Request to backport 6644726

Joe Darcy joe.darcy at oracle.com
Fri Feb 11 11:35:05 PST 2011


Networking team,

Any comments on backporting this change to OpenJDK 6?  My inclination is 
to approve the backport, but I want your input on the issue.

-Joe

On 2/8/2011 1:19 AM, Florian Weimer wrote:
> This change:
>
> # User jccollet
> # Date 1208423133 -7200
> # Node ID d44e3bf49ffbcbc5c6ce9a8fa4113153f8368a60
> # Parent  a954a6f3be6fa69014f00488f52b2da12e6634bf
> 6644726: Cookie management issues
> Summary: Many changes to accommodate RFC 2965 and old Netscape specs
> Reviewed-by: chegar
>
> diff -r a954a6f3be6f -r d44e3bf49ffb src/share/classes/java/net/CookieManager.java
> --- a/src/share/classes/java/net/CookieManager.java     Wed Apr 16 14:17:54 2008 +0100
> +++ b/src/share/classes/java/net/CookieManager.java     Thu Apr 17 11:05:33 2008 +0200
> @@ -205,11 +205,31 @@
>           if (cookieJar == null)
>               return Collections.unmodifiableMap(cookieMap);
>
> +        boolean secureLink = "https".equalsIgnoreCase(uri.getScheme());
>           List<HttpCookie>  cookies = new java.util.ArrayList<HttpCookie>();
> +        String path = uri.getPath();
> +        if (path == null || path.isEmpty()) {
> +            path = "/";
> +        }
>           for (HttpCookie cookie : cookieJar.get(uri)) {
>               // apply path-matches rule (RFC 2965 sec. 3.3.4)
> -            if (pathMatches(uri.getPath(), cookie.getPath())) {
> -                cookies.add(cookie);
> +            // and check for the possible "secure" tag (i.e. don't send
> +            // 'secure' cookies over unsecure links)
> +            if (pathMatches(path, cookie.getPath())&&
> +                    (secureLink || !cookie.getSecure())) {
> [...]
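Review bot: the secure gate in `(secureLink || !cookie.getSecure())` depends on `"https".equalsIgnoreCase(uri.getScheme())` returning false for a null scheme, so a scheme-less URI silently withholds Secure cookies; that is the safe (fail-closed) direction, but it deserves a one-line comment next to the `secureLink` declaration so the behaviour is not lost in a later refactor. Two style points in the same hunk: a space is missing before `&&` in `pathMatches(path, cookie.getPath())&&`, and "unsecure" in the new comment should read "insecure". Defaulting `path` to "/" when `uri.getPath()` is null or empty is right for the RFC 2965 path-match, since a request for `http://host` is a request for `/`.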
>
> is arguably a security fix (sending HTTPS-only cookies over HTTP is a
> problem).  The whole patch seems to be quite important for
> interoperability.  (Further changes from JDK 7 and maybe even new
> development may be required to get cookie support working; I will
> check that if backporting such changes is fine in principle.)
>
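To make the interoperability and security point concrete, here is an added example, not part of the patch, of the OpenJDK sources or of either message above, that drives the public java.net.CookieManager API the way a client would: an https response sets one cookie with the Secure attribute and one without, and the manager is then asked which cookies to attach to an https and to a plain http request for the same host. The host example.test, the paths and the cookie values are constructed for illustration.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/*
 * Added example, not code from the patch or from OpenJDK: observe the rule
 * the change introduces (a cookie carrying the Secure attribute is attached
 * to https requests only) through the public CookieManager API.
 * The host example.test and all cookie values are constructed for this demo.
 */
public class SecureCookieDemo {

    /** Seed a manager with the cookies a (constructed) https response sets. */
    static CookieManager seededManager() {
        CookieManager manager = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        URI origin = URI.create("https://example.test/");
        Map<String, List<String>> responseHeaders = Collections.singletonMap(
                "Set-Cookie",
                Arrays.asList("sid=abc123; Path=/; Secure",   // session token, https only
                              "theme=dark; Path=/"));         // harmless preference cookie
        try {
            manager.put(origin, responseHeaders);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
        return manager;
    }

    /** Names of the cookies the manager would attach to a request for uri, sorted. */
    static List<String> cookieNamesFor(CookieManager manager, URI uri) throws IOException {
        // CookieManager.get() requires a non-null request header map
        Map<String, List<String>> requestHeaders =
                manager.get(uri, Collections.<String, List<String>>emptyMap());
        List<String> names = new ArrayList<>();
        List<String> cookieHeader = requestHeaders.get("Cookie");
        if (cookieHeader != null) {
            for (String pair : cookieHeader) {
                // each entry is "name=value"; an RFC 2965 header may start with $Version
                if (!pair.startsWith("$")) {
                    names.add(pair.substring(0, pair.indexOf('=')));
                }
            }
        }
        Collections.sort(names);
        return names;
    }

    public static void main(String[] args) throws IOException {
        CookieManager manager = seededManager();
        URI https = URI.create("https://example.test/account");
        URI http  = URI.create("http://example.test/account");
        System.out.println("https request gets: " + cookieNamesFor(manager, https));
        System.out.println("http  request gets: " + cookieNamesFor(manager, http));
    }
}
```

Compile and run with `javac SecureCookieDemo.java && java SecureCookieDemo`. On a JDK that carries this change the https line lists both cookies while the http line omits `sid`; without the change, the session token would be offered for the cleartext request, which is exactly the exposure Florian describes.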



More information about the jdk6-dev mailing list