@ -69,8 +69,7 @@ public class HttpFields implements Iterable public static final TimeZone __GMT = TimeZone.getTimeZone("GMT"); public static final DateCache __dateCache = new DateCache("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US); - public static final String __COOKIE_DELIM_PATH="\"\\\t%+ :;,@?=()<>{}[]"; - public static final String __COOKIE_DELIM=__COOKIE_DELIM_PATH+"/"; + public static final String __COOKIE_DELIM="\",;\\ \t"; static { @@ -822,7 +821,7 @@ public class HttpFields implements Iterable // Format value and params StringBuilder buf = new StringBuilder(128); - // Name is checked by servlet spec, but can also be passed directly so check again + // Name is checked for legality by servlet spec, but can also be passed directly so check again for quoting boolean quote_name=isQuoteNeededForCookie(name); quoteOnlyOrAppend(buf,name,quote_name); 
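Review bot: Deleting the public constant `__COOKIE_DELIM_PATH` in the `@@ -69` hunk, together with the public static `isQuoteNeededForCookiePath` removed at `@@ -1177`, breaks any code outside this class that compiles against them. If external callers are possible, keep both for a release as deprecated aliases, e.g. `@Deprecated public static final String __COOKIE_DELIM_PATH=__COOKIE_DELIM;`, and have the old method delegate to `isQuoteNeededForCookie`. A short comment on `__COOKIE_DELIM` naming the six characters (dquote, comma, semicolon, backslash, space, tab) and stating that the one set now governs name, value, domain and path would also help the next reader.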
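Review bot: The name check `isQuoteNeededForCookie(name)` in the `@@ -822` hunk now runs against the narrowed `__COOKIE_DELIM`, so a name containing `=` no longer triggers quoting and would be appended as-is. The updated comment itself says the name can be passed directly, and a name such as `a=b` would then presumably be emitted in a form that a client splits at the wrong `=`. Quoting rules meant for values are not a substitute for validating the name; a guard such as `if (name.indexOf('=')>=0) throw new IllegalArgumentException("Illegal character in cookie name");` before the append would keep that boundary fixed. The body of `isQuoteNeededForCookie` and the start of this method are outside the hunk, so an existing check there may already cover it.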
@@ -839,7 +838,7 @@ public class HttpFields implements Iterable boolean has_domain = domain!=null && domain.length()>0; boolean quote_domain = has_domain && isQuoteNeededForCookie(domain); boolean has_path = path!=null && path.length()>0; - boolean quote_path = has_path && isQuoteNeededForCookiePath(path); + boolean quote_path = has_path && isQuoteNeededForCookie(path); // Upgrade the version if we have a comment or we need to quote value/path/domain or if they were already quoted if (version==0 && ( comment!=null || quote_name || quote_value || quote_domain || quote_path || isQuoted(name) || isQuoted(value) || isQuoted(path) || isQuoted(domain))) @@ -1177,32 +1176,6 @@ public class HttpFields implements Iterable return false; } - /* ------------------------------------------------------------ */ - /** Does a cookie path need to be quoted? - * @param s value string - * @return true if quoted; - * @throws IllegalArgumentException If there a control characters in the string - */ - public static boolean isQuoteNeededForCookiePath(String s) - { - if (s==null || s.length()==0) - return true; - - if (QuotedStringTokenizer.isQuoted(s)) - return false; - - for (int i=0;i=0) - return true; - - if (c<0x20 || c>=0x7f) - throw new IllegalArgumentException("Illegal character in cookie value"); - } - - return false; - } private static void quoteOnlyOrAppend(StringBuilder buf, String s, boolean quote) { diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpFieldsTest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpFieldsTest.java index d1674aa7430..a55b34f3893 100644 --- a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpFieldsTest.java +++ b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpFieldsTest.java 
@@ -374,9 +374,9 @@ public class HttpFieldsTest assertEquals("foo=bob;Domain=domain",e.nextElement()); fields=new HttpFields(); - fields.addSetCookie("name","value==",null,null,-1,null,false,false,0); + fields.addSetCookie("name","value%=",null,null,-1,null,false,false,0); setCookie=fields.getStringField("Set-Cookie"); - assertEquals("name=\"value==\";Version=1",setCookie); + assertEquals("name=value%=",setCookie); }
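Review bot: The updated test only pins the case that is no longer quoted (`value%=`); nothing in this hunk asserts that the six characters named in the subject still upgrade the cookie to Version=1. Following the pattern of the removed assertion, add one case per character, e.g. `fields.addSetCookie("name","val ue",null,null,-1,null,false,false,0);` expecting `name="val ue";Version=1`, and repeat it for path and domain since they now share the same set. It is also worth adding a case where a control character follows one of those six characters and asserting that `IllegalArgumentException` is thrown: the removed path variant returned on the first delimiter before inspecting later characters, and whether `isQuoteNeededForCookie` does the same is not visible here. The test method starts and ends outside the hunk.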