diff options
| author | Volker Dobler <dr.volker.dobler@gmail.com> | 2020-05-26 16:55:28 +0200 |
|---|---|---|
| committer | Emmanuel Odeke <emm.odeke@gmail.com> | 2020-05-29 09:21:54 +0000 |
| commit | 1519bc4457af7179557a4f04bb35a4e07bedd118 (patch) | |
| tree | e8d9aa3d63547ec795fcdf725ee7b3afce3df81e /src/net/http | |
| parent | 8f4151ea67e1d498e0880f28d3fd803dc2c5448f (diff) | |
| download | go-1519bc4457af7179557a4f04bb35a4e07bedd118.tar.xz | |
net/http: clarify that AddCookie only sanitizes the Cookie being added
AddCookie properly encodes a cookie and appends it to the Cookie header
field but does not modify or sanitize what the Cookie header field
contains already. If a user manualy sets the Cookie header field to
something not conforming to RFC 6265 then a cookie added via AddCookie
might not be retrievable.
Fixes #38437
Change-Id: I232b64ac489b39bb962fe4f7dbdc2ae44fcc0514
Reviewed-on: https://go-review.googlesource.com/c/go/+/235141
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Diffstat (limited to 'src/net/http')
| -rw-r--r-- | src/net/http/request.go | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go index e386f13a37..e924e2a07f 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -425,6 +425,8 @@ func (r *Request) Cookie(name string) (*Cookie, error) { // AddCookie does not attach more than one Cookie header field. That // means all cookies, if any, are written into the same line, // separated by semicolon. +// AddCookie only sanitizes c's name and value, and does not sanitize +// a Cookie header already present in the request. func (r *Request) AddCookie(c *Cookie) { s := fmt.Sprintf("%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value)) if c := r.Header.Get("Cookie"); c != "" { |