Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57896

Document org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER option that was introduced in r1675821 Merged r1678178 from tomcat/tc8.0.x/trunk. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1678180 13f79535-47bb-0310-9956-ffa450edef68
apache · May 7, 2015 · 40f83ec · 40f83ec
1 parent adac01c
commit 40f83ec
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -108,6 +108,13 @@
         <code>RemoteIpFilter</code> also affect
         <code>HttpServletResponse.sendRedirect()</code>. (markt)
       </fix>
+      <fix>
+        <bug>57896</bug>: Support defensive copying of "cookie" header so that
+        unescaping double quotes in a cookie value does not corrupt original
+        value of "cookie" header. This is an opt-in feature, enabled by
+        <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code>
+        system property. (kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

diff --git a/webapps/docs/config/systemprops.xml b/webapps/docs/config/systemprops.xml
@@ -286,6 +286,7 @@
       <li><code>org.apache.catalina.session.<br/>StandardSession.LAST_ACCESS_AT_START</code></li>
       <li><code>org.apache.tomcat.util.http.<br/>ServerCookie.ALWAYS_ADD_EXPIRES</code></li>
       <li><code>org.apache.tomcat.util.http.<br/>ServerCookie.FWD_SLASH_IS_SEPARATOR</code></li>
+      <li><code>org.apache.tomcat.util.http.<br/>ServerCookie.PRESERVE_COOKIE_HEADER</code></li>
       <li><code>org.apache.tomcat.util.http.<br/>ServerCookie.STRICT_NAMING</code></li>
       <li>The <code>resourceOnlyServlets</code> attribute of any
           <a href="context.html">Context</a> element.</li>
@@ -389,6 +390,15 @@
       else the default value will be <code>false</code>.</p>
     </property>
 
+    <property name="org.apache.tomcat.util.http. ServerCookie.PRESERVE_COOKIE_HEADER">
+      <p>If this is <code>true</code> Tomcat will ensure that cookie
+      processing does not modify cookie header returned by
+      <code>HttpServletRequest.getHeader()</code>.</p>
+      <p>If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is set to
+      <code>true</code>, the default of this setting will be <code>true</code>,
+      else the default value will be <code>false</code>.</p>
+    </property>
+
     <property name="org.apache.tomcat.util.http. ServerCookie.STRICT_NAMING">
       <p> If this is true then the requirements of the Servlet specification
       that Cookie names must adhere to RFC2109 (no use of separators) will be