Skip to content
Permalink
Browse files

net/http: send more cookie values in double quotes

According to RFC 6255 a cookie value may contain neither spaces " "
nor commas ",". But browsers seem to handle these pretty well and such
values are not uncommon in the wild so we do allow spaces and commas
in cookie values too. Up to now we use the double-quoted wire format
only for cookie values with leading and/or trailing spaces and commas.
Values with internal spaces/commas are sent without the optional double
quotes. This seems to be a problem for some agents.

This CL changes the behaviour for cookie values with spaces or commas:
Such values are always sent in double quotes. This should not have
any impact on existing agents and the increases of data transmitted
is negligible.

Fixes #18627

Change-Id: I575a98d589e048aa39d976a3c984550daaca730a
Reviewed-on: https://go-review.googlesource.com/37328
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
  • Loading branch information...
vdobler authored and bradfitz committed Feb 22, 2017
1 parent 1611839 commit 8f6d68ebaa660c6db8a87d418e95f8c0d3a221e4
Showing with 7 additions and 4 deletions.
  1. +1 −1 src/net/http/cookie.go
  2. +6 −3 src/net/http/cookie_test.go
@@ -328,7 +328,7 @@ func sanitizeCookieValue(v string) string {
if len(v) == 0 {
return v
}
if v[0] == ' ' || v[0] == ',' || v[len(v)-1] == ' ' || v[len(v)-1] == ',' {
if strings.IndexByte(v, ' ') >= 0 || strings.IndexByte(v, ',') >= 0 {
return `"` + v + `"`
}
return v
@@ -69,7 +69,7 @@ var writeSetCookiesTests = []struct {
// are disallowed by RFC 6265 but are common in the wild.
{
&Cookie{Name: "special-1", Value: "a z"},
`special-1=a z`,
`special-1="a z"`,
},
{
&Cookie{Name: "special-2", Value: " z"},
@@ -85,7 +85,7 @@ var writeSetCookiesTests = []struct {
},
{
&Cookie{Name: "special-5", Value: "a,z"},
`special-5=a,z`,
`special-5="a,z"`,
},
{
&Cookie{Name: "special-6", Value: ",z"},
@@ -398,9 +398,12 @@ func TestCookieSanitizeValue(t *testing.T) {
{"foo\"bar", "foobar"},
{"\x00\x7e\x7f\x80", "\x7e"},
{`"withquotes"`, "withquotes"},
{"a z", "a z"},
{"a z", `"a z"`},
{" z", `" z"`},
{"a ", `"a "`},
{"a,z", `"a,z"`},
{",z", `",z"`},
{"a,", `"a,"`},
}
for _, tt := range tests {
if got := sanitizeCookieValue(tt.in); got != tt.want {

0 comments on commit 8f6d68e

Please sign in to comment.
You can’t perform that action at this time.