www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Claude Zervas <cla...@uniplanet.com>
Subject mod_jserv/4721: Cookie values should NOT be URLDecoded when headers are parsed.
Date Mon, 12 Jul 1999 17:24:59 GMT

>Number:         4721
>Category:       mod_jserv
>Synopsis:       Cookie values should NOT be URLDecoded when headers are parsed.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 12 10:30:01 PDT 1999
>Originator:     claude@uniplanet.com
>Release:        apache1.3.6 JServ1.0
JavaUtils.java line 172 -- the cookie value is url-decoded before a Cookie
is constructed.
This is icorrect since the cookie spec does not *require* cookie values
to be url-encoded, it just recommends it. A lot of older CGI apps do not
encode the cookie values so this breaks interopability.
A cookie value of "abc+++def" becomes "abc   def" this breaks things
if the '+' where part of a base64 encoding for example and the cookie
value was not url-encoded first (by another non-servlet app for example).
Sun's Java Web Server does not do this, by the way...
Remove the call to URLDecode() in JavaUtils.java line 172.
Users can always explicitly call URLDecode on the cookie value if
they want.
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message