Bug 57871 - LegacyCookieProcessor.setAllowHttpSepsInV0(false) affects all characters, not just separators
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.21
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2015-04-29 06:01 UTC by Konstantin Kolinko
Modified: 2015-04-30 10:07 UTC



Description Konstantin Kolinko 2015-04-29 06:01:27 UTC
Reviewing code of LegacyCookieProcessor.setAllowHttpSepsInV0(boolean) of current Tomcat 8.

There is the following code:

        char[] seps = "()<>@:\\\"[]?={}\t".toCharArray();
        for (char sep : seps) {
            if (allowHttpSepsInV0) {
                allowedWithoutQuotes.set(sep);
            } else {
                allowedWithoutQuotes.clear();
            }
        }
        if (getForwardSlashIsSeparator() && !allowHttpSepsInV0) {
            allowedWithoutQuotes.set('/');
        } else {
            allowedWithoutQuotes.clear('/');
        }

Apparently it was supposed to do "clear(sep)" instead of just clear().
Comment 1 Mark Thomas 2015-04-30 10:07:09 UTC
Fixed in trunk and 8.0.x. Will be in 8.0.23 onwards.
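
Added example, not part of the original report and not Tomcat's code: a stand-alone comparison of the loop quoted in the description with the clear(sep) form it suggests, run on a java.util.BitSet. The class name, method names and the starting contents of the set are assumptions made for illustration; only the separator string is taken from the report.

```java
import java.util.BitSet;

public class SepClearDemo {
    // Separator list copied from the snippet in the report.
    static final char[] SEPS = "()<>@:\\\"[]?={}\t".toCharArray();

    // Constructed starting set (assumption): tab plus printable ASCII.
    // The real initial contents of allowedWithoutQuotes are not shown on the page.
    static BitSet initialAllowed() {
        BitSet b = new BitSet(128);
        b.set('\t');
        b.set(0x21, 0x7F); // '!' through '~' (toIndex is exclusive)
        return b;
    }

    // Runs the separator loop with allowHttpSepsInV0 = false.
    // asReported = true uses the no-argument clear() from the quoted code;
    // asReported = false uses clear(sep) as suggested in the description.
    static BitSet disallowSeparators(boolean asReported) {
        BitSet allowed = initialAllowed();
        for (char sep : SEPS) {
            if (asReported) {
                allowed.clear();      // wipes every bit in the set
            } else {
                allowed.clear(sep);   // removes only this separator
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        BitSet before = initialAllowed();
        BitSet reported = disallowSeparators(true);
        BitSet suggested = disallowSeparators(false);
        System.out.println("initial:   " + before.cardinality() + " chars allowed");
        System.out.println("reported:  " + reported.cardinality()
                + " chars allowed, 'a' allowed = " + reported.get('a'));
        System.out.println("suggested: " + suggested.cardinality()
                + " chars allowed, 'a' allowed = " + suggested.get('a'));

        // Regression check: exactly the separators, and nothing else, were removed.
        BitSet removed = (BitSet) before.clone();
        removed.andNot(suggested);
        BitSet expected = new BitSet();
        for (char sep : SEPS) expected.set(sep);
        if (!removed.equals(expected)) {
            throw new AssertionError("characters other than separators were removed");
        }
    }
}
```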