CR: 7183292: HttpURLConnection.getHeaderFields() throws IllegalArgumentException: Illegal cookie name

Thu Jul 19 03:00:48 PDT 2012

We'd like to make a small change to the fix for this for 7u6.
We would like to keep the restriction on $ being the first character of 
a cookie name
(since this was a genuine/correct requirement of RFC 2965). That 
restriction has been
removed in JDK8, but since that is not required for this particular bug 
fix, we will keep it in 7u.

http://cr.openjdk.java.net/~michaelm/7183292/webrev.7u6.3/

Thanks
Michael

On 18/07/12 18:47, Michael McMahon wrote:
> This is the same change for 7u6. The change is identical.
>
> http://cr.openjdk.java.net/~michaelm/7183292/webrev.7u6.2/
>
> Thanks,
> Michael
>
>
> On 18/07/12 18:38, Michael McMahon wrote:
>> Thanks Kurchi.
>>
>> I have made one small change to another test, which was specifically 
>> testing the $name assertion.
>> So, that test had to be removed.
>>
>> The new webrev is at :
>>
>> http://cr.openjdk.java.net/~michaelm/7183292/webrev.3/
>>
>> - Michael
>>
>> On 17/07/12 18:15, Kurchi Subhra Hazra wrote:
>>> I have read the sections dealing with cookie-name in 6265, and these 
>>> changes look good to me.
>>>
>>> - Kurchi
>>>
>>> On 7/17/12 7:32 AM, Michael McMahon wrote:
>>>>
>>>> Thanks for reviewing this Chris. On the question of whether $ 
>>>> should be allowed
>>>> in cookie names, it appears like that restriction has been removed 
>>>> from RFC 6265,
>>>> which is evidently a fairly comprehensive description of actual 
>>>> cookie usage on the web.
>>>> So, maybe we should just leave that out as well - assuming that it 
>>>> is being used in places
>>>> (albeit in contravention of the older RFC). What do you think?
>>>>
>>>> - Michael
>>>>
>>>> On 17/07/2012 14:18, Chris Hegarty wrote:
>>>>> On 17/07/2012 10:17, Michael McMahon wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Could I get the following change reviewed please?
>>>>>>
>>>>>> http://cr.openjdk.java.net/~michaelm/7183292/webrev.1/
>>>>>>
>>>>>> Since 7u4, we are parsing all incoming cookies via the HttpCookie 
>>>>>> class.
>>>>>> This class has had a restriction on cookie names that is causing 
>>>>>> this
>>>>>> problem
>>>>>> and which is not required by any of the cookie specifications, as 
>>>>>> far as
>>>>>> I can see,
>>>>>> (rfc 2965, and 6265 which obsoletes 2965).
>>>>>
>>>>> Right, this is my reading of the RFC's also. In fact, RFC 2965 
>>>>> explicitly states that "the NAME of a cookie MAY be the same as 
>>>>> one of the attributes in this specification".
>>>>>
>>>>>> The restriction was that cookie names could not be the same (case
>>>>>> insensitively)
>>>>>> as any of the attribute names (eg. Domain). So, the change is to 
>>>>>> remove
>>>>>> the restriction.
>>>>>
>>>>> Yes, this makes sense to me.
>>>>>
>>>>> One comment on the webrev is that isReserved also enforces that 
>>>>> the name cannot start with a '$', from 2965: "NAMEs that begin 
>>>>> with $ are reserved and MUST NOT be used by applications." I think 
>>>>> you may need to minimally reintroduce this. Otherwise, the changes 
>>>>> look good to me.
>>>>>
>>>>> -Chris.
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Michael
>>>>
>>>
>>
>