HTTPCLIENT-2415: Normalize CookieOrigin path for cookie matching (#803)

arturobernalg · web-flow · commit 9189d11abf60 · 2026-02-11T07:07:09.000+01:00
Strip query / fragment from CookieOrigin path per RFC 6265.
Add regression tests for request-targets containing '?', '#'.
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/protocol/RequestAddCookies.java b/httpclient5/src/main/java/org/apache/hc/client5/http/protocol/RequestAddCookies.java
@@ -76,6 +76,28 @@ public class RequestAddCookies implements HttpRequestInterceptor {
 
     private static final Logger LOG = LoggerFactory.getLogger(RequestAddCookies.class);
 
+    private static String normalizeRequestPath(final String rawPath) {
+        if (TextUtils.isBlank(rawPath)) {
+            return "/";
+        }
+        int end = rawPath.length();
+
+        final int queryIndex = rawPath.indexOf('?');
+        if (queryIndex >= 0) {
+            end = queryIndex;
+        }
+        final int fragmentIndex = rawPath.indexOf('#');
+        if (fragmentIndex >= 0 && fragmentIndex < end) {
+            end = fragmentIndex;
+        }
+        if (end == 0) {
+            return "/";
+        }
+        if (end == rawPath.length()) {
+            return rawPath;
+        }
+        return rawPath.substring(0, end);
+    }
     public RequestAddCookies() {
         super();
     }
@@ -100,7 +122,6 @@ public void process(final HttpRequest request, final EntityDetails entity, final
             return;
         }
 
-
         final HttpClientContext clientContext = HttpClientContext.cast(context);
         final String exchangeId = clientContext.getExchangeId();
 
@@ -141,10 +162,9 @@ public void process(final HttpRequest request, final EntityDetails entity, final
         }
 
         final URIAuthority authority = request.getAuthority();
-        String path = request.getPath();
-        if (TextUtils.isEmpty(path)) {
-            path = "/";
-        }
+
+        final String path = normalizeRequestPath(request.getPath());
+
         String hostName = authority != null ? authority.getHostName() : null;
         if (hostName == null) {
             hostName = route.getTargetHost().getHostName();
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/cookie/TestCookieOrigin.java b/httpclient5/src/test/java/org/apache/hc/client5/http/cookie/TestCookieOrigin.java
@@ -76,6 +76,11 @@ void testEmptyPath() {
         Assertions.assertEquals("/", origin.getPath());
         Assertions.assertFalse(origin.isSecure());
     }
+    @Test
+    void testNormalizePathRejectsNull() {
+        Assertions.assertThrows(NullPointerException.class, () ->
+                new CookieOrigin("somehost", 80, null, false));
+    }
 
 }
 
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java
@@ -399,5 +399,4 @@ void testBasicHttpOnlyParse() throws Exception {
         h.parse(cookie, "anyone");
         Assertions.assertTrue(cookie.isHttpOnly());
     }
-
 }
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/protocol/TestRequestAddCookies.java b/httpclient5/src/test/java/org/apache/hc/client5/http/protocol/TestRequestAddCookies.java
@@ -126,6 +126,62 @@ void testAddCookies() throws Exception {
         Assertions.assertFalse(cookieOrigin.isSecure());
     }
 
+    @Test
+    void testAddCookiesWithQueryParams() throws Exception {
+        final BasicCookieStore store = new BasicCookieStore();
+        final BasicClientCookie cookie = new BasicClientCookie("name", "value");
+        cookie.setDomain("localhost.local");
+        cookie.setPath("/stuff");
+        store.addCookie(cookie);
+
+        final HttpRequest request = new BasicHttpRequest("GET", "/stuff?foo=bar");
+        final HttpRoute route = new HttpRoute(this.target, null, false);
+
+        final HttpClientContext context = HttpClientContext.create();
+        context.setRoute(route);
+        context.setCookieStore(store);
+        context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+        final HttpRequestInterceptor interceptor = RequestAddCookies.INSTANCE;
+        interceptor.process(request, null, context);
+
+        final Header[] headers = request.getHeaders("Cookie");
+        Assertions.assertNotNull(headers);
+        Assertions.assertEquals(1, headers.length);
+        Assertions.assertEquals("name=value", headers[0].getValue());
+
+        final CookieOrigin cookieOrigin = context.getCookieOrigin();
+        Assertions.assertEquals("/stuff", cookieOrigin.getPath());
+    }
+
+    @Test
+    void testAddCookiesWithFragment() throws Exception {
+        final BasicCookieStore store = new BasicCookieStore();
+        final BasicClientCookie cookie = new BasicClientCookie("name", "value");
+        cookie.setDomain("localhost.local");
+        cookie.setPath("/stuff");
+        store.addCookie(cookie);
+
+        final HttpRequest request = new BasicHttpRequest("GET", "/stuff#section");
+        final HttpRoute route = new HttpRoute(this.target, null, false);
+
+        final HttpClientContext context = HttpClientContext.create();
+        context.setRoute(route);
+        context.setCookieStore(store);
+        context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+        final HttpRequestInterceptor interceptor = RequestAddCookies.INSTANCE;
+        interceptor.process(request, null, context);
+
+        final Header[] headers = request.getHeaders("Cookie");
+        Assertions.assertNotNull(headers);
+        Assertions.assertEquals(1, headers.length);
+        Assertions.assertEquals("name=value", headers[0].getValue());
+
+        final CookieOrigin cookieOrigin = context.getCookieOrigin();
+        Assertions.assertEquals("/stuff", cookieOrigin.getPath());
+    }
+
     @Test
     void testCookiesForConnectRequest() throws Exception {
         final HttpRequest request = new BasicHttpRequest("CONNECT", "www.somedomain.com");
@@ -432,5 +488,133 @@ void testSkipAddingCookiesWhenCookieHeaderPresent() throws Exception {
         Assertions.assertEquals(1, headers.length);
         Assertions.assertEquals("existingCookie=existingValue", headers[0].getValue());
     }
+    @Test
+    void testAddCookiesWithRequestPathContainingQuery() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", "/stuff?foo=bar");
+
+        final HttpRoute route = new HttpRoute(this.target, null, false);
+
+        final CookieStore store = new BasicCookieStore();
+        final BasicClientCookie cookie = new BasicClientCookie("name", "value");
+        cookie.setDomain("localhost.local");
+        cookie.setPath("/stuff");
+        store.addCookie(cookie);
+
+        final HttpClientContext context = HttpClientContext.create();
+        context.setRoute(route);
+        context.setCookieStore(store);
+        context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+        final HttpRequestInterceptor interceptor = RequestAddCookies.INSTANCE;
+        interceptor.process(request, null, context);
+
+        final Header[] headers = request.getHeaders("Cookie");
+        Assertions.assertNotNull(headers);
+        Assertions.assertEquals(1, headers.length);
+        Assertions.assertEquals("name=value", headers[0].getValue());
+
+        final CookieOrigin cookieOrigin = context.getCookieOrigin();
+        Assertions.assertNotNull(cookieOrigin);
+        Assertions.assertEquals("/stuff", cookieOrigin.getPath());
+    }
+
+    @Test
+    void testAddCookiesWithRequestPathContainingFragment() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", "/stuff#frag");
+
+        final HttpRoute route = new HttpRoute(this.target, null, false);
+
+        final CookieStore store = new BasicCookieStore();
+        final BasicClientCookie cookie = new BasicClientCookie("name", "value");
+        cookie.setDomain("localhost.local");
+        cookie.setPath("/stuff");
+        store.addCookie(cookie);
+
+        final HttpClientContext context = HttpClientContext.create();
+        context.setRoute(route);
+        context.setCookieStore(store);
+        context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+        final HttpRequestInterceptor interceptor = RequestAddCookies.INSTANCE;
+        interceptor.process(request, null, context);
+
+        final Header[] headers = request.getHeaders("Cookie");
+        Assertions.assertNotNull(headers);
+        Assertions.assertEquals(1, headers.length);
+        Assertions.assertEquals("name=value", headers[0].getValue());
+
+        final CookieOrigin cookieOrigin = context.getCookieOrigin();
+        Assertions.assertNotNull(cookieOrigin);
+        Assertions.assertEquals("/stuff", cookieOrigin.getPath());
+    }
+
+    @Test
+    void testAddCookiesWithRootPathQuery() throws Exception {
+        // Should behave as path "/" (query ignored)
+        final HttpRequest request = new BasicHttpRequest("GET", "/?foo=bar");
+
+        final HttpRoute route = new HttpRoute(this.target, null, false);
+
+        final HttpClientContext context = HttpClientContext.create();
+        context.setRoute(route);
+        context.setCookieStore(this.cookieStore); // setup cookies are path "/"
+        context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+        final HttpRequestInterceptor interceptor = RequestAddCookies.INSTANCE;
+        interceptor.process(request, null, context);
+
+        final Header[] headers = request.getHeaders("Cookie");
+        Assertions.assertNotNull(headers);
+        Assertions.assertEquals(1, headers.length);
+        Assertions.assertEquals("name1=value1; name2=value2", headers[0].getValue());
+
+        final CookieOrigin cookieOrigin = context.getCookieOrigin();
+        Assertions.assertNotNull(cookieOrigin);
+        Assertions.assertEquals("/", cookieOrigin.getPath());
+    }
+
+
+    @Test
+    void testCookieOriginPathNormalization() throws Exception {
+        final String[][] cases = new String[][]{
+                {"", "/"},
+                {" ", "/"},
+                {"\t", "/"},
+                {"?", "/"},
+                {"#","/"},
+                {"?foo", "/"},
+                {"#frag", "/"},
+                {"/", "/"},
+                {"/?foo", "/"},
+                {"/#frag", "/"},
+                {"/stuff", "/stuff"},
+                {"/stuff?foo", "/stuff"},
+                {"/stuff#frag", "/stuff"},
+                {"/stuff?foo#bar", "/stuff"},
+                {"/stuff#bar?foo", "/stuff"},
+                {"/stuff/", "/stuff/"},
+                {"/stuff/?foo", "/stuff/"},
+        };
+
+        for (final String[] c : cases) {
+            final String input = c[0];
+            final String expected = c[1];
+
+            final HttpRequest request = new BasicHttpRequest("GET", input);
+            final HttpRoute route = new HttpRoute(this.target, null, false);
+
+            final HttpClientContext context = HttpClientContext.create();
+            context.setRoute(route);
+            context.setCookieStore(new BasicCookieStore());
+            context.setCookieSpecRegistry(this.cookieSpecRegistry);
+
+            RequestAddCookies.INSTANCE.process(request, null, context);
+
+            final CookieOrigin origin = context.getCookieOrigin();
+            Assertions.assertNotNull(origin, "input=" + input);
+            Assertions.assertEquals(expected, origin.getPath(), "input=" + input);
+        }
+    }
+
 
 }

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,11 @@ void testEmptyPath() {`
`76`	`76`	`Assertions.assertEquals("/", origin.getPath());`
`77`	`77`	`Assertions.assertFalse(origin.isSecure());`
`78`	`78`	`}`
	`79`	`+ @Test`
	`80`	`+ void testNormalizePathRejectsNull() {`
	`81`	`+ Assertions.assertThrows(NullPointerException.class, () ->`
	`82`	`+ new CookieOrigin("somehost", 80, null, false));`
	`83`	`+ }`
`79`	`84`
`80`	`85`	`}`
`81`	`86`
Original file line number	Diff line number	Diff line change
`@@ -399,5 +399,4 @@ void testBasicHttpOnlyParse() throws Exception {`
`399`	`399`	`h.parse(cookie, "anyone");`
`400`	`400`	`Assertions.assertTrue(cookie.isHttpOnly());`
`401`	`401`	`}`
`402`		`-`
`403`	`402`	`}`