Request to backport 6644726

Florian Weimer fweimer at bfk.de
Tue Feb 8 01:19:05 PST 2011


This change:

# User jccollet
# Date 1208423133 -7200
# Node ID d44e3bf49ffbcbc5c6ce9a8fa4113153f8368a60
# Parent  a954a6f3be6fa69014f00488f52b2da12e6634bf
6644726: Cookie management issues
Summary: Many changes to accommodate RFC 2965 and old Netscape specs
Reviewed-by: chegar

diff -r a954a6f3be6f -r d44e3bf49ffb src/share/classes/java/net/CookieManager.java
--- a/src/share/classes/java/net/CookieManager.java     Wed Apr 16 14:17:54 2008 +0100
+++ b/src/share/classes/java/net/CookieManager.java     Thu Apr 17 11:05:33 2008 +0200
@@ -205,11 +205,31 @@
         if (cookieJar == null)
             return Collections.unmodifiableMap(cookieMap);
 
+        boolean secureLink = "https".equalsIgnoreCase(uri.getScheme());
         List<HttpCookie> cookies = new java.util.ArrayList<HttpCookie>();
+        String path = uri.getPath();
+        if (path == null || path.isEmpty()) {
+            path = "/";
+        }
         for (HttpCookie cookie : cookieJar.get(uri)) {
             // apply path-matches rule (RFC 2965 sec. 3.3.4)
-            if (pathMatches(uri.getPath(), cookie.getPath())) {
-                cookies.add(cookie);
+            // and check for the possible "secure" tag (i.e. don't send
+            // 'secure' cookies over unsecure links)
+            if (pathMatches(path, cookie.getPath()) &&
+                    (secureLink || !cookie.getSecure())) {
[...]
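Review bot: the new condition still passes `cookie.getPath()` straight into `pathMatches(path, cookie.getPath())`, and that value is null for a cookie that arrived without a Path attribute; only the request-side path is normalised to "/" here. Please confirm `pathMatches` tolerates a null second argument, or default the cookie path the same way the hunk defaults `path` (the `[...]` cut hides the rest of the loop, so it cannot be checked from the quoted lines). The `secureLink || !cookie.getSecure()` guard is the right shape for the secure-attribute rule: a cookie flagged secure is only released when the scheme is exactly https, and everything else falls through unchanged. Minor: "unsecure" in the new comment should read "insecure".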

is arguably a security fix (sending HTTPS-only cookies over HTTP is a
problem).  The whole patch seems to be quite important for
interoperability.  (Further changes from JDK 7 and maybe even new
development may be required to get cookie support working; I will
check that if backporting such changes is fine in principle.)

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
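The behaviour the quoted hunk is meant to guarantee can be checked directly against the JDK's own CookieManager, which is useful when deciding whether a given build carries this fix. The following is an added example written for this page, not code from the mail, the patch or OpenJDK; the class name SecureCookieCheck, the host example.com and the two cookie values are constructed for the demonstration.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class SecureCookieCheck {

    // Builds a CookieManager holding one cookie flagged "secure" and one
    // plain cookie, both scoped to path "/" of example.com (constructed data).
    static CookieManager prepare() {
        CookieManager cm = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        CookieStore store = cm.getCookieStore();
        URI origin = URI.create("https://example.com/");

        HttpCookie session = new HttpCookie("SID", "constructed-session-id");
        session.setPath("/");
        session.setSecure(true);        // must only travel over HTTPS
        store.add(origin, session);

        HttpCookie pref = new HttpCookie("lang", "en");
        pref.setPath("/");              // no secure flag: may go over HTTP
        store.add(origin, pref);

        return cm;
    }

    // Returns the "Cookie" request-header values the manager would attach
    // to a request for the given URI (empty list if it would send none).
    static List<String> cookieHeader(CookieManager cm, URI uri) throws IOException {
        Map<String, List<String>> headers =
                cm.get(uri, Collections.<String, List<String>>emptyMap());
        List<String> values = headers.get("Cookie");
        return values == null ? Collections.<String>emptyList() : values;
    }

    // True when no emitted Cookie header value mentions the secure cookie.
    static boolean secureCookieWithheld(List<String> headerValues) {
        for (String v : headerValues) {
            if (v.contains("SID=")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        CookieManager cm = prepare();

        URI https = URI.create("https://example.com/account");
        URI http = URI.create("http://example.com/account");
        // Empty path ("http://example.com" has getPath() == ""), the case the
        // hunk normalises to "/" before applying the path-match rule.
        URI bare = URI.create("http://example.com");

        System.out.println("https : " + cookieHeader(cm, https));
        System.out.println("http  : " + cookieHeader(cm, http));
        System.out.println("bare  : " + cookieHeader(cm, bare));

        // A JDK with the fix withholds SID on both plain-HTTP requests and
        // still sends "lang"; a JDK without it leaks SID on every request.
        boolean fixed = secureCookieWithheld(cookieHeader(cm, http))
                && secureCookieWithheld(cookieHeader(cm, bare))
                && !secureCookieWithheld(cookieHeader(cm, https));
        System.out.println("secure attribute honoured: " + fixed);
    }
}
```

Run it once on the build under evaluation: `javac SecureCookieCheck.java && java SecureCookieCheck`. Printing "secure attribute honoured: true" means the runtime enforces the rule in the hunk; "false" means a cookie marked secure is being attached to cleartext requests, which is exactly the exposure the mail describes.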