net/http: trim cookie names

The current implementation ignores cookies whose name starts or ends with a space;
for example, `name =value` is ignored.
darmiel 2022-04-03 02:30:47 +02:00
parent 01c83be793
commit 0ada047371
No known key found for this signature in database
GPG Key ID: A9896FFF5A793A20
2 changed files with 6 additions and 0 deletions


@ -70,6 +70,7 @@ func readSetCookies(h Header) []*Cookie {
}
parts[0] = textproto.TrimString(parts[0])
name, value, ok := strings.Cut(parts[0], "=")
name = textproto.TrimString(name)
if !ok {
continue
}
@ -291,6 +292,7 @@ func readCookies(h Header, filter string) []*Cookie {
continue
}
name, val, _ := strings.Cut(part, "=")
name = textproto.TrimString(name)
if !isCookieNameValid(name) {
continue
}
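Review bot: The trim added in readCookies (second hunk) makes `name =value` and `name=value` in a request's Cookie header resolve to the same Cookie.Name, but the only test hunk visible on this page adds a case to readSetCookiesTests, so the request-side change appears to be untested. A pair that was previously dropped is now returned under the normalized name, so a header carrying both spellings yields two cookies with one name, and any proxy or filter in front of the server that treats the two spellings as distinct names may disagree with this parser about which value applies. A readCookies test case pinning the result for that input, plus a comment above the new line such as `// Whitespace around the name is trimmed, so "name =v" and "name=v" yield the same Name.`, would make the choice explicit. In the first hunk the trim runs before the `!ok` check; placing `name = textproto.TrimString(name)` after `if !ok { continue }` skips the work for parts that are discarded anyway. Both functions begin and end outside the hunks shown.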


@ -352,6 +352,10 @@ var readSetCookiesTests = []struct {
Header{"Set-Cookie": {`special-8=","`}},
[]*Cookie{{Name: "special-8", Value: ",", Raw: `special-8=","`}},
},
{
Header{"Set-Cookie": {`special-9 =","`}},
[]*Cookie{{Name: "special-9", Value: ",", Raw: `special-9 =","`}},
},
// TODO(bradfitz): users have reported seeing this in the
// wild, but do browsers handle it? RFC 6265 just says "don't