Validate cookie name and value characters #3754

slandelle · 2015-05-07T09:13:47Z

Motivation:

RFC6265 specifies which characters are allowed in a cookie name and value.

Netty is currently too lax, which can used for HttpOnly escaping.

Modification:

Backport new RFC6265 compliant Cookie parsers in cookie subpackage.
Deprecate old Cookie encoders and decoders that will be dropped in 5.0.

Result:

The problem described in the motivation section is fixed.

slandelle · 2015-05-07T09:14:07Z

@normanmaurer Ping. Went smoothier than expected :)

Motivation: RFC6265 specifies which characters are allowed in a cookie name and value. Netty is currently too lax, which can used for HttpOnly escaping. Modification: Backport new RFC6265 compliant Cookie parsers in cookie subpackage. Deprecate old Cookie encoders and decoders that will be dropped in 5.0. Result: The problem described in the motivation section is fixed.

normanmaurer · 2015-05-08T09:21:21Z

Cherry-picked

normanmaurer modified the milestones: 3.10.3.Final, 3.10.2.Final May 8, 2015

normanmaurer self-assigned this May 8, 2015

normanmaurer modified the milestones: 3.9.7.Final, 3.10.2.Final May 8, 2015

normanmaurer added defect security labels May 8, 2015

normanmaurer closed this May 8, 2015

normanmaurer modified the milestones: 3.9.7.Final, 3.9.8.Final May 8, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate cookie name and value characters #3754

Validate cookie name and value characters #3754

slandelle commented May 7, 2015

slandelle commented May 7, 2015

normanmaurer commented May 8, 2015

Validate cookie name and value characters #3754

Validate cookie name and value characters #3754

Conversation

slandelle commented May 7, 2015

slandelle commented May 7, 2015

normanmaurer commented May 8, 2015