Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: parsing cookie enclosed with double quote fails #33147

Closed
pubblic opened this issue Jul 17, 2019 · 2 comments
Closed

net/http: parsing cookie enclosed with double quote fails #33147

pubblic opened this issue Jul 17, 2019 · 2 comments

Comments

@pubblic
Copy link

@pubblic pubblic commented Jul 17, 2019

Please answer these questions before submitting your issue. Thanks!

What did you do?

https://play.golang.org/p/wHVuJ-QVq8L

What did you expect to see?

Ok: test1
Ok: test2

What did you see instead?

FAIL: test1: expect "abcd" but got abcd
2009/11/10 23:00:00 net/http: invalid byte '"' in Cookie.Value; dropping invalid bytes
FAIL: Cookie.String: expect token="abc" but got token=abc

System details

go version go1.12.7 windows/amd64
GOARCH="amd64"
GOBIN=""
GOCACHE="C:\Users\Home\lib\go\cache"
GOEXE=".exe"
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="windows"
GOOS="windows"
GOPATH="C:\Users\Home\lib\go"
GOPROXY=""
GORACE=""
GOROOT="C:\Go"
GOTMPDIR=""
GOTOOLDIR="C:\Go\pkg\tool\windows_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="C:\Users\Home\lib\src\go-naver-map-search\go.mod"
GOROOT/bin/go version: go version go1.12.7 windows/amd64
GOROOT/bin/go tool compile -V: compile version go1.12.7
gdb --version: GNU gdb (GDB) 8.2.1

Cookie is defined as below

https://tools.ietf.org/html/rfc6265#section-4.1.1
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

The cookie-value rule has two alternatives: *cookie-octetc and DQUOTE *cookie-octetc DQUOTE. Cookie parser does not handle the DQUOTE alternative.

@pubblic pubblic changed the title net/http: parsing cookie enclosed with double fails net/http: parsing cookie enclosed with double quote fails Jul 17, 2019
@ALTree

This comment has been minimized.

Copy link
Member

@ALTree ALTree commented Jul 17, 2019

I suspect you're interpreting the RFC wrong. See Brad's answer on this dup of this issue: #10195 (comment)

@pubblic

This comment has been minimized.

Copy link
Author

@pubblic pubblic commented Jul 17, 2019

The quoting in the RFC is for encoding it.

Note that foo=bar and foo="bar" both yield a Cookie.Value of bar. The quotes are just there to encode and protect the real value.

Thank you for the precious comment. I completely agree. foo=bar and foo="bar" should have no difference. Design should not depend on the trivial enclosing double quote.

Unfortunately some system does not.

@pubblic pubblic closed this Jul 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.