Bug 57871

Summary: LegacyCookieProcessor.setAllowHttpSepsInV0(false) affects all characters, not just separators
Product: Tomcat 8
Reporter: Konstantin Kolinko <knst.kolinko>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.21   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description Konstantin Kolinko 2015-04-29 06:01:27 UTC
Reviewing code of LegacyCookieProcessor.setAllowHttpSepsInV0(boolean) of current Tomcat 8.

There is the following code:

        char[] seps = "()<>@:\\\"[]?={}\t".toCharArray();
        for (char sep : seps) {
            if (allowHttpSepsInV0) {
                allowedWithoutQuotes.set(sep);
            } else {
                allowedWithoutQuotes.clear();
            }
        }
        if (getForwardSlashIsSeparator() && !allowHttpSepsInV0) {
            allowedWithoutQuotes.set('/');
        } else {
            allowedWithoutQuotes.clear('/');
        }

Apparently it was supposed to do "clear(sep)" instead of just clear().

Comment 1 Mark Thomas 2015-04-30 10:07:09 UTC
Fixed in trunk and 8.0.x. Will be in 8.0.23 onwards.
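
Added example (not code from Tomcat or from this report): a stand-alone comparison of the loop quoted in the description with the `clear(sep)` variant the reporter suggests, using `java.util.BitSet` directly. The starting set (printable ASCII 0x21..0x7E), the class name and the method names are assumptions made for illustration, and the '/' handling from the snippet is left out.

```java
import java.util.BitSet;

public class ClearVsClearSep {
    // Separator list copied from the snippet quoted in the report.
    static final char[] SEPS = "()<>@:\\\"[]?={}\t".toCharArray();

    // Constructed starting set (assumption): printable ASCII 0x21..0x7E.
    // This is NOT Tomcat's real initial value of allowedWithoutQuotes.
    static BitSet sampleAllowed() {
        BitSet allowed = new BitSet(128);
        allowed.set(0x21, 0x7F); // toIndex is exclusive
        return allowed;
    }

    // Loop as quoted in the report: the no-argument clear() resets every bit,
    // so the first iteration already empties the whole set.
    static BitSet reported(boolean allowHttpSepsInV0) {
        BitSet allowed = sampleAllowed();
        for (char sep : SEPS) {
            if (allowHttpSepsInV0) {
                allowed.set(sep);
            } else {
                allowed.clear();
            }
        }
        return allowed;
    }

    // Same loop with the change the reporter suggests: clear(sep) resets
    // only the bit for the current separator.
    static BitSet suggested(boolean allowHttpSepsInV0) {
        BitSet allowed = sampleAllowed();
        for (char sep : SEPS) {
            if (allowHttpSepsInV0) {
                allowed.set(sep);
            } else {
                allowed.clear(sep);
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        BitSet bad = reported(false);
        BitSet good = suggested(false);
        System.out.println("reported:  allowed=" + bad.cardinality() + " 'a'=" + bad.get('a'));
        System.out.println("suggested: allowed=" + good.cardinality() + " 'a'=" + good.get('a') + " '='=" + good.get('='));
    }
}
```

A regression check for this class of bug is to assert that an ordinary non-separator character is still present in the allowed set after calling the setter with `false`.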