Index: java/org/apache/commons/httpclient/cookie/CookieSpecBase.java
===================================================================
RCS file: /home/cvspublic/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/cookie/CookieSpecBase.java,v
retrieving revision 1.9
diff -u -r1.9 CookieSpecBase.java
--- java/org/apache/commons/httpclient/cookie/CookieSpecBase.java 28 Jan 2003 04:40:23 -0000 1.9
+++ java/org/apache/commons/httpclient/cookie/CookieSpecBase.java 28 Jan 2003 17:03:50 -0000
@@ -446,6 +446,13 @@
                     + "\". Domain of origin: \"" + host + "\"");
             }
         }
+        else {
+            if (!host.equals(cookie.getDomain())) {
+                throw new MalformedCookieException(
+                    "Illegal domain attribute \"" + cookie.getDomain()
+                    + "\". Domain of origin: \"" + host + "\"");
+            }
+        }
         // another security check... we musn't allow the server to give us a
         // cookie that doesn't match this path
Index: java/org/apache/commons/httpclient/cookie/RFC2109Spec.java
===================================================================
RCS file: /home/cvspublic/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/cookie/RFC2109Spec.java,v
retrieving revision 1.8
diff -u -r1.8 RFC2109Spec.java
--- java/org/apache/commons/httpclient/cookie/RFC2109Spec.java 28 Jan 2003 04:40:23 -0000 1.8
+++ java/org/apache/commons/httpclient/cookie/RFC2109Spec.java 28 Jan 2003 17:03:49 -0000
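Review bot: The new `else` branch in CookieSpecBase rejects a domain that differs from a dotless `host` with a case-sensitive `equals`, and nothing in the hunk shows `host` or `cookie.getDomain()` being lower-cased first, unlike the RFC2109Spec hunk in this commit which does `host = host.toLowerCase()`; if the method does not normalize case before this point (its start lies outside the hunk), a cookie from `Host` carrying `domain=host` would be refused although host names are case-insensitive, so confirm this and, if needed, use `if (!host.equalsIgnoreCase(cookie.getDomain())) {`. The bare `else` gives no hint why a dotless host is special; a why-comment such as `// a host name with no dots has no parent domain, so the only acceptable domain attribute is the host itself` would explain the rule without a trip to RFC 2109. The message is identical to the one in the dotted branch just above, so a log entry cannot tell which rule rejected the cookie; mentioning that the host of origin has no dots would disambiguate.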
@@ -167,17 +167,22 @@
             if (dotIndex < 0 || dotIndex == cookie.getDomain().length() - 1) {
                 throw new MalformedCookieException("Domain attribute \""
                     + cookie.getDomain()
-                    + "\" violates RFC 2109: domain must contain an "
-                    + "embedded dot");
+                    + "\" violates RFC 2109: domain must contain an embedded dot");
             }
-            // host minus domain may not contain any dots
-            if (host.substring(0,
-                host.length()
-                - cookie.getDomain().length()).indexOf('.') != -1) {
-                throw new MalformedCookieException("Domain attribute \""
-                    + cookie.getDomain()
-                    + "\" violates RFC 2109: host minus domain may not "
-                    + "contain any dots");
+            host = host.toLowerCase();
+            if (host.indexOf(".") >= 0) {
+                if (!host.endsWith(cookie.getDomain())) {
+                    throw new MalformedCookieException(
+                        "Illegal domain attribute \"" + cookie.getDomain()
+                        + "\". Domain of origin: \"" + host + "\"");
+                }
+                // host minus domain may not contain any dots
+                String hostWithoutDomain = host.substring(0, host.length() - cookie.getDomain().length());
+                if (hostWithoutDomain.indexOf('.') != -1) {
+                    throw new MalformedCookieException("Domain attribute \""
+                        + cookie.getDomain()
+                        + "\" violates RFC 2109: host minus domain may not contain any dots");
+                }
             }
         }
     }
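Review bot: `host = host.toLowerCase()` folds case with the JVM's default locale, so under a Turkish locale an `I` in the host name becomes dotless `ı` and no longer matches a domain attribute folded elsewhere; use `host = host.toLowerCase(Locale.ENGLISH);` (and the same wherever the domain side is lower-cased, which this hunk does not show). The new `host.endsWith(cookie.getDomain())` is a plain suffix test, so a label boundary is respected only if the domain attribute is guaranteed to start with a dot before it reaches this code; the embedded-dot check above does not require that, so confirm the leading dot is enforced in `parse()` or in the superclass validation, neither of which is visible here. The new `if (host.indexOf(".") >= 0)` guard skips dotless hosts entirely, which is sound only because CookieSpecBase in this same commit rejects a mismatched domain for such hosts, presumably reached through the superclass validation; a comment, `// host names without a dot are validated by CookieSpecBase`, would make that dependency visible. The enclosing method starts before the hunk.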
@@ -792,7 +792,48 @@
             // Expected
         }
     }
+
+    /**
+     * Tests if default cookie validator rejects cookies originating from a host without domain
+     * where domain attribute does not match the host of origin
+     */
+    public void testInvalidDomainWithSimpleHostName() {
+        CookieSpec parser = CookiePolicy.getDefaultSpec();
+        Header setCookie = null;
+        Cookie[] cookies = null;
+        try {
+            setCookie = new Header(
+                "Set-Cookie", "name=\"value\"; version=\"1\"; path=\"/\"; domain=\".mydomain.com\"");
+            cookies = parser.parse("host", 80, "/", false, setCookie );
+            try {
+                parser.validate("host", 80, "/", false, cookies[0]);
+                fail("MalformedCookieException must have thrown");
+            }
+            catch(MalformedCookieException expected) {
+            }
+        }
+        catch(HttpException e) {
+            e.printStackTrace();
+            fail("Unexpected exception: " + e.toString());
+        }
+        try {
+            setCookie = new Header(
+                "Set-Cookie", "name=\"value\"; version=\"1\"; path=\"/\"; domain=\"host1\"");
+            cookies = parser.parse("host2", 80, "/", false, setCookie );
+            try {
+                parser.validate("host2", 80, "/", false, cookies[0]);
+                fail("MalformedCookieException must have thrown");
+            }
+            catch(MalformedCookieException expected) {
+            }
+        }
+        catch(HttpException e) {
+            e.printStackTrace();
+            fail("Unexpected exception: " + e.toString());
+        }
+    }
+
     /**
      * Makes sure that a cookie matches with a path of the same value.
      */
@@ -816,6 +857,7 @@
         }
     }
+
     /**
      * Tests generic cookie formatting.
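Review bot: Both cases in `testInvalidDomainWithSimpleHostName` assert only rejection, so the test cannot catch an over-broad fix that refuses every cookie from a dotless host; add an accepting case for a cookie whose domain equals the host of origin, for example one sent from `host` with no domain attribute, which relies on `parse()` defaulting the domain to the origin host (not shown in this hunk, so confirm). The two `e.printStackTrace()` calls before `fail("Unexpected exception: " + e.toString())` only add noise to the test output, since the failure message already carries the exception; drop them. The javadoc's "a host without domain" is ambiguous (no domain attribute, or a host name with no dots?); `Tests that the default cookie spec rejects a domain attribute that does not match a host name containing no dots` says what the two cases exercise.
```java
        // … unchanged: the two rejection cases above …
        try {
            setCookie = new Header(
                "Set-Cookie", "name=\"value\"; version=\"1\"; path=\"/\"");
            cookies = parser.parse("host", 80, "/", false, setCookie );
            parser.validate("host", 80, "/", false, cookies[0]);
        }
        catch(MalformedCookieException e) {
            fail("Cookie whose domain equals the dotless host must be accepted: " + e.toString());
        }
        catch(HttpException e) {
            fail("Unexpected exception: " + e.toString());
        }
    }
```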