net/http: fix cookie Expires minimum year to 1601 instead of Epoch year 1970

Following RFC 6265 Section 5.1.1.5, ensure that the minimum year for which an Expires value is valid and can be included in the cookie's string, is 1601 instead of the Epoch year 1970. A detailed specification for parsing the Expiry field is at: https://tools.ietf.org/html/rfc6265#section-5.2.1 I stumbled across this bug due to this StackOverflow answer that recommends setting the Expiry to the Epoch: http://stackoverflow.com/a/5285982 Fixes #17632 Change-Id: I3c1bdf821d369320334a5dc1e4bf22783cbfe9fc Reviewed-on: https://go-review.googlesource.com/32142Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

net/http: fix cookie Expires minimum year to 1601 instead of Epoch year 1970
Following RFC 6265 Section 5.1.1.5, ensure that the minimum year for which an Expires value is valid and can be included in the cookie's string, is 1601 instead of the Epoch year 1970. A detailed specification for parsing the Expiry field is at: https://tools.ietf.org/html/rfc6265#section-5.2.1 I stumbled across this bug due to this StackOverflow answer that recommends setting the Expiry to the Epoch: http://stackoverflow.com/a/5285982 Fixes #17632 Change-Id: I3c1bdf821d369320334a5dc1e4bf22783cbfe9fc Reviewed-on: https://go-review.googlesource.com/32142Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
d86a6ef0 · Josh Chorlton · Brad Fitzpatrick · a8e86d99 · d86a6ef0 · d86a6ef0
Commit d86a6ef0 authored Oct 27, 2016 by Josh Chorlton Committed by Brad Fitzpatrick Oct 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletion

cookie.go src/net/http/cookie.go +7 -1

cookie_test.go src/net/http/cookie_test.go +9 -0

No files found.
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -168,7 +168,7 @@ func (c *Cookie) String() string {
 			log.Printf("net/http: invalid Cookie.Domain %q; dropping domain attribute", c.Domain)
 		}
 	}
-	if c.Expires.Unix() > 0 {
+	if validCookieExpires(c.Expires) {
 		b.WriteString("; Expires=")
 		b2 := b.Bytes()
 		b.Reset()
@@ -246,6 +246,12 @@ func validCookieDomain(v string) bool {
 	return false
 }

+// validCookieExpires returns whether v is a valid cookie expires-value.
+func validCookieExpires(t time.Time) bool {
+	// IETF RFC 6265 Section 5.1.1.5, the year must not be less than 1601
+	return t.Year() >= 1601
+}
+
 // isCookieDomainName returns whether s is a valid domain name or a valid
 // domain name with a leading dot '.'.  It is almost a direct copy of
 // package net's isDomainName.

--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -56,6 +56,15 @@ var writeSetCookiesTests = []struct {
 		&Cookie{Name: "cookie-9", Value: "expiring", Expires: time.Unix(1257894000, 0)},
 		"cookie-9=expiring; Expires=Tue, 10 Nov 2009 23:00:00 GMT",
 	},
+	// According to IETF 6265 Section 5.1.1.5, the year cannot be less than 1601
+	{
+		&Cookie{Name: "cookie-10", Value: "expiring-1601", Expires: time.Date(1601, 1, 1, 1, 1, 1, 1, time.UTC)},
+		"cookie-10=expiring-1601; Expires=Mon, 01 Jan 1601 01:01:01 GMT",
+	},
+	{
+		&Cookie{Name: "cookie-11", Value: "invalid-expiry", Expires: time.Date(1600, 1, 1, 1, 1, 1, 1, time.UTC)},
+		"cookie-11=invalid-expiry",
+	},
 	// The "special" cookies have values containing commas or spaces which
 	// are disallowed by RFC 6265 but are common in the wild.
 	{