Bug#329245: Minor RFC 2109 / 2965 violation

Joel Aelwyn fenton at debian.org
Tue Sep 20 18:47:47 UTC 2005


Package: libcommons-httpclient-java
Version: 2.0.2-1
Severity: minor
Tags: upstream

The following bug is present in upstream, 2.0.2 and 3.0RC3, at least as far
as I can tell by testing.

The specification grammar for the Cookie and Cookie2 HTTP headers
(specified by RFC 2109 section 4.3.4, and RFC 2965 section 3.3.4,
respectively) requires that the ordering of pairs is "Version, NAME, path,
domain" (and, in RFC 2965, "port" after "domain"). However, HTTPClient
produces a cookie string with the domain pair appearing before, rather
than after, the path pair. The RFCs specifically *do not* use either the
grammar or the clarifying text ("can occur in any order") that occurs in
the sections that define the Set-Cookie and Set-Cookie2 headers (4.2.2 and
3.2.2, respectively).

Since the sections in question do not, in fact, discuss the issue of pair
ordering in Set-Cookie/Set-Cookie2 at all (other than in using a grammar
that clearly expresses the requirement), and since the complementary
header explicitly permits them to occur in any order, it seems likely
that HTTPClient is not the only client with this issue, and that most
servers will accommodate this situation (in fact, for it to have gone
unnoticed for this long, it seems likely that either I'm badly misreading
the specification, or no major server has a problem coping with this).

However, while I believe that should make this a 'minor' bug, I do
consider it more than 'wishlist' - the early RFCs had strong reasons for
establishing 'be conservative in what you send' as well as 'be liberal in
what you accept', and fixing this seems likely to be fairly straightforward
(though given the state of 3.0RC3, I would expect it may well not
show up until 3.0.1 or 3.1 or 4.0 or... whatever comes next).
-- 
Joel Aelwyn <fenton at debian.org>                                       ,''`.
                                                                     : :' :
                                                                     `. `'
                                                                       `-
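
A checker for the pair ordering the report describes, as an added example that is not part of the original message or of HttpClient's code. The function name and the sample header values are constructed for illustration; the ordering rule is the cookie-value grammar of RFC 2109 section 4.3.4 and RFC 2965 section 3.3.4.

```python
import re

# Rank of each attribute after a NAME=VALUE pair: RFC 2109 4.3.4 allows
# [$Path] then [$Domain]; RFC 2965 3.3.4 adds [$Port] after $Domain.
ATTR_ORDER = {"$path": 0, "$domain": 1, "$port": 2}
# Split on ';' or ',' only when outside a quoted-string ($Port="80,8080").
_SPLIT = re.compile(r'[;,](?=(?:[^"]*"[^"]*")*[^"]*$)')

# Constructed sample values (not captured traffic).
DOMAIN_FIRST = '$Version="1"; session="abc"; $Domain=".example.org"; $Path="/app"'
GRAMMAR_ORDER = '$Version="1"; session="abc"; $Path="/app"; $Domain=".example.org"'


def check_cookie_order(header_value, rfc2965=True):
    """Return a list of ordering violations in a Cookie header value."""
    problems = []
    parts = [p.strip() for p in _SPLIT.split(header_value) if p.strip()]
    names = [p.split("=", 1)[0].strip() for p in parts]
    if not names or names[0].lower() != "$version":
        problems.append("$Version must be the first pair")
    else:
        names = names[1:]
    current, last_rank = None, -1
    for name in names:
        key = name.lower()
        if not key.startswith("$"):
            current, last_rank = name, -1  # a new NAME=VALUE pair begins
            continue
        if key == "$version":
            problems.append("$Version repeated after the first pair")
            continue
        if key not in ATTR_ORDER or (key == "$port" and not rfc2965):
            problems.append(f"unexpected attribute {name}")
            continue
        if current is None:
            problems.append(f"{name} appears before any NAME=VALUE pair")
            continue
        rank = ATTR_ORDER[key]
        if rank <= last_rank:
            problems.append(f"{name} for cookie {current!r} is out of order")
        last_rank = rank
    if current is None:
        problems.append("no NAME=VALUE pair present")
    return problems
```

`check_cookie_order(DOMAIN_FIRST)` flags the `$Path` pair, while `check_cookie_order(GRAMMAR_ORDER)` returns an empty list.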