From 1519bc4457af7179557a4f04bb35a4e07bedd118 Mon Sep 17 00:00:00 2001
From: Volker Dobler <dr.volker.dobler@gmail.com>
Date: Tue, 26 May 2020 16:55:28 +0200
Subject: [PATCH] net/http: clarify that AddCookie only sanitizes the Cookie
 being added

AddCookie properly encodes a cookie and appends it to the Cookie header
field but does not modify or sanitize what the Cookie header field
contains already. If a user manualy sets the Cookie header field to
something not conforming to RFC 6265 then a cookie added via AddCookie
might not be retrievable.

Fixes #38437

Change-Id: I232b64ac489b39bb962fe4f7dbdc2ae44fcc0514
Reviewed-on: https://go-review.googlesource.com/c/go/+/235141
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 src/net/http/request.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/net/http/request.go b/src/net/http/request.go
index e386f13a37..e924e2a07f 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -425,6 +425,8 @@ func (r *Request) Cookie(name string) (*Cookie, error) {
 // AddCookie does not attach more than one Cookie header field. That
 // means all cookies, if any, are written into the same line,
 // separated by semicolon.
+// AddCookie only sanitizes c's name and value, and does not sanitize
+// a Cookie header already present in the request.
 func (r *Request) AddCookie(c *Cookie) {
 	s := fmt.Sprintf("%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value))
 	if c := r.Header.Get("Cookie"); c != "" {
-- 
2.50.0