From dc16d53b7bf5349dfd0e8779403ac72123e962c3 Mon Sep 17 00:00:00 2001
From: jccollet
Date: Wed, 21 Oct 2009 13:42:39 +0200
Subject: [PATCH] 6873543: CookieManager doesn't enforce httpOnly
Summary: Adds check for httpOnly tag and clarifies javadoc
Reviewed-by: chegar
---
 src/share/classes/java/net/CookieHandler.java | 16 ++++++++++---
 src/share/classes/java/net/CookieManager.java | 7 ++++++
 test/java/net/CookieHandler/B6644726.java | 24 ++++++++++++++++++-
 3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/src/share/classes/java/net/CookieHandler.java b/src/share/classes/java/net/CookieHandler.java
index 0de42ac43..1bdfe3c85 100644
--- a/src/share/classes/java/net/CookieHandler.java
+++ b/src/share/classes/java/net/CookieHandler.java
@@ -101,11 +101,21 @@ public abstract class CookieHandler {
 * Gets all the applicable cookies from a cookie cache for the
 * specified uri in the request header.
 *
- * HTTP protocol implementers should make sure that this method is
+ *

The {@code URI} passed as an argument specifies the intended use for
+ * the cookies. In particular the scheme should reflect whether the cookies
+ * will be sent over http, https or used in another context like javascript.
+ * The host part should reflect either the destination of the cookies or
+ * their origin in the case of javascript.

+ *

It is up to the implementation to take into account the {@code URI} and
+ * the cookies attributes and security settings to determine which ones
+ * should be returned.

+ *
+ *

HTTP protocol implementers should make sure that this method is
 * called after all request headers related to choosing cookies
- * are added, and before the request is sent.
+ * are added, and before the request is sent.

 *
- * @param uri a URI to send cookies to in a request
+ * @param uri a URI representing the intended use for the
+ * cookies
 * @param requestHeaders - a Map from request header
 * field names to lists of field values representing
 * the current request headers
diff --git a/src/share/classes/java/net/CookieManager.java b/src/share/classes/java/net/CookieManager.java
index 95de8c0db..57038fcdb 100644
--- a/src/share/classes/java/net/CookieManager.java
+++ b/src/share/classes/java/net/CookieManager.java
@@ -218,6 +218,13 @@ public class CookieManager extends CookieHandler
 // 'secure' cookies over unsecure links)
 if (pathMatches(path, cookie.getPath()) &&
 (secureLink || !cookie.getSecure())) {
+ // Enforce httponly attribute
+ if (cookie.isHttpOnly()) {
+ String s = uri.getScheme();
+ if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) {
+ continue;
+ }
+ }
 // Let's check the authorize port list if it exists
 String ports = cookie.getPortlist();
 if (ports != null && !ports.isEmpty()) {
diff --git a/test/java/net/CookieHandler/B6644726.java b/test/java/net/CookieHandler/B6644726.java
index e153bbd93..a7a330d70 100644
--- a/test/java/net/CookieHandler/B6644726.java
+++ b/test/java/net/CookieHandler/B6644726.java
@@ -23,7 +23,7 @@
 /*
 * @test
- * @bug 6644726
+ * @bug 6644726 6873543
 * @summary Cookie management issues
 */
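Review bot: The new httpOnly block calls `uri.getScheme()` and compares it against "http"/"https" once per cookie inside the loop, although the scheme belongs to the request URI and cannot change between iterations; `secureLink`, tested on the line just above, appears to be derived from that same scheme earlier in the method, outside the hunk. Hoisting the comparison next to it as `boolean httpLink = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());` and folding it into the existing condition as `&& (!cookie.isHttpOnly() || httpLink)` removes the nested `continue` and keeps the two scheme-based filters (secure, httpOnly) side by side. The comment would help more if it stated the intent rather than the mechanism, e.g. `// httpOnly cookies are released only to HTTP(S) requests, never to other consumers such as script access`. A URI without a scheme (getScheme() returns null) falls into the withheld case, which is the conservative outcome and worth a word in that comment. The enclosing get() method starts and ends outside the hunk.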
@@ -170,6 +170,28 @@ public class B6644726 {
 if (isIn(clst, "myCookie8=")) {
 fail("A cookie with an invalid port list was returned");
 }
+
+ // Test httpOnly flag (CR# 6873543)
+ lst.clear();
+ map.clear();
+ cm.getCookieStore().removeAll();
+ lst.add("myCookie11=httpOnlyTest; httpOnly");
+ map.put("Set-Cookie", lst);
+ uri = new URI("http://www.sun.com/");
+ cm.put(uri, map);
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was http: so we should get the cookie
+ if (!isIn(clst, "myCookie11=")) {
+ fail("Missing cookie with httpOnly flag");
+ }
+ uri = new URI("javascript://www.sun.com/");
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was neither http or https so we shouldn't get the cookie
+ if (isIn(clst, "myCookie11=")) {
+ fail("Should get the cookie with httpOnly when scheme is javascript:");
+ }
 }
 private static boolean isIn(List lst, String cookie) {
-- GitLab
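Review bot: The failure message in the last added check, `fail("Should get the cookie with httpOnly when scheme is javascript:")`, states the opposite of the condition that triggers it: the branch is entered when the httpOnly cookie was returned for the javascript: URI, i.e. when it should have been withheld, so it should read `fail("Should not get the cookie with httpOnly when scheme is javascript:")`. The new block exercises only the http and javascript: schemes, while the CookieManager change also accepts https; a third step doing `m = cm.get(new URI("https://www.sun.com/"), emptyMap);` and asserting the cookie is present would pin that branch. The enclosing test method starts before the hunk.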