8351983: HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute #25636
👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into |
@Michael-Mc-Mahon This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been no new commits pushed to the ➡️ To integrate this PR with the above commit message to the |
@Michael-Mc-Mahon The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
/csr needed |
@Michael-Mc-Mahon has indicated that a compatibility and specification (CSR) request is needed for this pull request. @Michael-Mc-Mahon please create a CSR request for issue JDK-8351983 with the correct fix version. This pull request cannot be integrated until the CSR request is approved. |
LGTM. A minor suggestion for the test.
// Date string in past. | ||
new Test(-1, "Thu, 01 Jan 2024 00:00:00 GMT", 0, true), | ||
new Test(1000, "Thu, 01 Jan 2024 00:00:00 GMT", 1000, false), | ||
new Test(0, "Thu, 01 Jan 2024 00:00:00 GMT", 0, true), |
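Review bot: the date string in these three rows says "Thu, 01 Jan 2024", but 1 January 2024 was a Monday, so the rows depend on how the date parser treats a day name that does not match the date. Suggest "Mon, 01 Jan 2024 00:00:00 GMT", or a comment on the rows saying the mismatch is intentional.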
Maybe you could add a test case with maxAge=1000 and expires = set at the current time + 500s. The expected maxAge would be 1000.
Something like:
static final String NOW_PLUS_500 =
DateTimeFormatter.RFC_1123_DATE_TIME.format(
java.time.ZonedDateTime.ofInstant(Instant.now().plusSeconds(500), ZoneId.of("UTC")));
...
new Test(1000, NOW_PLUS_500, 1000, false),
Ideally we'd like to test the same with maxAge = -1, but that could be tricky since we can't know in advance the exact value that will be computed for the new maxAge.
Alternatively, we could create a HttpCookie::parse method [1] accepting a long currentTimeMillis, and precisely determine the expected value?
[1] This can either be private and accessed via reflection, or package-private and accessed by placing the test in the same package.
I'll look into doing both of those. So long as we are immune to timing related issues it seems reasonable. By the way, I will push an implementation update first, which results from existing cookie regression failures.
} | ||
} | ||
|
||
static Test[] tests = new Test[] { |
Tip: JUnit @ParameterizedTest @CsvSource can save us some boilerplate here.
I've updated the implementation to allow for testing with fixed cookie creation times and expiry check times. And then added some tests of this. If we're okay with it, I'd like to work on the CSR at this point.
/* | ||
* @test | ||
* @bug 8351983 | ||
* @summary HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute |
Aren't we missing a @run tag?
> Aren't we missing a @run tag?
@run defaults to running the main method
Copyright year needs to be updated.
@Michael-Mc-Mahon |
No rush. Thanks! |
if (name.equalsIgnoreCase("max-age") && maxAgeValue == null) { | ||
maxAgeValue = value; | ||
continue; | ||
} | ||
if (name.equalsIgnoreCase("expires") && expiresValue == null) { | ||
expiresValue = value; | ||
continue; | ||
} | ||
|
||
// assign attribute to cookie | ||
assignAttribute(cookie, name, value); | ||
} | ||
assignMaxAgeAttribute(cookie, expiresValue, maxAgeValue); |
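Review bot: in the two "== null" guards, a second max-age or expires attribute on the same cookie no longer matches and falls through to assignAttribute(cookie, name, value) under that name. Either continue for these two names whether or not a value was already captured, or add a test row with a repeated attribute so the first-value-wins behaviour is pinned down.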
@Michael-Mc-Mahon, instead of making an exception for max-age and expires, and removing them from assignors, can't we convert the type of assignors from Map to List and add max-age & expires entries at the end?
> @Michael-Mc-Mahon, instead of making an exception for max-age and expires, and removing them from assignors, can't we convert the type of assignors from Map to List and add max-age & expires entries at the end?
Just converting from Map to List wouldn't be enough. The problem is that both attribute types need to be handled together. You could change the attribute name recognition to some kind of pattern match to recognise either of them. Then you need to know which of them was set and what their values were.
Maybe, I could at least use the assignor pattern to recognise the two attributes and limit the special code to just actioning the values. I'll take a look at that now.
I think the last commit (b221131) just worsened things – now the logic is spread across assignMaxAgeAttribute, assignors, and instance variables, whereas earlier it was only in assignMaxAgeAttribute. 🫤 I suggest simply reverting it, that is, switching the state back to 9a495d7.
I agree that introducing a smarter data structure and iteration scheme to assignors would simplify things, though that is probably out of the scope of this work.
Apologies for the inconvenience and thanks so much for your patient cooperation. 🙇
> I think the last commit (b221131) just worsened things – now the logic is spread across assignMaxAgeAttribute, assignors, and instance variables, whereas earlier it was only in assignMaxAgeAttribute. 🫤 I suggest simply reverting it, that is, switching the state back to 9a495d7.
> I agree that introducing a smarter data structure and iteration scheme to assignors would simplify things, though that is probably out of the scope of this work.
> Apologies for the inconvenience and thanks so much for your patient cooperation. 🙇
Yeah, I agree. I will revert it. The old version was clearer.
This reverts commit b221131.
LGTM. Should we be more specific about the partial support?
/integrate |
Going to push as commit 116b854. |
@Michael-Mc-Mahon Pushed as commit 116b854. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Hi,
This is a fix to j.n.HttpCookie (which has a doc/spec change). So, I'm targeting it to 26.
We currently do not obey the rule in RFC 6265 that says if both Max-Age and Expires attributes
are present in a cookie, the Max-Age should take precedence.
Thanks
Michael
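The precedence rule described above, as an added example that is not code from the JDK or from this PR: a stand-alone function that takes the current time as a parameter, so every expected lifetime is exact. The class name, method names, the -1 sentinel and the sample dates are assumptions made for illustration; it does not reproduce the parser in java.net.HttpCookie.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

public class MaxAgePrecedence {
    // Assumption for this example: -1 marks "no lifetime set" (session cookie).
    static final long UNSET = -1;

    // Lifetime in seconds from 'now'. Arguments are raw attribute values, null when absent.
    static long effectiveMaxAge(String maxAge, String expires, Instant now) {
        if (maxAge != null) {
            try {
                // RFC 6265: a Max-Age of zero or less means "expire immediately".
                return Math.max(Long.parseLong(maxAge.trim()), 0);
            } catch (NumberFormatException e) {
                // Unparsable Max-Age is ignored; Expires may still apply.
            }
        }
        if (expires != null) {
            try {
                Instant expiry = ZonedDateTime.parse(expires.trim(),
                        DateTimeFormatter.RFC_1123_DATE_TIME).toInstant();
                return Math.max(Duration.between(now, expiry).getSeconds(), 0);
            } catch (DateTimeParseException e) {
                // Unparsable Expires is ignored as well.
            }
        }
        return UNSET;
    }

    static void check(long actual, long expected) {
        if (actual != expected) throw new AssertionError(actual + " != " + expected);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2025-06-01T00:00:00Z");   // constructed fixed clock
        String past = "Mon, 01 Jan 2024 00:00:00 GMT";          // constructed, before 'now'
        String plus500 = "Sun, 01 Jun 2025 00:08:20 GMT";       // constructed, now + 500 s
        check(effectiveMaxAge(null, past, now), 0);          // Expires alone, already past
        check(effectiveMaxAge("1000", past, now), 1000);     // Max-Age overrides a past Expires
        check(effectiveMaxAge("0", past, now), 0);           // Max-Age=0 expires at once
        check(effectiveMaxAge("1000", plus500, now), 1000);  // Max-Age overrides a future Expires
        check(effectiveMaxAge(null, plus500, now), 500);     // Expires alone, against the fixed clock
        check(effectiveMaxAge(null, null, now), UNSET);      // neither attribute present
        System.out.println("all cases hold");
    }
}
```

Passing the clock in is what makes the Expires-only case checkable to the second, which is the timing concern raised in the review thread.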
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/25636/head:pull/25636
$ git checkout pull/25636
Update a local copy of the PR:
$ git checkout pull/25636
$ git pull https://git.openjdk.org/jdk.git pull/25636/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 25636
View PR using the GUI difftool:
$ git pr show -t 25636
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/25636.diff