Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: Allow double-quoted cookie values #10195

Closed
bgmerrell opened this issue Mar 19, 2015 · 5 comments

Comments

Projects
None yet
3 participants
@bgmerrell
Copy link
Contributor

commented Mar 19, 2015

RFC 6265[1] allows cookie values to be double-quoted[2]. However, the current sanitization code strips the double quotes out of a double-quoted value (i.e., a value beginning with a double quote and ending with a double quote). Ironically, the sanitization code double quotes a value if it begins or ends with a space or comma. The RFC grammar specification allowing the surrounding double quotes is also included in the comments of the sanitizeCookieValue() function.

The inability to double-quote a cookie value is preventing me from duplicating the behavior of a legacy Java system I am replacing.

There was some tangentially related conversation for #7243, but that conversation did not address this issue specifically.

[1] http://tools.ietf.org/html/rfc6265
[2] cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

@bgmerrell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 19, 2015

@bgmerrell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 19, 2015

And here's some code demonstrating the issue: https://play.golang.org/p/O4tC8fI8PY

@bradfitz

This comment has been minimized.

Copy link
Member

commented Mar 23, 2015

I think you read the RFC wrong.

A cookie value may NOT contain a double quote. It even says so:

 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

A double quote is only encode the value of a cookie when necessary. (like it starting with a space)

The inability to double-quote a cookie value is preventing me from duplicating the behavior of a
legacy Java system I am replacing.

Please describe the problem more. A client application shouldn't depend on a cookie being written as foo=bar vs foo="bar". If it does, I think it's broken. You can read/write HTTP headers directly if you need to interoperate with a non-spec-compliant peer.

@bradfitz bradfitz closed this Mar 23, 2015

@bgmerrell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 23, 2015

Thanks for the feedback Brad. I am OK with this being closed and I can set the HTTP headers directly like you said.

Just for my own understanding, though, if you don't mind:

A cookie value may NOT contain a double quote. It even says so:

cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash

But you're referencing the cookie-octet here. There is also a cookie-value specification; this is what I was assuming should be allowed int he Value field for a cookie:

cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

Am I misreading the RFC? Misunderstanding what Go's Cookie.Value field represents?

@bradfitz

This comment has been minimized.

Copy link
Member

commented Mar 23, 2015

Go's Cookie.Value is the unencoded value.

The quoting in the RFC is for encoding it.

This snippet should make it clear: http://play.golang.org/p/8vA9El_3iU

Note that foo=bar and foo="bar" both yield a Cookie.Value of bar. The quotes are just there to encode and protect the real value. The final two examples make that more clear: notice the final value includes a trailing space in the Cookie.Value, but the third one doesn't.

@golang golang locked and limited conversation to collaborators Jun 25, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.