net/http: parsing of cookie attribute values is too lax

[vdobler]

Currently the parsing of the values for the cookie attributes
Domain, Path, Secure, Max-Age, Expires and HttpOnly is too lax:
1. Quoted values are unquoted (which is okay for the cookie-value
itself, but not for the attribute values according to RFC 6265)
2. All values are parsed with basically the full set of allowed
characters.

Point 2 might be overkill, but there is no need to unquote
as browsers do not handle quoted attribute values.

As the infrastructure for restricted set of characters is
already in place with func parseCookieValueUsing(...) it
might be worth to allow only '0' to '9' while parsing Max-Age
and fail early (now malformed values fail in strconv.Atoi)

[ianlancetaylor]

Comment 1:

Labels changed: added repo-main, release-go1.4.

[rsc]

Comment 2:

Nigel, worth doing anything for 1.4?

[nigeltao]

Comment 3:

It's been a while since I remember the details of HTTP cookies... can you give examples
of "Cookie: etc" lines that we're not parsing correctly?
Also, this isn't a regression, and if we're not doing it correctly, we've always not
done it correctly, right?

Status changed to WaitingForReply.

[vdobler]

Comment 4:

Cookie: lines are okay, the issue is with Set-Cookie: headers, e.g.
Set-Cookie: name=value; Max-Age="45"
should be rejected according to http://tools.ietf.org/html/rfc6265#section-5.2.2
as the value of Max-Age starts with a quote and only digits and minus is
allowed. (Only the cookie-value should be unquoted before processing, the
cookie-avs should not be unquoted.)
See http://play.golang.org/p/PpzVRGeg0S

[gopherbot]

Comment 5:

CL https://golang.org/cl/148890043 mentions this issue.

[nigeltao]

Comment 6:

This issue was closed by revision e59ad69.

Status changed to Fixed.