Bug 57871 - LegacyCookieProcessor.setAllowHttpSepsInV0(false) affects all characters, not just separators
LegacyCookieProcessor.setAllowHttpSepsInV0(false) affects all characters, not...
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
8.0.21
PC All
: P2 normal (vote)
: ----
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2015-04-29 06:01 UTC by Konstantin Kolinko
Modified: 2015-04-30 10:07 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2015-04-29 06:01:27 UTC
Reviewing code of LegacyCookieProcessor.setAllowHttpSepsInV0(boolean) of current Tomcat 8.

There is the following code:

        char[] seps = "()<>@:\\\"[]?={}\t".toCharArray();
        for (char sep : seps) {
            if (allowHttpSepsInV0) {
                allowedWithoutQuotes.set(sep);
            } else {
                allowedWithoutQuotes.clear();
            }
        }
        if (getForwardSlashIsSeparator() && !allowHttpSepsInV0) {
            allowedWithoutQuotes.set('/');
        } else {
            allowedWithoutQuotes.clear('/');
        }

Apparently it was supposed to do "clear(sep)" instead of just clear().
Comment 1 Mark Thomas 2015-04-30 10:07:09 UTC
Fixed in trunk and 8.0.x. Will be in 8.0.23 onwards.