net/http: send more cookie values in double quotes

According to RFC 6255 a cookie value may contain neither spaces " "
nor commas ",". But browsers seem to handle these pretty well and such
values are not uncommon in the wild so we do allow spaces and commas
in cookie values too. Up to now we use the double-quoted wire format
only for cookie values with leading and/or trailing spaces and commas.
Values with internal spaces/commas are sent without the optional double
quotes. This seems to be a problem for some agents.

This CL changes the behaviour for cookie values with spaces or commas:
Such values are always sent in double quotes. This should not have
any impact on existing agents and the increases of data transmitted
is negligible.

Fixes #18627

Change-Id: I575a98d589e048aa39d976a3c984550daaca730a
Reviewed-on: https://go-review.googlesource.com/37328
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go
index 5a67476cd4263e335f73546cca2beb8181f0b2d4..cf522488c15d68470ac13f715c42c1e041066e80 100644 (file)
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -328,7 +328,7 @@ func sanitizeCookieValue(v string) string {
        if len(v) == 0 {
                return v
        }
-       if v[0] == ' ' || v[0] == ',' || v[len(v)-1] == ' ' || v[len(v)-1] == ',' {
+       if strings.IndexByte(v, ' ') >= 0 || strings.IndexByte(v, ',') >= 0 {
                return `"` + v + `"`
        }
        return v

diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go
index b3e54f8db3244f989481d2f9f1b20b19e7f0c19f..9d199a3752e0f04ad641b4cc9ea3c6c0d11f0fc8 100644 (file)
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -69,7 +69,7 @@ var writeSetCookiesTests = []struct {
        // are disallowed by RFC 6265 but are common in the wild.
        {
                &Cookie{Name: "special-1", Value: "a z"},
-               `special-1=a z`,
+               `special-1="a z"`,
        },
        {
                &Cookie{Name: "special-2", Value: " z"},
@@ -85,7 +85,7 @@ var writeSetCookiesTests = []struct {
        },
        {
                &Cookie{Name: "special-5", Value: "a,z"},
-               `special-5=a,z`,
+               `special-5="a,z"`,
        },
        {
                &Cookie{Name: "special-6", Value: ",z"},
@@ -398,9 +398,12 @@ func TestCookieSanitizeValue(t *testing.T) {
                {"foo\"bar", "foobar"},
                {"\x00\x7e\x7f\x80", "\x7e"},
                {`"withquotes"`, "withquotes"},
-               {"a z", "a z"},
+               {"a z", `"a z"`},
                {" z", `" z"`},
                {"a ", `"a "`},
+               {"a,z", `"a,z"`},
+               {",z", `",z"`},
+               {"a,", `"a,"`},
        }
        for _, tt := range tests {
                if got := sanitizeCookieValue(tt.in); got != tt.want {