Strict cookie name validation

2009-02-26 08:35:38 +00:00 · 2009-02-26 08:35:38 +00:00 · 9550c0759d
commit 9550c0759d
parent b71d2d3d7f
1 changed files with 23 additions and 0 deletions
--- a/src/main/java/org/jboss/netty/handler/codec/http/DefaultCookie.java
+++ b/src/main/java/org/jboss/netty/handler/codec/http/DefaultCookie.java
@ -21,6 +21,7 @@
 */
 package org.jboss.netty.handler.codec.http;

+
 /**
 * @author The Netty Project (netty-dev@lists.jboss.org)
 * @author Andy Taylor (andy.taylor@jboss.org)
@ -42,6 +43,28 @@ public class DefaultCookie implements Cookie {
        if (name == null) {
            throw new NullPointerException("name");
        }
+        name = name.trim();
+        if (name.length() == 0) {
+            throw new IllegalArgumentException("empty name");
+        }
+
+        for (int i = 0; i < name.length(); i ++) {
+            char c = name.charAt(i);
+            if (c > 127) {
+                throw new IllegalArgumentException(
+                        "name contains non-ascii character: " + name);
+            }
+
+            // Check prohibited characters.
+            switch (c) {
+            case '=':  case ',':  case ';': case ' ':
+            case '\t': case '\r': case '\n': case '\f':
+            case 0x0b: // Vertical tab
+                throw new IllegalArgumentException(
+                        "name contains one of the following characters: " +
+                        "=,; \\t\\r\\n\\v\\f: " + name);
+            }
+        }
        this.name = name;
        setValue(value);
    }