Cookie parsing handles invalid URL-encoded cookies (fixes #51)

mmcgrana · e2eb01fde0e7756334bfbdeb498088a63b4c6ffd · weavejester committed Mar 17, 2012 · Mar 17, 2012 · e2eb01f
1 parent cf038f7
commit e2eb01fde0e7756334bfbdeb498088a63b4c6ffd
Unified Split

Showing with 11 additions and 5 deletions.

+6 −5 ring-core/src/ring/middleware/cookies.clj

+5 −0 ring-core/test/ring/middleware/test/cookies.clj
@@ -45,11 +45,12 @@
 (defn- normalize-quoted-strs
   "Turn quoted strings into normal Clojure strings using read-string."
   [cookies]
-  (for [[name value] cookies]
-    (let [value (codec/url-decode value)]
-      (if (.startsWith ^String value "\"")
-        [name (read-string value)]
-        [name value]))))
+  (remove nil?
+    (for [[name value] cookies]
+      (if-let [value (codec/url-decode value)]
+        (if (.startsWith ^String value "\"")
+          [name (read-string value)]
+          [name value])))))
 
 (defn- get-cookie
   "Get a single cookie from a sequence of cookie-values"
@@ -72,6 +72,11 @@
     (is (= {"Set-Cookie" (list "a=hello+world")}
            (:headers resp)))))
 
+(deftest wrap-cookies-invalid-url-encoded
+  (let [req  {:headers {"cookie" "a=%D"}}
+        resp ((wrap-cookies :cookies) req)]
+    (is (= {} resp))))
+
 (deftest wrap-cookies-keep-set-cookies-intact
   (let [handler (constantly {:headers {"Set-Cookie" (list "a=b")}
                              :cookies {:c "d"}})