diff options
| author | Volker Dobler <dr.volker.dobler@gmail.com> | 2017-02-22 14:40:17 +0100 |
|---|---|---|
| committer | Brad Fitzpatrick <bradfitz@golang.org> | 2017-05-22 19:13:51 +0000 |
| commit | 8f6d68ebaa660c6db8a87d418e95f8c0d3a221e4 (patch) | |
| tree | f442a14108781b59737cd20f6d0c0a7a9604a11a /src | |
| parent | 1611839b29a5447f3132e93f14c75b1639a34490 (diff) | |
| download | go-8f6d68ebaa660c6db8a87d418e95f8c0d3a221e4.tar.xz | |
net/http: send more cookie values in double quotes
According to RFC 6255 a cookie value may contain neither spaces " "
nor commas ",". But browsers seem to handle these pretty well and such
values are not uncommon in the wild so we do allow spaces and commas
in cookie values too. Up to now we use the double-quoted wire format
only for cookie values with leading and/or trailing spaces and commas.
Values with internal spaces/commas are sent without the optional double
quotes. This seems to be a problem for some agents.
This CL changes the behaviour for cookie values with spaces or commas:
Such values are always sent in double quotes. This should not have
any impact on existing agents and the increases of data transmitted
is negligible.
Fixes #18627
Change-Id: I575a98d589e048aa39d976a3c984550daaca730a
Reviewed-on: https://go-review.googlesource.com/37328
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/net/http/cookie.go | 2 | ||||
| -rw-r--r-- | src/net/http/cookie_test.go | 9 |
2 files changed, 7 insertions, 4 deletions
diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go index 5a67476cd4..cf522488c1 100644 --- a/src/net/http/cookie.go +++ b/src/net/http/cookie.go @@ -328,7 +328,7 @@ func sanitizeCookieValue(v string) string { if len(v) == 0 { return v } - if v[0] == ' ' || v[0] == ',' || v[len(v)-1] == ' ' || v[len(v)-1] == ',' { + if strings.IndexByte(v, ' ') >= 0 || strings.IndexByte(v, ',') >= 0 { return `"` + v + `"` } return v diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go index b3e54f8db3..9d199a3752 100644 --- a/src/net/http/cookie_test.go +++ b/src/net/http/cookie_test.go @@ -69,7 +69,7 @@ var writeSetCookiesTests = []struct { // are disallowed by RFC 6265 but are common in the wild. { &Cookie{Name: "special-1", Value: "a z"}, - `special-1=a z`, + `special-1="a z"`, }, { &Cookie{Name: "special-2", Value: " z"}, @@ -85,7 +85,7 @@ var writeSetCookiesTests = []struct { }, { &Cookie{Name: "special-5", Value: "a,z"}, - `special-5=a,z`, + `special-5="a,z"`, }, { &Cookie{Name: "special-6", Value: ",z"}, @@ -398,9 +398,12 @@ func TestCookieSanitizeValue(t *testing.T) { {"foo\"bar", "foobar"}, {"\x00\x7e\x7f\x80", "\x7e"}, {`"withquotes"`, "withquotes"}, - {"a z", "a z"}, + {"a z", `"a z"`}, {" z", `" z"`}, {"a ", `"a "`}, + {"a,z", `"a,z"`}, + {",z", `",z"`}, + {"a,", `"a,"`}, } for _, tt := range tests { if got := sanitizeCookieValue(tt.in); got != tt.want { |