I want to create a cookie whose value contains many ";" characters, which are usually used to separate multiple cookies in Java; that's why my code isn't doing its job.
Can someone help me create this "special" cookie and make my code work?
Thanks.
You can use URL encoding to escape any special characters (+, %, =, ;).
The URL encoded value of ; is %3B.
For a better reference, check out the Java JSON API.
Semicolon is not allowed in cookies. Your best shot is to use some other separator. Read the linked answer to figure out what character can be used.
I have a properties file, and I need to use the / forward slash in some of my keys.
e.g.
app.module/hdr.key1=value 1
app.module/hdr.key2=value 2
I just have no choice but need to do it that way. Please advise is this achievable and how to do this?
Thanks.
The use of forward slashes will not cause a problem. To understand why, I suggest you read a critique of the syntax used in Java properties that I wrote. In essence, what you need to know is the following:
Leaving aside edge cases (comment lines, blank lines and escape sequences), the syntax of a name=value pair permits almost any character (including forward-slashes) in the name.
The = can actually be any of the following: (1) = (optionally preceded and/or followed by whitespace); (2) : (optionally preceded and/or followed by whitespace); or (3) just whitespace. So, yes, name=value is equivalent to name:value and also to name value.
All escape sequences begin with the backslash character. For details of the escape sequences, I suggest you do a Google search for java.util.Properties to find online documentation for that class, and look at the long description of the load(InputStream) method.
I need a simple way to implement the contains function using matches. I believe this is my starting point:
xxx.matches("'.*yyy.*'");
But I need to make it a universal method and pre-process whatever I search for to be accepted by matches! This must be done using only the escape '\' character!
Imagine a string SEARCH_FOR that can contain some special characters that must be "regex escaped"...
String SEARCH_FOR="*.\\";
xxx.matches("'.*" + SEARCH_FOR + ".*'");
Are there any catches? Special situations? Any other "special chars" that should be taken into account?
Are you looking for Pattern.quote(String) ?
This escapes special characters for you.
EDIT:
After reading the comments, I really hope you try Pattern.quote(yourString.toLowerCase()) as it sounds like you've been using Pattern.quote(yourString).toLowerCase(). If DataNucleus is applying the regex then there should be no problems with using the \Q and \E escape sequence.
Since you have really asked for it, ".\\".replaceAll("(\\.|\\$|\\+|\\*|\\\\)", "\\\\$1") outputs \.\\
This will escape .'s, $'s, +'s, *'s and \'s. Note that the security of this is now all upon you. If you don't escape something you needed to, or you escape it incorrectly, you will either allow people to use regex inside the search term when you weren't expecting them to, or it won't return the results that you were expecting.
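The difference between the two approaches in this answer, as an added example that is not part of the original posts: it compares Pattern.quote with the five-character escaper against String.contains as the reference. The class name, helper names and sample strings are constructed for illustration.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class ContainsViaMatches {
    // The hand-rolled escaper from the answer: covers only . $ + * and \
    static String partialEscape(String term) {
        return term.replaceAll("(\\.|\\$|\\+|\\*|\\\\)", "\\\\$1");
    }

    // Pattern.quote wraps the term in \Q...\E and copes with a literal \E inside it.
    static boolean containsQuoted(String haystack, String term) {
        return haystack.matches("(?s).*" + Pattern.quote(term) + ".*");
    }

    // Same search with the partial escaper; reports a pattern error instead of throwing.
    static String containsPartial(String haystack, String term) {
        try {
            return String.valueOf(haystack.matches("(?s).*" + partialEscape(term) + ".*"));
        } catch (PatternSyntaxException e) {
            return "PatternSyntaxException";
        }
    }

    public static void main(String[] args) {
        String haystack = "price: 10 (approx)";                    // constructed sample data
        String[] terms = { "10 (", "x|price", "[0-9]", "\\E.*" };   // constructed search terms
        for (String t : terms) {
            // "literal" is the ground truth; "quoted" should always agree with it.
            System.out.printf("%-8s literal=%-5b quoted=%-5b partial=%s%n",
                    t, haystack.contains(t), containsQuoted(haystack, t),
                    containsPartial(haystack, t));
        }
    }
}
```

Any row where the partial column differs from the literal column is a search term that the five-character escaper let through as regex syntax.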
So, in a nutshell I'm trying to create a regex that I can use in a java program that is about to submit a JSON object to my php server.
myString.replaceAll(myRegexString,"");
My question is that I am absolutely no good with regex and to add onto that I need to escape the characters properly as it's stored in a string, and then also escape the characters properly inside the regex. Good lordy.
What I came up with was this:
String myRegexString = "[\"',{}[]:;]";
The first backslash was to escape outer quotes to get a " in there. And then it struck me that {} and [] are also regex commands. Would I escape those as well? Like:
String myRegexString = "[\"',\{\}\[\]:;]";
Thanks in advance. In case it wasn't clear from the examples above, the only characters I really care about at this moment in time are:
" { } [ ] , and also ; : ' for general sqlinj protection.
UPDATE:
This is the final regex:
[\\Q\"',{}[\]:;\\E] for anyone else curious. Thanks Amit!
Why don't you use an actual JSON encoding API/framework? What you're doing is not sanitizing. What you're doing is corrupting the data. If my name is O'Reilly, I want it to be spelled O'Reilly, not OReilly. If I send a message containing [ or {, I want these to be in the messages. Use a framework or API that escapes those characters when needed rather than removing them blindly.
Googling for JSON Java will lead you to many APIs and frameworks.
Try something like
String myRegexString = "[\\Q\"',{}[]:;\\E]";
Now the characters between \Q and \E are treated as normal characters.
I know there are other questions but they seem to have answers which are assumptions rather than being definitive.
My limited understanding is that cookie values are:
semi-colons are already used to separate cookies attributes within a single cookie.
equals signs are used to separate cookie names and values
colons are used to separate multiple cookies within a header.
Are there any other "special" characters ?
Some other Q/As suggest that one base64 encodes the value, but this of course may include equals signs, which of course are not valid.
I have also seen some suggestions that values may be quoted; this however leads to other questions.
Do the special characters need to be quoted?
Do quoted values support the usual backslash escaping mechanisms?
RFC
I read a few RFCs, including some of the many cookie RFCs, but I am still unsure as there is cross reference to another RFC etc. with no definitive simple explanation or sample that "answers" my query.
Hopefully no one will say read the RFC because the question becomes which RFC...?
I think I have also read that different browsers have slightly different rules, so hopefully please note this in your answers if this matters.
The latest RFC is 6265, and it states that previous Cookie RFCs are obsoleted.
Here's what the syntax rules in the RFC say:
cookie-pair  = cookie-name "=" cookie-value
cookie-name  = token
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                 ; US-ASCII characters excluding CTLs,
                 ; whitespace DQUOTE, comma, semicolon,
                 ; and backslash
Thus:
The special characters are white-space characters, double quote, comma, semicolon and backslash. Equals is not a special character.
The special characters cannot be used at all, with the exception that double quotes may surround the value.
Special characters cannot be quoted.
Backslash does not act as an escape.
It follows that base-64 encoding can be used, because equals is not special.
Finally, from what I can tell, the RFC 6265 cookie values are defined so that they will work with any browser that implements any of the Cookie RFCs. However, if you tried to use cookie values that don't conform to RFC 6265 (but arguably do conform to earlier RFCs), you may find that cookie behavior varies with different browsers.
In short, conform to the letter of RFC 6265 and you should be fine.
If you need to pass cookie values that include any of the forbidden characters, your application needs to do its own encoding and decoding of the values; e.g. using base64.
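The cookie-octet rule quoted above, turned into a check and paired with a base64 round trip, as an added Java example that is not part of the original answer. The class name, method names and sample values are constructed; the URL-safe alphabet without padding is a choice made here, since the grammar also permits "=" and "+" (though not as the only option, because standard base64's "/" is equally allowed).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieValueCodec {
    // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E   (RFC 6265)
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    // cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    static boolean isValidCookieValue(String v) {
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);   // quotes may only surround the value
        }
        for (int i = 0; i < v.length(); i++) {
            if (!isCookieOctet(v.charAt(i))) return false;
        }
        return true;
    }

    // Application-level encoding: any string becomes [A-Za-z0-9_-] only.
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                     .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // The cookie comes from the client, so validate before decoding.
    static String decode(String cookieValue) {
        if (!isValidCookieValue(cookieValue)) {
            throw new IllegalArgumentException("not an RFC 6265 cookie-value");
        }
        // Base64 decoding itself throws IllegalArgumentException on bad input.
        return new String(Base64.getUrlDecoder().decode(cookieValue), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String raw = "a=1;b=2;c=\"x, y\"";                    // constructed sample value
        String enc = encode(raw);
        System.out.println("raw valid:     " + isValidCookieValue(raw));
        System.out.println("encoded:       " + enc + " valid: " + isValidCookieValue(enc));
        System.out.println("round trip ok: " + decode(enc).equals(raw));
        System.out.println("'abc==' valid: " + isValidCookieValue("abc=="));
        System.out.println("'a\\b' valid:   " + isValidCookieValue("a\\b"));
    }
}
```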
There was the mention of base64, so here is a cooked cookie solution using that in cookies. The functions are about a modified version of base64, they only use [0-9a-zA-Z_-]
You can use it for both the name and value part of cookies, is binary safe, as they say.
The gzdeflate/gzinflate takes back 30% or so space created by base64, could not resist using it. Note that php gzdeflate/gzinflate is only available in most hosting companies, not all.
//write
setcookie(
    'mycookie',
    code_base64_FROM_bytes_cookiesafe(gzdeflate($mystring)),
    time() + 365 * 24 * 3600
);

//read
$mystring = gzinflate(code_bytes_FROM_base64_cookiesafe($_COOKIE['mycookie']));

function code_base64_FROM_bytes_cookiesafe($bytes)
{
    //safe for name and value part [0-9a-zA-Z_-]
    return strtr(base64_encode($bytes), array(
        '/'  => '_',
        '+'  => '-',
        '='  => '',
        ' '  => '',
        "\n" => '',
        "\r" => '',
    ));
}

function code_bytes_FROM_base64_cookiesafe($enc)
{
    //add back = (str_pad takes the target length, not the number of pad characters)
    $enc = str_pad($enc, strlen($enc) + (4 - strlen($enc) % 4) % 4, '=', STR_PAD_RIGHT);
    $enc = chunk_split($enc); //inserts \r\n every 76 chars
    return base64_decode(strtr($enc, array(
        '_' => '/',
        '-' => '+',
    )));
}
Is there any real way to represent a URL (which more than likely will also have a query string) as a filename in Java without obscuring the original URL completely?
My first approach was to simply escape invalid characters with arbitrary replacements (for example, replacing "/" with "_", etc).
The problem, as in the example of replacing with underscores, is that a URL such as "app/my_app" would become "app_my_app", thus obscuring the original URL completely.
I have also attempted to encode all the special characters, however again, seeing crazy %3e %20 etc is really not clear.
Thank you for any suggestions.
Well, you should know what you want here, exactly. Keep in mind that the restrictions on file names vary between systems. On a Unix system you probably only need to escape the virgule somehow, whereas on Windows you need to take care of the colon and the question mark as well.
I guess the safest thing would be to encode anything that could potentially clash (everything non-alphanumeric would be a good candidate, although you might adapt this to the platform) with percent-encoding. It's still somewhat readable and you're guaranteed to get the original URL back.
Why? URL-encoding is already defined in an RFC: there's not much point in reinventing it. Basically you must have an escape character such as %, otherwise you can't tell whether a character represents itself or an escape. E.g. in your example app_my_app could represent app/my/app. You therefore also need a double-escape convention so you can represent the escape character itself. It is not simple.
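The reversible scheme both answers describe, as an added Java example that is not part of the original posts: every byte that is not an ASCII letter or digit is percent-encoded, including "%" itself, so "app/my_app" and "app_my_app" stay distinct and the result is always a single path component. The class name, method names and sample URLs are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class UrlFileName {
    static boolean isAlnum(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // Keep ASCII letters and digits; write every other UTF-8 byte, '%' included, as %XX.
    static String toFileName(String url) {
        StringBuilder sb = new StringBuilder();
        for (byte b : url.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (isAlnum(c)) sb.append((char) c);
            else sb.append(String.format("%%%02X", c));
        }
        return sb.toString();
    }

    // Inverse of toFileName; rejects malformed escapes and unexpected characters.
    static String fromFileName(String name) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < name.length(); i++) {
            char ch = name.charAt(i);
            if (isAlnum(ch)) { out.write(ch); continue; }
            if (ch != '%' || i + 2 >= name.length()) {
                throw new IllegalArgumentException("bad character at index " + i);
            }
            int hi = Character.digit(name.charAt(i + 1), 16);
            int lo = Character.digit(name.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape at index " + i);
            out.write((hi << 4) | lo);
            i += 2;   // skip the two hex digits just consumed
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample URLs: the two that collided under '_' replacement,
        // plus one containing the escape character and dot segments.
        String[] urls = { "http://example.com/app/my_app?q=a b",
                          "http://example.com/app_my_app", "100%/../x" };
        for (String u : urls) {
            String f = toFileName(u);
            System.out.println(f + " -> round trip ok: " + fromFileName(f).equals(u));
        }
    }
}
```

Each encoded byte takes three characters, so long URLs can exceed the name-length limit of the target file system (around 255 bytes on most); check the length before creating the file.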