
Cookie management issues


    • Bug
    • Resolution: Fixed
    • P3
    • 7
    • 6, 6u3
    • core-libs
    • 6
    • b27
    • generic, other
    • generic, solaris_nevada
    • Verified

      1) HttpCookie.domainMatches(String domain, String host) seems broken.
        Specifically, it returns 'false' when domain is ".yahoo.com" and host is "cm.my.yahoo.com".
        The error is in the following code:

             else if (lengthDiff > 0) {
                 // need to check H & D component
                 String H = host.substring(0, lengthDiff);
                 String D = host.substring(lengthDiff);

                 // BUG: rejects any H containing a '.', so H = "cm.my" never matches
                 return (H.indexOf('.') == -1 && D.equalsIgnoreCase(domain));
             }

       Here lengthDiff is the length difference between host and domain, so H becomes "cm.my" and D becomes ".yahoo.com", which is OK.
       The problem is the final line, which specifically tests for the absence of '.' in H; that test is wrong.

      2) InMemoryCookieStore uses the full URI as a search index, including the scheme. So cookies don't cross over from http://foo.com to https://foo.com and vice versa. It also uses the port number. Both are in contradiction with the RFC.

      3) CookieManager/InMemoryCookieStore don't take into account the "Secure" tag of cookies. When a cookie is tagged "Secure" it should only be sent if the scheme is https. Right now, this is ignored when returning cookies.
      4) The "expires" field is parsed a bit too strictly. It expects the date to be in the "EEE, dd-MMM-yyyy HH:mm:ss GMT" format, and therefore rejects cookies set with a slightly different format (e.g. from Yahoo: 'FPS=ds;expires=Wed, 19 Aug 2015 16:00:00 GMT;path=/;domain=www.yahoo.com', notice the absence of '-').
      5) The CookieManager doesn't attribute a default path to the cookies. When no 'path' is explicitly specified, the specs say the path should be the directory of the document. E.g. for a cookie whose doc URI is 'http://www.foo.bar/dir/page/doc.html' the default path should be '/dir/page'.
      6) If CookieManager.get() is called with a URI that does not contain a path, e.g. "http://www.sun.com" instead of "http://www.sun.com/", it does not return any cookies, even if CookieManager contains cookies for the URI.

      The relevant code is:

          /*
           * path-matches algorithm, as defined by RFC 2965
           */
          private boolean pathMatches(String path, String pathToMatchWith) {
              if (path == pathToMatchWith)
                  return true;
              if (path == null || pathToMatchWith == null)
                  return false;
              // BUG: an empty request path (URI with no path component) never
              // starts with "/", so such requests get no cookies at all
              if (path.startsWith(pathToMatchWith))
                  return true;

              return false;
          }

      That needs to cater for the case where path is the empty string.
      7) The 'Port' optional attribute is not enforced by the CookieManager. It should be checked before sending cookies with an HTTP request. See RFC 2965 sections 3.2.2, 3.3.1 and 3.3.2.
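As an added illustration of items 1, 3 and 6 (not the JDK's code nor its eventual fix), the following Java class implements domain-match and path-match as RFC 2965 describes them, treats a path-less request URI as "/", and withholds a Secure cookie from non-https requests; the class and method names are the example's own.

```java
import java.net.HttpCookie;
import java.net.URI;

// Added example (not the JDK's own code): RFC 2965 domain-match and path-match
// written the way items 1, 3 and 6 above require, plus the Secure check.
public class CookieMatch {

    // RFC 2965 domain-match: H equals D, or H = N + D where N is a non-empty
    // name and D begins with a dot. N may itself contain dots, so "cm.my" +
    // ".yahoo.com" matches; the JDK 6 code wrongly rejected any N with a '.'.
    static boolean domainMatches(String domain, String host) {
        if (domain == null || host == null) return false;
        if (host.equalsIgnoreCase(domain)) return true;
        int diff = host.length() - domain.length();
        if (diff <= 0 || domain.charAt(0) != '.') return false;
        return host.substring(diff).equalsIgnoreCase(domain);
    }

    // RFC 2965 path-match: the cookie path must be a prefix of the request path.
    // A request URI with no path component ("http://www.sun.com") is treated
    // as "/", which is the case the pathMatches shown above gets wrong.
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath == null || requestPath.isEmpty()) requestPath = "/";
        if (cookiePath == null || cookiePath.isEmpty()) cookiePath = "/";
        return requestPath.startsWith(cookiePath);
    }

    // May this stored cookie accompany a request to uri? Domain and path must
    // match, and a cookie flagged Secure is only released over https.
    static boolean shouldSend(HttpCookie cookie, URI uri) {
        if (cookie.getSecure() && !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        return domainMatches(cookie.getDomain(), uri.getHost())
            && pathMatches(uri.getPath(), cookie.getPath());
    }

    public static void main(String[] args) {
        // Constructed sample cookie: name and value are placeholders.
        HttpCookie c = new HttpCookie("SID", "example");
        c.setDomain(".yahoo.com");
        c.setPath("/");
        c.setSecure(true);
        // items 1 and 6: host two labels below the domain, URI without a path
        System.out.println(shouldSend(c, URI.create("https://cm.my.yahoo.com")));
        // item 3: the same host over plain http must not receive a Secure cookie
        System.out.println(shouldSend(c, URI.create("http://cm.my.yahoo.com/")));
    }
}
```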

            jccollet Jean-Christophe Collet (Inactive)