fix: do not fold Set-Cookie values into a single header, per RFC6265 #1027

Merged
merged 1 commit into from
Sep 7, 2023

@jmalloc jmalloc commented Sep 6, 2023

This PR adds a special case for encoding Set-Cookie headers in responses. Specifically, it prevents headerParamEncoder from folding multiple header values into a single header value using a comma separator, as per RFC6265:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in RFC2616 section 4.2) might change the semantics of the Set-Cookie header field because the %x2C (,) character is used by Set-Cookie in a way that conflicts with such folding.

The comma mentioned by the RFC appears when using a cookie with an expiry timestamp, because the recommended timestamp format (see RFC2616 section 3.3.1) uses a comma after the day-of-week.

/cc @ezzatron
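
The failure mode described above, as an added Go example that is not code from this PR or from ogen: it builds the same two cookies as one folded `Set-Cookie` field and as separate fields, then reads both back with the standard library. The helper names (`sampleCookies`, `foldedHeader`, `separateHeader`, `parse`, `naiveUnfold`) and the cookie values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// sampleCookies returns constructed sample data (illustrative names and values).
func sampleCookies() []*http.Cookie {
	exp := time.Date(2023, time.September, 6, 10, 0, 0, 0, time.UTC)
	return []*http.Cookie{
		{Name: "session", Value: "abc", Path: "/", Expires: exp, HttpOnly: true, Secure: true},
		{Name: "theme", Value: "dark", Path: "/"},
	}
}

// foldedHeader joins every cookie into one field with ", " (what RFC6265 warns against).
func foldedHeader(cs []*http.Cookie) http.Header {
	vals := make([]string, len(cs))
	for i, c := range cs {
		vals[i] = c.String()
	}
	return http.Header{"Set-Cookie": {strings.Join(vals, ", ")}}
}

// separateHeader emits one Set-Cookie field per cookie.
func separateHeader(cs []*http.Cookie) http.Header {
	h := http.Header{}
	for _, c := range cs {
		h.Add("Set-Cookie", c.String())
	}
	return h
}

// parse reads cookies back the way a Go HTTP client would.
func parse(h http.Header) []*http.Cookie {
	return (&http.Response{Header: h}).Cookies()
}

// naiveUnfold splits a folded value on ", " like a generic list-header consumer.
func naiveUnfold(h http.Header) []string {
	return strings.Split(h.Get("Set-Cookie"), ", ")
}

func main() {
	f, s := foldedHeader(sampleCookies()), separateHeader(sampleCookies())
	fmt.Println(len(parse(s)), len(parse(f)), len(naiveUnfold(f)), parse(f)[0].Secure)
}
```

Running it prints `2 1 3 false`: separate fields yield both cookies, while the folded field yields one cookie whose `Secure` attribute is no longer recognised because it is fused with the next cookie's name, and splitting on the comma produces three fragments because of the comma in the `Expires` timestamp.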


codecov bot commented Sep 6, 2023

Codecov Report

Patch coverage: 83.33% and project coverage change: +0.02% 🎉

Comparison is base (660d20e) 72.20% compared to head (ab68ce3) 72.23%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1027      +/-   ##
==========================================
+ Coverage   72.20%   72.23%   +0.02%     
==========================================
  Files         192      192              
  Lines       14991    15003      +12     
==========================================
+ Hits        10825    10837      +12     
  Misses       3631     3631              
  Partials      535      535              
Files Changed Coverage Δ
uri/header_param_encoder.go 69.76% <83.33%> (+11.70%) ⬆️


This commit adds a special case for encoding Set-Cookie headers in responses.
Specifically, it prevents `headerParamEncoder` from folding multiple header
values into a single header value with a comma separator, as per RFC6265:

   Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
   a single header field.  The usual mechanism for folding HTTP headers
   fields (i.e., as defined in [RFC2616]) might change the semantics of
   the Set-Cookie header field because the %x2C (",") character is used
   by Set-Cookie in a way that conflicts with such folding.

The comma mentioned by the RFC appears when using a cookie with an expiry
timestamp, because the timestamp format uses a comma after the day-of-week.

@shadowspore shadowspore left a comment


LGTM

@tdakkota tdakkota merged commit 051e5eb into ogen-go:main Sep 7, 2023
15 checks passed
jmalloc commented Sep 11, 2023

Thank you!

@jmalloc jmalloc deleted the set-cookie-array branch September 11, 2023 04:38