Request to backport 6644726

Chris Hegarty chris.hegarty at oracle.com
Mon Feb 14 04:20:50 PST 2011


Joe,

I think that backporting this change to OpenJDK 6 should be fine.

-Chris.

On 11/02/2011 19:35, Joe Darcy wrote:
> Networking team,
>
> Any comments on backporting this change to OpenJDK 6? My inclination is
> to approve the backport, but I want your input on the issue.
>
> -Joe
>
> On 2/8/2011 1:19 AM, Florian Weimer wrote:
>> This change:
>>
>> # User jccollet
>> # Date 1208423133 -7200
>> # Node ID d44e3bf49ffbcbc5c6ce9a8fa4113153f8368a60
>> # Parent a954a6f3be6fa69014f00488f52b2da12e6634bf
>> 6644726: Cookie management issues
>> Summary: Many changes to accommodate RFC 2965 and old Netscape specs
>> Reviewed-by: chegar
>>
>> diff -r a954a6f3be6f -r d44e3bf49ffb
>> src/share/classes/java/net/CookieManager.java
>> --- a/src/share/classes/java/net/CookieManager.java Wed Apr 16
>> 14:17:54 2008 +0100
>> +++ b/src/share/classes/java/net/CookieManager.java Thu Apr 17
>> 11:05:33 2008 +0200
>> @@ -205,11 +205,31 @@
>> if (cookieJar == null)
>> return Collections.unmodifiableMap(cookieMap);
>>
>> + boolean secureLink = "https".equalsIgnoreCase(uri.getScheme());
>> List<HttpCookie> cookies = new java.util.ArrayList<HttpCookie>();
>> + String path = uri.getPath();
>> + if (path == null || path.isEmpty()) {
>> + path = "/";
>> + }
>> for (HttpCookie cookie : cookieJar.get(uri)) {
>> // apply path-matches rule (RFC 2965 sec. 3.3.4)
>> - if (pathMatches(uri.getPath(), cookie.getPath())) {
>> - cookies.add(cookie);
>> + // and check for the possible "secure" tag (i.e. don't send
>> + // 'secure' cookies over unsecure links)
>> + if (pathMatches(path, cookie.getPath())&&
>> + (secureLink || !cookie.getSecure())) {
>> [...]
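Review bot: In the new loop condition, `secureLink` is true only when the scheme is literally "https" (`"https".equalsIgnoreCase(uri.getScheme())`), so a URI with a null scheme or any other scheme never gets cookies marked secure. That fails closed, which is the safe direction, but the comment above the condition only says not to send 'secure' cookies over "unsecure" links; state there that https is the only scheme treated as secure, so the behaviour reads as intended, and write "insecure". The fallback of a null or empty path to "/" also deserves a one-line comment, because it changes what `pathMatches` receives compared with the old `uri.getPath()` call.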
>>
>> is arguably a security fix (sending HTTPS-only cookies over HTTP is a
>> problem). The whole patch seems to be quite important for
>> interoperability. (Further changes from JDK 7 and maybe even new
>> development may be required to get cookie support working; I will
>> check that if backporting such changes is fine in principle.)
>>
>


More information about the jdk6-dev mailing list