Validate cookie headers

elixir-plug · Apr 17, 2017 · 8857f8a · 8857f8a
1 parent aff88b6
commit 8857f8a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/lib/plug/conn.ex b/lib/plug/conn.ex
@@ -990,6 +990,7 @@ defmodule Plug.Conn do
           "cookie named #{inspect key} exceeds maximum size of 4096 bytes"
   end
   defp verify_cookie!(cookie, _key) do
+    validate_header_value!(cookie)
     cookie
   end
 

diff --git a/test/plug/conn_test.exs b/test/plug/conn_test.exs
@@ -605,6 +605,14 @@ defmodule Plug.ConnTest do
     end
   end
 
+  test "put_resp_cookie/4 raises on new line" do
+    assert_raise Plug.Conn.InvalidHeaderError, fn ->
+      conn(:get, "/")
+      |> put_resp_cookie("foo", "bar\nbaz")
+      |> send_resp(200, "OK")
+    end
+  end
+
   test "put_resp_cookie/4 is secure on https" do
     conn = conn(:get, "https://example.com/")
            |> put_resp_cookie("foo", "baz", path: "/baz")