Patch http-parse-set-cookie.patch corrects the behavior, producing:
Cookie:
name="c1"
value="aaa"
Cookie:
name="c2"
value="bbb"
expires="Sun, 25-Oct-2015 04:35:13 GMT"
The patch does the following:
Function parse_set_cookie() is no longer fed response.header["set-cookie"], which is a concatenation of all the cookie definitions. Instead the function is invoked on each Set-Cookie header separately, before they are joined, inside parse_header().
This allows removal of the unnecessary outer looping construct while true do ... end from the cookie parsing code.
Swaps the position of functions parse_set_cookie() and parse_header() inside http.lua. This is necessary due to the moved invocation point for parse_set_cookie().
The last two changes visually inflate the patch quite a lot but a smart diff can see through it.
Case 2: Comma Splitting
Consider the following HTTP response:
...
Set-Cookie: c1=aaa; path=/bbb/ccc,ddd/eee
...
Note that this is a legitimate path. (See W3C and RFC 6265 for details.)
The current code parses the header as follows:
Cookie:
name="c1"
value="aaa"
path="=/bbb/ccc"
Patch http-parse-set-cookie-comma.patch corrects the behavior by removing special parsing of the comma from parse_set_cookie(). The parsing is not needed any more due to the function now processing only one header at a time.
Clean-up
Finally I am proposing a clean-up of parse_set_cookie() code, removing unnecessary checks like if pos <= #s and converting string functional calls to the object notation. See patch http-parse-set-cookie-cleanup.patch.
The patches are meant to be applied in this order:
http-parse-set-cookie.patch
http-parse-set-cookie-comma.patch
http-parse-set-cookie-cleanup.patch
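The difference between comma-based splitting and per-header parsing described in this issue, as an added Lua sketch that is not code from the issue or from nselib/http.lua. The helper names, the second sample header and the ", " separator used for the joined form are assumptions.

```lua
-- Added illustration: parse_one_cookie and split_on_commas are hypothetical
-- helpers, not functions from nselib/http.lua.

-- Parse ONE Set-Cookie header value; commas get no special treatment.
local function parse_one_cookie(header)
  local cookie, first = {}, true
  for part in header:gmatch("[^;]+") do
    local name, value = part:match("^%s*([^=]-)%s*=%s*(.-)%s*$")
    if not name then                      -- valueless attribute, e.g. "secure"
      name, value = part:match("^%s*(.-)%s*$"), true
    end
    if first then                         -- first pair is the cookie itself
      cookie.name, cookie.value, first = name, value, false
    elseif name ~= "" then                -- the rest are attributes
      cookie[name:lower()] = value
    end
  end
  return cookie
end

-- What a parser has to work with when handed the joined header string
-- and told to find cookie boundaries at commas.
local function split_on_commas(joined)
  local pieces = {}
  for piece in joined:gmatch("[^,]+") do
    pieces[#pieces + 1] = piece
  end
  return pieces
end

-- Constructed sample headers; the path is the one from Case 2.
local headers = {
  "c1=aaa; path=/bbb/ccc,ddd/eee",
  "c2=bbb; expires=Sun, 25-Oct-2015 04:35:13 GMT",
}

-- Assumed separator for the joined form: ", ".
local joined = table.concat(headers, ", ")
print(#headers .. " headers, " .. #split_on_commas(joined) .. " comma-separated pieces")

for _, h in ipairs(headers) do
  local c = parse_one_cookie(h)
  print(c.name, c.value, c.path or c.expires)
end
```

Commas inside a path or an expires date are indistinguishable from header boundaries once the values are joined, which is why the per-header parser needs no comma handling at all.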
I see two modifications, compared to what I proposed:
Variable value is declared at the time of its first use
Positions of the two functions, parse_set_cookie() and parse_header(), within http.lua have been restored
I have no problem with the first one. It is cleaner this way. The reason why I did not do that is that in another patch earlier this year my late variable declaration was moved by the committing person to the beginning of the function. So I am struggling a bit to follow the coding culture of this project.
With respect to the second change, I swapped the function positions to address the following error:
nselib/http.lua:697: variable 'parse_set_cookie' is not declared
I am getting this error again with the latest modifications.
Great, I fixed the undeclared variable problem by declaring it local just above parse_header, then defining it later. I only moved it to minimize the diff and make the changes clearer. I'll apply this, then. Thanks for continuing to provide great feedback and excellent improvements!
Library http.lua does not correctly parse certain cases of Set-Cookie header.
Case 1: Cookie Merge
Consider the following HTTP response:
The current code parses the headers as follows: