net/http: allow double-quotes only on cookie values, not cookie

author Nigel Tao <nigeltao@golang.org>

Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)

committer Nigel Tao <nigeltao@golang.org>

Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)
author Nigel Tao <nigeltao@golang.org>
Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)
committer Nigel Tao <nigeltao@golang.org>
Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)
diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go

index dc60ba87f5f9bf8e19c1ccd769fb0540ace0ceb9..a0d0fdbbd074436dc7eb1f328b02836b606b26a1 100644 (file)
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -56,7 +56,7 @@ func readSetCookies(h Header) []*Cookie {
                 if !isCookieNameValid(name) {
                         continue
                 }
-               value, success := parseCookieValue(value)
+               value, success := parseCookieValue(value, true)
                 if !success {
                         continue
                 }
@@ -76,7 +76,7 @@ func readSetCookies(h Header) []*Cookie {
                                 attr, val = attr[:j], attr[j+1:]
                         }
                         lowerAttr := strings.ToLower(attr)
-                       val, success = parseCookieValue(val)
+                       val, success = parseCookieValue(val, false)
                         if !success {
                                 c.Unparsed = append(c.Unparsed, parts[i])
                                 continue
@@ -205,7 +205,7 @@ func readCookies(h Header, filter string) []*Cookie {
                         if filter != "" && filter != name {
                                 continue
                         }
-                       val, success := parseCookieValue(val)
+                       val, success := parseCookieValue(val, true)
                         if !success {
                                 continue
                         }
@@ -345,9 +345,9 @@ func sanitizeOrWarn(fieldName string, valid func(byte) bool, v string) string {
         return string(buf)
  }
  
-func parseCookieValue(raw string) (string, bool) {
+func parseCookieValue(raw string, allowDoubleQuote bool) (string, bool) {
         // Strip the quotes, if present.
-       if len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
+       if allowDoubleQuote && len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
                 raw = raw[1 : len(raw)-1]
         }
         for i := 0; i < len(raw); i++ {
diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go

index f78f37299f4885ed0407a74fa131c32b3cacc646..98dc2fade0d9d438ac681ffb576267574d223b3d 100644 (file)
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -313,6 +313,14 @@ var readCookiesTests = []struct {
                         {Name: "c2", Value: "v2"},
                 },
         },
+       {
+               Header{"Cookie": {`Cookie-1="v$1"; c2="v2"`}},
+               "",
+               []*Cookie{
+                       {Name: "Cookie-1", Value: "v$1"},
+                       {Name: "c2", Value: "v2"},
+               },
+       },
  }
  
  func TestReadCookies(t *testing.T) {
@@ -327,6 +335,30 @@ func TestReadCookies(t *testing.T) {
         }
  }
  
+func TestSetCookieDoubleQuotes(t *testing.T) {
+       res := &Response{Header: Header{}}
+       res.Header.Add("Set-Cookie", `quoted0=none; max-age=30`)
+       res.Header.Add("Set-Cookie", `quoted1="cookieValue"; max-age=31`)
+       res.Header.Add("Set-Cookie", `quoted2=cookieAV; max-age="32"`)
+       res.Header.Add("Set-Cookie", `quoted3="both"; max-age="33"`)
+       got := res.Cookies()
+       want := []*Cookie{
+               {Name: "quoted0", Value: "none", MaxAge: 30},
+               {Name: "quoted1", Value: "cookieValue", MaxAge: 31},
+               {Name: "quoted2", Value: "cookieAV"},
+               {Name: "quoted3", Value: "both"},
+       }
+       if len(got) != len(want) {
+               t.Fatal("got %d cookies, want %d", len(got), len(want))
+       }
+       for i, w := range want {
+               g := got[i]
+               if g.Name != w.Name || g.Value != w.Value || g.MaxAge != w.MaxAge {
+                       t.Errorf("cookie #%d:\ngot  %v\nwant %v", i, g, w)
+               }
+       }
+}
+
  func TestCookieSanitizeValue(t *testing.T) {
         defer log.SetOutput(os.Stderr)
         var logbuf bytes.Buffer
author	Nigel Tao <nigeltao@golang.org>
	Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)
committer	Nigel Tao <nigeltao@golang.org>
	Thu, 25 Sep 2014 00:21:52 +0000 (10:21 +1000)
src/net/http/cookie.go		patch \| blob \| history
src/net/http/cookie_test.go		patch \| blob \| history