From 9d0829963ccab19093c37f21cfc35d019addc78a Mon Sep 17 00:00:00 2001
From: "Nicholas S. Husin" <nsh@golang.org>
Date: Wed, 3 Sep 2025 14:25:59 -0400
Subject: [PATCH] net/http: fix cookie value of "" being interpreted as empty
 string.

In issue #46443, we have established that double-quotes in cookie values
should be kept as part of the value, rather than being discarded.
However, we have missed the edge case of "" until now. This CL fixes
said edge case.

Fixes #75244

Change-Id: I627ad2376931514aa5dcc8961ad804e42b7d9434
Reviewed-on: https://go-review.googlesource.com/c/go/+/700755
Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
---
 src/net/http/cookie.go      | 3 ---
 src/net/http/cookie_test.go | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go
index 408fe88452..efe6cc3e77 100644
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -459,9 +459,6 @@ func sanitizeCookieName(n string) string {
 // See https://golang.org/issue/7243 for the discussion.
 func sanitizeCookieValue(v string, quoted bool) string {
 	v = sanitizeOrWarn("Cookie.Value", validCookieValueByte, v)
-	if len(v) == 0 {
-		return v
-	}
 	if strings.ContainsAny(v, " ,") || quoted {
 		return `"` + v + `"`
 	}
diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go
index aac6956362..8db4957b2c 100644
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -530,6 +530,7 @@ func TestCookieSanitizeValue(t *testing.T) {
 		{"a,z", false, `"a,z"`},
 		{",z", false, `",z"`},
 		{"a,", false, `"a,"`},
+		{"", true, `""`},
 	}
 	for _, tt := range tests {
 		if got := sanitizeCookieValue(tt.in, tt.quoted); got != tt.want {
-- 
2.52.0