Re: Control character in cookie value or attribute

2011-05-24 Thread Christopher Schultz
Chuck, On 5/24/2011 5:28 PM, Caldarale, Charles R wrote: >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] >> Subject: Re: Control character in cookie value or attribute > >> On 5/24/2011 5:09 PM

Re: Control character in cookie value or attribute

2011-05-24 Thread Dan Checkoway
Hope you don't mind...I opened a ticket for this: https://issues.apache.org/bugzilla/show_bug.cgi?id=51260 Dan On Tue, May 24, 2011 at 5:28 PM, Caldarale, Charles R wrote: >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] >> Subject: Re: Control character i

RE: Control character in cookie value or attribute

2011-05-24 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Subject: Re: Control character in cookie value or attribute > On 5/24/2011 5:09 PM, Dan Checkoway wrote: > > -} else if (CookieSupport.isHttpToken(value) && > > -!CookieSuppor

Re: Control character in cookie value or attribute

2011-05-24 Thread Dan Checkoway
I wasn't gonna say anything about that, but I did consult my "operator precedence" reference while looking at it... :-) +1 on parens! Dan On Tue, May 24, 2011 at 5:21 PM, Christopher Schultz wrote: > Dan, > > On 5/24/2011 5:09 PM, Dan Checkow

Re: Control character in cookie value or attribute

2011-05-24 Thread Christopher Schultz
Dan, On 5/24/2011 5:09 PM, Dan Checkoway wrote: > -} else if (CookieSupport.isHttpToken(value) && > -!CookieSupport.ALLOW_HTTP_SEPARATORS_IN_V0 || > -CookieSupport.isV0Token(value) && > -CookieSu

Re: Control character in cookie value or attribute

2011-05-24 Thread Dan Checkoway
Ah, thanks! I see now that setting ALLOW_HTTP_SEPARATORS_IN_V0=true bypasses that check in a few spots. Probably what Chuck was alluding to in his reply... The one spot it wouldn't bypass is line 292 in ServerCookie.java. You guys could switch the order of the logical checks in there, i.e.: -

Re: Control character in cookie value or attribute

2011-05-24 Thread Mark Thomas
On 24/05/2011 21:25, Dan Checkoway wrote: > This is super low priority, since I assume somebody is passing junk in a > Set-Cookie header, but I'd love to get to the bottom of it (I'm of the "no > request left behind" mindset), and I'm still in the dark about what Tomcat > doesn't like about what it

Re: Control character in cookie value or attribute

2011-05-24 Thread Dan Checkoway
This is super low priority, since I assume somebody is passing junk in a Set-Cookie header, but I'd love to get to the bottom of it (I'm of the "no request left behind" mindset), and I'm still in the dark about what Tomcat doesn't like about what it's being passed. Can you guys shed any light on w

Re: Control character in cookie value or attribute

2011-05-20 Thread Dan Checkoway
Ah, thanks! To be honest I'm not sure which of those properties would work around the "Control character in cookie value or attribute" exception. Maybe org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR? I can't tell if "Control character" means a literal non-printable character (i

RE: Control character in cookie value or attribute

2011-05-20 Thread Caldarale, Charles R
> From: Dan Checkoway [mailto:dchecko...@gmail.com] > Subject: Control character in cookie value or attribute > I honestly have no idea if it's related to the tomcat version > or some legitimately wacked out Set-Cookie header coming in. Both, actually. Tomcat 7 is a bit more picky about what it