Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: readCookies unable to parse out cookies that are not well written #39087

Open
shidawuhen opened this issue May 15, 2020 · 6 comments
Open

Comments

@shidawuhen
Copy link

@shidawuhen shidawuhen commented May 15, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.10 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/pangzhiqiang/Library/Caches/go-build"
GOENV="/Users/pangzhiqiang/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY="micode.be.xiaomi.com"
GONOSUMDB="micode.be.xiaomi.com"
GOOS="darwin"
GOPATH="/Users/pangzhiqiang/data/code/golang/myproject"
GOPRIVATE="micode.be.xiaomi.com"
GOROOT="/usr/local/Cellar/go@1.13/1.13.10_1/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go@1.13/1.13.10_1/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/pangzhiqiang/data/code/golang/myproject/asap/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/0h/652yzkf17qd7n446g954_1j40000gn/T/go-build435664031=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

  1. server: create a go server, and create an api, this api is to display the cookies passed by the client
package main

import (
	"net/http"

	_ "asap/docs"

	"github.com/gin-gonic/gin"
)

func setupRouter() *gin.Engine {
	r := gin.Default()

	// Ping test
	r.GET("/ping", ping)

	return r
}

// @Summary 接口探活
// @Produce  json
// @Param lang query string false "en"
// @Success 200 {string} string "ok"
// @Router /ping [get]
func ping(c *gin.Context) {
	cookies := c.Request.Cookies()
	cookieInfo := ""
	for _, cookie := range cookies{
		cookieInfo += cookie.Name + ":" + cookie.Value + "\n"
	}
	c.String(http.StatusOK, cookieInfo )

}

func main() {
	r := setupRouter()
	// Listen and Server in 0.0.0.0:8080
	r.Run(":9090")
}

2.client:

<?php
$url = "http://127.0.0.1:9090/ping";
$cookie = "; xmuuid=XMGUEST-FCF117BF-4D1B-272F-829D-25E19826D4F8;type=protobuf";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
$output = curl_exec($ch);
curl_close($ch);
var_dump($output) ;

What did you expect to see?

string(66) "xmuuid:XMGUEST-FCF117BF-4D1B-272F-829D-25E19826D4F8
type:protobuf
"

What did you see instead?

string(0) ""

Reason

readCookies can't parse this formate

if splitIndex := strings.Index(line, ";"); splitIndex > 0 {
				part, line = line[:splitIndex], line[splitIndex+1:]
			} else {
				part, line = line, ""
			}
@gopherbot
Copy link

@gopherbot gopherbot commented May 15, 2020

Change https://golang.org/cl/233978 mentions this issue: net/http: fix readCookies unable to parse out cookies that are not well written

@odeke-em
Copy link
Member

@odeke-em odeke-em commented May 18, 2020

Thank you for filing this issue @shidawuhen and welcome to the Go project!

So firstly, what's the reason why we should be allowing malformed cookies? Do other servers allow these malformed cookies? What does Node.js do? Python? Java (Netty or Jetty) do?

Kindly pinging some cookie and security experts because this could use their eyes @vdobler @katiehockman @FiloSottile.

@vdobler
Copy link
Contributor

@vdobler vdobler commented May 18, 2020

This is one of several issues reported about our strict handling of cookie-list with empty elements.

The Cookie header set with the PHP client code is malformed according to https://tools.ietf.org/html/rfc6265#section-5.4 .
We try to parse malformed stuff if it is very common in the following sense: It must be working on A) all modern browsers and it must be handled by B) all dominant HTTP libraries in other languages.

@shidawuhen Your Cookie header is handcrafted and thus would not qualify for A and not for B. Can you provide evidence that any browser sends such Cookie headers based on normally set cookies or that any HTTP library produces such Cookie headers?

@shidawuhen
Copy link
Author

@shidawuhen shidawuhen commented May 20, 2020

@odeke-em @vdobler
We have an Android app with a large number of users.

When the APP requests the api of our server, the format of the cookie is "token = abc; xmuuid = def;".

The token is the authentication information of the user login.

When the user is not logged in, the cookie is "; xmuuid = def;"

Of course, this is indeed because Android developer did not write it very well, but the version <= go1.12 is supported, and the problem has recently been discovered by the service upgrade go version to go 1.13. The old version supports but the new version does not support, which does bring about this problem.

And we use the beego framework, it is not easy to handle cookies in the service.

@gopherbot
Copy link

@gopherbot gopherbot commented May 25, 2020

Change https://golang.org/cl/234961 mentions this issue: net/http: fix readCookies unable to parse out cookies that are not well written

@gopherbot
Copy link

@gopherbot gopherbot commented May 26, 2020

Change https://golang.org/cl/235141 mentions this issue: net/http: clarify that AddCookie appends to whatever the Cookie header contains

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.