net/http: allow double-quotes only on cookie values, not cookie

attribute values, a la RFC 6265 section 4.1.1 "Syntax". Fixes #7751. LGTM=dr.volker.dobler R=dr.volker.dobler CC=bradfitz, golang-codereviews https://golang.org/cl/148890043

net/http: allow double-quotes only on cookie values, not cookie
attribute values, a la RFC 6265 section 4.1.1 "Syntax". Fixes #7751. LGTM=dr.volker.dobler R=dr.volker.dobler CC=bradfitz, golang-codereviews https://golang.org/cl/148890043
e59ad69a · Nigel Tao · 44652426 · e59ad69a · e59ad69a
Commit e59ad69a authored Sep 25, 2014 by Nigel Tao
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 5 deletions

cookie.go src/net/http/cookie.go +5 -5

cookie_test.go src/net/http/cookie_test.go +32 -0

No files found.
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -56,7 +56,7 @@ func readSetCookies(h Header) []*Cookie {
 		if !isCookieNameValid(name) {
 			continue
 		}
-		value, success := parseCookieValue(value)
+		value, success := parseCookieValue(value, true)
 		if !success {
 			continue
 		}
@@ -76,7 +76,7 @@ func readSetCookies(h Header) []*Cookie {
 				attr, val = attr[:j], attr[j+1:]
 			}
 			lowerAttr := strings.ToLower(attr)
-			val, success = parseCookieValue(val)
+			val, success = parseCookieValue(val, false)
 			if !success {
 				c.Unparsed = append(c.Unparsed, parts[i])
 				continue
@@ -205,7 +205,7 @@ func readCookies(h Header, filter string) []*Cookie {
 			if filter != "" && filter != name {
 				continue
 			}
-			val, success := parseCookieValue(val)
+			val, success := parseCookieValue(val, true)
 			if !success {
 				continue
 			}
@@ -345,9 +345,9 @@ func sanitizeOrWarn(fieldName string, valid func(byte) bool, v string) string {
 	return string(buf)
 }

-func parseCookieValue(raw string) (string, bool) {
+func parseCookieValue(raw string, allowDoubleQuote bool) (string, bool) {
 	// Strip the quotes, if present.
-	if len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
+	if allowDoubleQuote && len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
 		raw = raw[1 : len(raw)-1]
 	}
 	for i := 0; i < len(raw); i++ {

--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -313,6 +313,14 @@ var readCookiesTests = []struct {
 			{Name: "c2", Value: "v2"},
 		},
 	},
+	{
+		Header{"Cookie": {`Cookie-1="v$1"; c2="v2"`}},
+		"",
+		[]*Cookie{
+			{Name: "Cookie-1", Value: "v$1"},
+			{Name: "c2", Value: "v2"},
+		},
+	},
 }

 func TestReadCookies(t *testing.T) {
@@ -327,6 +335,30 @@ func TestReadCookies(t *testing.T) {
 	}
 }

+func TestSetCookieDoubleQuotes(t *testing.T) {
+	res := &Response{Header: Header{}}
+	res.Header.Add("Set-Cookie", `quoted0=none; max-age=30`)
+	res.Header.Add("Set-Cookie", `quoted1="cookieValue"; max-age=31`)
+	res.Header.Add("Set-Cookie", `quoted2=cookieAV; max-age="32"`)
+	res.Header.Add("Set-Cookie", `quoted3="both"; max-age="33"`)
+	got := res.Cookies()
+	want := []*Cookie{
+		{Name: "quoted0", Value: "none", MaxAge: 30},
+		{Name: "quoted1", Value: "cookieValue", MaxAge: 31},
+		{Name: "quoted2", Value: "cookieAV"},
+		{Name: "quoted3", Value: "both"},
+	}
+	if len(got) != len(want) {
+		t.Fatal("got %d cookies, want %d", len(got), len(want))
+	}
+	for i, w := range want {
+		g := got[i]
+		if g.Name != w.Name || g.Value != w.Value || g.MaxAge != w.MaxAge {
+			t.Errorf("cookie #%d:\ngot  %v\nwant %v", i, g, w)
+		}
+	}
+}
+
 func TestCookieSanitizeValue(t *testing.T) {
 	defer log.SetOutput(os.Stderr)
 	var logbuf bytes.Buffer