t/request.t fails due to change in HTTP::XSCookies? #1435
Comments
Hey, sorry about the breakage. Your diagnosis is spot on. From a technical POV, it seems to me the new behaviour is more comprehensive, since it allows the caller to know whether a value was set or not in a cookie. It also supports no-value fields like HttpOnly and Secure (which I think were just being skipped before, OMG!). OTOH, I am also willing to accept that we should follow the standard, should there be a clear definition for this. What do you think? What would be best?
|
I agree - very clearly HttpOnly and Secure should be supported without values. I do think that this problem is in Dancer2::Core::Request. I don't know:
I think there are people more qualified than I am to weigh in on this issue, though. |
IOW, this shows the upside of the change:

```perl
my $str = 'cookie.a=foo=bar; cookie.b=1234abcd; HttpOnly; no.value.cookie;';
...
$VAR1 = {
    'HttpOnly' => undef,
    'no.value.cookie' => undef,
    'cookie.a' => 'foo=bar',
    'cookie.b' => '1234abcd'
};
```

If those |
RFC6265 provides the grammars for cookies; they are different for @gonzus would having Note that one downside of including |
|
Also, RFC 6265 says:
To me, that says that a cookie name, alone, without an equals sign, is not valid. |
How about we allow passing an optional parameter to crush_cookie that will tell it to put those |
Would this change in
Alternately, what would be the impact of returning a boolean instead of |
I liked the idea of returning an explicit Anyway, I already implemented the optional parameter, with a default according to what Dancer2 needs. Would that suit everyone? |
I uploaded HTTP-XSCookies-0.000017.tar.gz, containing these fixes. |
Dancer2's t/cookie.t fails with HTTP-XSCookies-0.000017:
|
Can you provide the exact call to [ 't140', 'foo', { value => [qw/bar baz/], Secure => 1 }, 'foo=bar%26baz; Secure' ], |
A debugging session revealed the following:
|
@gonzus Can you please also update the Changes file in the future? I see no changes after 0.000005 |
@perlpunk LOL, I had forgotten that file even existed... :-) I will give it a go tomorrow. |
@eserte aha! Maybe Dancer2 could use |
@perlpunk I just pushed the updated |
@gonzus Any chance you could document that flag in the POD for HTTP::XSCookies? D2 optionally uses HTTP::XSCookies as it provides XS speedups for both bake_cookie and crush_cookie. Otherwise Cookie::Baker is the default which only has XS speedups for crush_cookie. |
@veryrusty Good idea, just did that, it will go out on the next release. |
Both Cookie::Baker and Cookie::Baker::XS return a string for the cookie value, for which we then split on `&` for handling multiple values. The alternative XS implementation for cookie crushing, HTTP::XSCookies does the split, returning an arrayref. Update the cookie object construction code to accept a string (which we split), or an arrayref of values (which we leave alone). Allows use of Cookie::Baker(::XS) or HTTP::XSCookies with minimal code to maintain. Closes #1435.
[ BUG FIXES ]
* GH #1304: Fix the order by which config files are loaded, independently of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before requesting the session engine fetch it from its data store. (Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref of values. (Russell @veryrusty Jenkins)
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)

[ ENHANCEMENTS ]
* GH #1432: Support Content-Disposition of inline in send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)
* PR #1354: TemplateToolkit template engine will log (at debug level) if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)

[ DOCUMENTATION ]
* GH #1317: Document serializer configuration (sdeseille)
* PR #1426: Move performance improvement information from Migration guide to Deployment (Pedro Melo)

[ BUG FIXES ]
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1292: Fix multiple attribute definitions within Plugins (Nigel Gregoire)
* GH #1304: Fix the order by which config files are loaded, independently of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before requesting the session engine fetch it from its data store. (Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref of values. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)
* PR #1447: Fix missing build requires (Mohammad S Anwar)

[ ENHANCEMENTS ]
* PR #1354: TemplateToolkit template engine will log (at debug level) if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)
* GH #1432: Support Content-Disposition of inline in send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)

[ DOCUMENTATION ]
* GH #1314: Documentation tweaks (David Precious)
* GH #1317: Document serializer configuration (sdeseille)
* GH #1386: Add Hello World example (Gabor Szabo)
* PR #1408: List project development resources (Steve Dondley)
* PR #1426: Move performance improvement information from Migration guide to Deployment (Pedro Melo)

t/request.t fails with

```
Use of uninitialized value $value in split at /root/.cpanm/work/1520488903.54892/Dancer2-0.205002/lib/Dancer2/Core/Request.pm line 599.
```

t/request.t sets cookies as follows:

```perl
HTTP_COOKIE => 'cookie.a=foo=bar; cookie.b=1234abcd; no.value.cookie;',
```

Where `no.value.cookie` looks to be an intentionally bad value, with a possible expectation that HTTP::XSCookies will discard it (see #1087).

Given the following snippet:
Using HTTP::XSCookies version 0.000014 will return:
And using HTTP::XSCookies version 0.000016 will return:
The change in HTTP::XSCookies is from issue crush_cookie bug? #5
I'm not entirely sure if it is more appropriate to open the request here or against HTTP::XSCookies, but the documentation for the crush_cookies sub says, "Parse a (properly encoded) cookie string into a hashref with the individual values" which would indicate that it shouldn't be used to validate the cookie string.
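
The failure reported here and the fix described in the closing commit message, as an added Perl sketch (not code from Dancer2, Cookie::Baker or HTTP::XSCookies): a stand-in parser that either drops or keeps names with no `=`, and a normaliser that tolerates `undef`, a string, or an arrayref. The names `parse_cookie_header`, `cookie_values` and `$keep_valueless` are hypothetical, and URL-decoding is omitted.

```perl
use strict;
use warnings;

# Hypothetical stand-in for a crush_cookie-style parser; not the
# HTTP::XSCookies or Cookie::Baker implementation. $keep_valueless is an
# assumed option name. URL-decoding is left out to keep the sketch short.
sub parse_cookie_header {
    my ( $header, $keep_valueless ) = @_;
    my %jar;
    for my $pair ( split /;/, $header // '' ) {
        $pair =~ s/^\s+|\s+$//g;
        next unless length $pair;
        # Limit 2: split on the first '=' only, so 'foo=bar' survives as a value.
        my ( $name, $value ) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        next if !defined $value && !$keep_valueless;       # name with no '='
        $jar{$name} = $value unless exists $jar{$name};    # first one wins here
    }
    return \%jar;
}

# Normalise whatever the parser returned into an arrayref of values:
# undef (valueless name), a string (split on '&'), or an arrayref (copied).
sub cookie_values {
    my ($value) = @_;
    return []          unless defined $value;    # avoids split on undef
    return [ @$value ] if ref $value eq 'ARRAY';
    return [ split /&/, $value ];
}

# Cookie string from t/request.t as quoted in the report.
my $header = 'cookie.a=foo=bar; cookie.b=1234abcd; no.value.cookie;';

for my $keep ( 0, 1 ) {
    my $jar = parse_cookie_header( $header, $keep );
    for my $name ( sort keys %$jar ) {
        my $values = cookie_values( $jar->{$name} );
        printf "keep_valueless=%d  %-16s => [%s]\n",
            $keep, $name, join( ', ', @$values );
    }
}

# Constructed inputs: a multi-value string and an already-split arrayref.
print join( '|', @{ cookie_values('bar&baz') } ), "\n";
print join( '|', @{ cookie_values( [qw/bar baz/] ) } ), "\n";
```

Treating a valueless name as an empty value list, rather than passing `undef` to `split`, keeps a malformed or unexpected `Cookie` header from producing warnings or inconsistent cookie objects whichever parser backend is installed.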