diff --git a/bom/pom.xml b/bom/pom.xml
index c66b2fae7b..c135bd59d1 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -5,7 +5,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
async-http-client-bom
diff --git a/client/pom.xml b/client/pom.xml
index 0dcb45c1bd..a1f941250e 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
4.0.0
async-http-client
diff --git a/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java b/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java
index 8cdc29f45e..9e2e6a658d 100644
--- a/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java
+++ b/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java
@@ -154,6 +154,11 @@ private boolean hasCookieExpired(Cookie cookie, long whenCreated) {
return false;
}
+ // rfc6265#section-5.1.3
+ private boolean domainsMatch(String cookieDomain, String requestDomain) {
+ return requestDomain.equals(cookieDomain) || requestDomain.endsWith('.' + cookieDomain);
+ }
+
// rfc6265#section-5.1.4
private boolean pathsMatch(String cookiePath, String requestPath) {
return Objects.equals(cookiePath, requestPath) ||
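Review bot: `domainsMatch` implements only the first two conditions of rfc6265#section-5.1.3; the third, that the request host is a host name and not an IP address, is missing, so a request host such as `10.0.0.1` is accepted as domain-matching a `Domain=0.0.1` attribute via the `endsWith` branch. Since the module already depends on Netty (see `ClientCookieDecoder` in the test), the suffix branch can be guarded with Netty's `NetUtil` helpers: `return requestDomain.equals(cookieDomain) || (requestDomain.endsWith('.' + cookieDomain) && !NetUtil.isValidIpV4Address(requestDomain) && !NetUtil.isValidIpV6Address(requestDomain));`. The comparison is also case-sensitive, which is only correct if both arguments are already canonicalized to lower case; `cookieDomain()` is outside the hunk, so that should be confirmed rather than assumed. A short Javadoc stating that both arguments are expected in canonical (lower-case) form would make the precondition explicit.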
@@ -164,6 +169,14 @@ private void add(String requestDomain, String requestPath, Cookie cookie) {
AbstractMap.SimpleEntry pair = cookieDomain(cookie.domain(), requestDomain);
String keyDomain = pair.getKey();
boolean hostOnly = pair.getValue();
+
+ // rfc6265#section-5.3 step 6: ignore a cookie whose Domain attribute is not
+ // domain-matched by the request host, otherwise a host can plant cookies for
+ // unrelated domains (cookie tossing).
+ if (!hostOnly && !domainsMatch(keyDomain, requestDomain)) {
+ return;
+ }
+
String keyPath = cookiePath(cookie.path(), requestPath);
CookieKey key = new CookieKey(cookie.name().toLowerCase(), keyPath);
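Review bot: The new guard enforces rfc6265#section-5.3 step 6 only; step 5 (reject a Domain attribute that is a public suffix) is not addressed here, so `domainsMatch` would still accept a bare TLD as a cookie domain unless `cookieDomain()`, which is outside the hunk, already rejects it. That is worth either handling or stating in the comment, e.g. `// step 5 (public-suffix rejection) is intentionally not implemented here`. Dropping the cookie silently also makes the behaviour invisible in the field; if the class has a logger, a debug-level line before the `return` naming the rejected domain attribute and request host would help operators diagnose missing cookies. The body of `add` continues past the end of the hunk.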
diff --git a/client/src/test/java/org/asynchttpclient/CookieStoreTest.java b/client/src/test/java/org/asynchttpclient/CookieStoreTest.java
index d97276971c..c5ad915487 100644
--- a/client/src/test/java/org/asynchttpclient/CookieStoreTest.java
+++ b/client/src/test/java/org/asynchttpclient/CookieStoreTest.java
@@ -55,6 +55,7 @@ public void tearDownGlobal() {
public void runAllSequentiallyBecauseNotThreadSafe() throws Exception {
addCookieWithEmptyPath();
dontReturnCookieForAnotherDomain();
+ dontStoreCookieForUnrelatedDomainAttribute();
returnCookieWhenItWasSetOnSamePath();
returnCookieWhenItWasSetOnParentPath();
dontReturnCookieWhenDomainMatchesButPathIsDifferent();
@@ -93,6 +94,14 @@ private void addCookieWithEmptyPath() {
assertTrue(store.get(uri).size() > 0);
}
+ // rfc6265#section-5.3 step 6: a host must not be able to set a cookie for an unrelated domain
+ private void dontStoreCookieForUnrelatedDomainAttribute() {
+ CookieStore store = new ThreadSafeCookieStore();
+ store.add(Uri.create("http://www.evil.com/"), ClientCookieDecoder.LAX.decode("SID=attacker; Domain=victim.com"));
+ assertTrue(store.get(Uri.create("https://victim.com/account")).isEmpty());
+ assertTrue(store.getAll().isEmpty());
+ }
+
private void dontReturnCookieForAnotherDomain() {
CookieStore store = new ThreadSafeCookieStore();
store.add(Uri.create("http://www.foo.com"), ClientCookieDecoder.LAX.decode("ALPHA=VALUE1; path="));
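Review bot: `dontStoreCookieForUnrelatedDomainAttribute` exercises only a fully unrelated domain, which leaves the two edge cases of `domainsMatch` untested: the dot-boundary condition (a `Domain` attribute that is a plain string suffix of the request host but not a label boundary must be rejected) and the positive case that a legitimate parent-domain cookie (a cookie from `http://www.foo.com/` with `Domain=foo.com`) is still stored and returned, so the guard does not over-reject. Adding one `store.add`/`assertTrue` pair for each would pin both directions of the new check; the constructed inputs should use `ClientCookieDecoder.LAX.decode` as the existing test does. The enclosing test class continues outside the hunk.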
diff --git a/example/pom.xml b/example/pom.xml
index cb705ba8e3..d88037ca0f 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
4.0.0
async-http-client-example
diff --git a/extras/guava/pom.xml b/extras/guava/pom.xml
index 98f48cedbb..8e5f62c720 100644
--- a/extras/guava/pom.xml
+++ b/extras/guava/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-extras-parent
- 2.15.0
+ 2.16.0
4.0.0
async-http-client-extras-guava
diff --git a/extras/jdeferred/pom.xml b/extras/jdeferred/pom.xml
index 64d81e047b..80fbd9bd44 100644
--- a/extras/jdeferred/pom.xml
+++ b/extras/jdeferred/pom.xml
@@ -18,7 +18,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-jdeferred
Asynchronous Http Client JDeferred Extras
diff --git a/extras/pom.xml b/extras/pom.xml
index d735025314..006534c4ca 100644
--- a/extras/pom.xml
+++ b/extras/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
4.0.0
async-http-client-extras-parent
diff --git a/extras/registry/pom.xml b/extras/registry/pom.xml
index 70b832a334..79a52a656e 100644
--- a/extras/registry/pom.xml
+++ b/extras/registry/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-extras-parent
- 2.15.0
+ 2.16.0
4.0.0
async-http-client-extras-registry
diff --git a/extras/retrofit2/pom.xml b/extras/retrofit2/pom.xml
index 2cfbb2f077..c91daa9a54 100644
--- a/extras/retrofit2/pom.xml
+++ b/extras/retrofit2/pom.xml
@@ -4,7 +4,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-retrofit2
diff --git a/extras/rxjava/pom.xml b/extras/rxjava/pom.xml
index e8a383ed5f..8fb7cf99a5 100644
--- a/extras/rxjava/pom.xml
+++ b/extras/rxjava/pom.xml
@@ -3,7 +3,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-rxjava
Asynchronous Http Client RxJava Extras
diff --git a/extras/rxjava2/pom.xml b/extras/rxjava2/pom.xml
index a32efb15e6..c1bce44e1c 100644
--- a/extras/rxjava2/pom.xml
+++ b/extras/rxjava2/pom.xml
@@ -3,7 +3,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-rxjava2
Asynchronous Http Client RxJava2 Extras
diff --git a/extras/simple/pom.xml b/extras/simple/pom.xml
index 76f4f98cce..5fd546ef95 100644
--- a/extras/simple/pom.xml
+++ b/extras/simple/pom.xml
@@ -3,7 +3,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-simple
Asynchronous Http Simple Client
diff --git a/extras/typesafeconfig/pom.xml b/extras/typesafeconfig/pom.xml
index 8df1284558..5c5a8fd2fe 100644
--- a/extras/typesafeconfig/pom.xml
+++ b/extras/typesafeconfig/pom.xml
@@ -4,7 +4,7 @@
async-http-client-extras-parent
org.asynchttpclient
- 2.15.0
+ 2.16.0
async-http-client-extras-typesafe-config
diff --git a/netty-utils/pom.xml b/netty-utils/pom.xml
index 1b92154319..41df40b3bb 100644
--- a/netty-utils/pom.xml
+++ b/netty-utils/pom.xml
@@ -2,7 +2,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
4.0.0
async-http-client-netty-utils
diff --git a/pom.xml b/pom.xml
index 6672bf0493..b03b29a5b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
org.asynchttpclient
async-http-client-project
- 2.15.0
+ 2.16.0
pom
Asynchronous Http Client Project
@@ -34,7 +34,7 @@
scm:git:git@github.com:AsyncHttpClient/async-http-client.git
scm:git:git@github.com:AsyncHttpClient/async-http-client.git
https://github.com/AsyncHttpClient/async-http-client/tree/master
- async-http-client-project-2.15.0
+ async-http-client-project-2.16.0