Bug 59925 - LegacyCookieProcessor does not allow the Cookie header with the Path attribute including the leading slash under specific conditions
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
 
Reported: 2016-08-02 09:27 UTC by Kyohei Nakamura
Modified: 2016-08-09 20:37 UTC

Attachments
patch against trunk (726 bytes, patch)
2016-08-02 09:27 UTC, Kyohei Nakamura

Description Kyohei Nakamura 2016-08-02 09:27:33 UTC
Created attachment 34089
patch against trunk

If forwardSlashIsSeparator and allowHttpSepsInV0 are set to true, the LegacyCookieProcessor should allow the Cookie header with the Path attribute including the leading slash.
However, this is not allowed.

For example, if the LegacyCookieProcessor parses the following Cookie header,

    $Version=0;cname=cvalue;$Path=/example

Expected: The return value of ServerCookie.getPath is "/example".
Actual: The return value of ServerCookie.getPath is null.

Since the slash is not the version 0 separator, the LegacyCookieProcessor should allow "$Path=/example".

I think this issue was triggered by r1628368, in which the exclamation mark for isV0Separator was accidentally removed.
I made the patch.
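
A simplified model of the token scan described in this report, added here as an illustration; it is not Tomcat's source and not the attached patch. The class and method names, the separator sets, and the mapping of an empty token to null are assumptions; only the header, the two option names and the role of the `!` on the V0-separator check come from the report.

```java
// Simplified model of the scan the report describes; NOT Tomcat source code.
public class V0SeparatorDemo {
    // Assumed separator sets. The report itself only states that '/' is not
    // a version 0 separator.
    static final String V0_SEPARATORS = ",; \t";
    static final String HTTP_SEPARATORS = "\t \"(),:;<=>?@[\\]{}";

    // '/' counts as an HTTP separator only when forwardSlashIsSeparator is on.
    static boolean isHttpSeparator(char c, boolean forwardSlashIsSeparator) {
        return HTTP_SEPARATORS.indexOf(c) >= 0
                || (forwardSlashIsSeparator && c == '/');
    }

    // Index at which an unquoted version 0 token starting at 'off' ends.
    // negateV0Check == true models the check with the '!' in place;
    // false models the check after the '!' was dropped.
    static int tokenEnd(String s, int off, boolean forwardSlashIsSeparator,
                        boolean allowHttpSepsInV0, boolean negateV0Check) {
        int pos = off;
        while (pos < s.length()) {
            char c = s.charAt(pos);
            boolean v0Sep = V0_SEPARATORS.indexOf(c) >= 0;
            // With allowHttpSepsInV0, an HTTP separator may stay inside the
            // token as long as it is neither '=' nor a V0 separator.
            boolean relaxed = allowHttpSepsInV0 && c != '='
                    && (negateV0Check ? !v0Sep : v0Sep);
            if (isHttpSeparator(c, forwardSlashIsSeparator) && !relaxed) {
                break;
            }
            pos++;
        }
        return pos;
    }

    // Extracts the $Path value with both options set to true; an empty token
    // is reported as null (assumption that mirrors the "Actual" result above).
    static String pathValue(String header, boolean negateV0Check) {
        String key = "$Path=";
        int start = header.indexOf(key) + key.length();
        int end = tokenEnd(header, start, true, true, negateV0Check);
        return end == start ? null : header.substring(start, end);
    }

    public static void main(String[] args) {
        String header = "$Version=0;cname=cvalue;$Path=/example"; // from the report
        System.out.println("check without '!': " + pathValue(header, false));
        System.out.println("check with '!':    " + pathValue(header, true));
    }
}
```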
Comment 1 Mark Thomas 2016-08-09 20:37:53 UTC
Thanks for the report, the analysis (which was spot on) and the patch.

This has been fixed in:
9.0.x for 9.0.0.M10 onwards
8.5.x for 8.5.5 onwards
8.0.x for 8.0.37 onwards