From e0faaa4807b9c612fb6a4a0ea59d73bf7eea3153 Mon Sep 17 00:00:00 2001
From: Rossen Stoyanchev
Date: Wed, 6 Nov 2019 16:17:41 +0000
Subject: [PATCH] Relax domain name checks in ResponseCookie

Closes gh-23924
---
 .../springframework/http/ResponseCookie.java | 2 +-
 .../http/ResponseCookieTests.java | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
index 65afc80a50..68373c4638 100644
--- a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
+++ b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
@@ -374,7 +374,7 @@ public final class ResponseCookie extends HttpCookie {
 }
 int char1 = domain.charAt(0);
 int charN = domain.charAt(domain.length() - 1);
- if (char1 == '.' || char1 == '-' || charN == '.' || charN == '-') {
+ if (char1 == '-' || charN == '.' || charN == '-') {
 throw new IllegalArgumentException("Invalid first/last char in cookie domain: " + domain);
 }
 for (int i = 0, c = -1; i < domain.length(); i++) {
diff --git a/spring-web/src/test/java/org/springframework/http/ResponseCookieTests.java b/spring-web/src/test/java/org/springframework/http/ResponseCookieTests.java
index 79affb0daf..a1a021f6cb 100644
--- a/spring-web/src/test/java/org/springframework/http/ResponseCookieTests.java
+++ b/spring-web/src/test/java/org/springframework/http/ResponseCookieTests.java
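Review bot: A value such as `.-abc.org` now passes the first/last-character check on the new line, because only a leading '-' is rejected after the change; whether it is still refused depends on the per-character loop that follows, whose body is outside the hunk, so that input belongs in the rejected cases of the accompanying test. The reason for tolerating a leading '.' is not recorded in the code either; a comment on the new condition such as `// A leading '.' is tolerated: RFC 6265 section 5.2.3 has user agents strip it` would capture it, and the method's Javadoc should state that a leading dot is accepted and passed through to the Set-Cookie header unchanged. The enclosing method starts and ends outside the hunk.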
@@ -85,6 +85,31 @@ public class ResponseCookieTests {
 });
 }
+ @Test
+ public void domainChecks() {
+
+ Arrays.asList("abc", "abc.org", "abc-def.org", "abc3.org", ".abc.org")
+ .forEach(domain -> ResponseCookie.from("n", "v").domain(domain).build());
+
+ Arrays.asList("-abc.org", "abc.org.", "abc.org-", "-abc.org", "abc.org-")
+ .forEach(domain -> {
+ try {
+ ResponseCookie.from("n", "v").domain(domain).build();
+ }
+ catch (IllegalArgumentException ex) {
+ assertThat(ex.getMessage(), Matchers.containsString("Invalid first/last char"));
+ }
+ });
+ Arrays.asList("abc..org", "abc.-org", "abc-.org")
+ .forEach(domain -> {
+ try {
+ ResponseCookie.from("n", "v").domain(domain).build();
+ }
+ catch (IllegalArgumentException ex) {
+ assertThat(ex.getMessage(), Matchers.containsString("invalid cookie domain char"));
+ }
+ });
+ }
 }
-- 
GitLab
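Review bot: The two rejection loops in domainChecks never fail when build() does not throw, because the only assertion sits in the catch block; a domain that is wrongly accepted lets the test pass silently, which is precisely the regression a relaxed validation rule can introduce. Add a failure after the call inside each try, i.e. `ResponseCookie.from("n", "v").domain(domain).build();` followed by `fail("Expected IllegalArgumentException for domain: " + domain);` (JUnit's fail, assuming it is already imported here), or use whatever expected-exception helper this test class uses elsewhere. The second list also repeats "-abc.org" and "abc.org-", so two of its five entries add no coverage. `.-abc.org` is worth adding to the rejected cases, since it is the first input the relaxed first-character check now hands on to the per-character loop.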