From 7e411a4c33f22652a4281513b0ab7f5435cd3778 Mon Sep 17 00:00:00 2001
From: Stephen Crosby
Date: Wed, 1 Feb 2023 22:03:22 -0800
Subject: [PATCH 1/3] Ignore leading dot when merging cookies

Most recent specification states that leading dots are ignored by user agents: https://httpwg.org/specs/rfc6265.html#sane-domain
---
 lib/rack/test/cookie_jar.rb | 1 +
 spec/rack/test/cookie_jar_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/lib/rack/test/cookie_jar.rb b/lib/rack/test/cookie_jar.rb
index ed5cd5fa..6825c9ef 100644
--- a/lib/rack/test/cookie_jar.rb
+++ b/lib/rack/test/cookie_jar.rb
@@ -32,6 +32,7 @@ def initialize(raw, uri = nil, default_host = DEFAULT_HOST)
 
       if @options['domain']
         @exact_domain_match = false
+        @options['domain'].sub!(/^\./, '')
       else
         # If the domain attribute is not present in the cookie,
         # the domain must match exactly.
diff --git a/spec/rack/test/cookie_jar_spec.rb b/spec/rack/test/cookie_jar_spec.rb
index a1442b4a..c019a131 100644
--- a/spec/rack/test/cookie_jar_spec.rb
+++ b/spec/rack/test/cookie_jar_spec.rb
@@ -61,4 +61,12 @@
     jar.merge('c=d; domain=example.org; secure', URI.parse('/'))
     jar.to_hash.must_equal 'a' => 'b'
   end
+
+  it '#merge merges cookie strings where domains differ by leading dot' do
+    jar = Rack::Test::CookieJar.new
+    jar << Rack::Test::Cookie.new('a=b; domain=lithostech.com', URI('https://lithostech.com'))
+    jar << Rack::Test::Cookie.new('a=c; domain=.lithostech.com', URI('https://lithostech.com'))
+
+    jar.to_hash.must_equal 'a' => 'c'
+  end
 end

From 6f163c137e46419d38e1482c33201fbca175db10 Mon Sep 17 00:00:00 2001
From: Stephen Crosby
Date: Wed, 1 Feb 2023 22:39:21 -0800
Subject: [PATCH 2/3] Ignore leading cookie domain dot with string index-assign

---
 lib/rack/test/cookie_jar.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rack/test/cookie_jar.rb b/lib/rack/test/cookie_jar.rb
index 6825c9ef..cc9edbeb 100644
--- a/lib/rack/test/cookie_jar.rb
+++ b/lib/rack/test/cookie_jar.rb
@@ -32,7 +32,7 @@ def initialize(raw, uri = nil, default_host = DEFAULT_HOST)
 
       if @options['domain']
         @exact_domain_match = false
-        @options['domain'].sub!(/^\./, '')
+        domain[0] = '' if domain[0] == '.'
       else
         # If the domain attribute is not present in the cookie,
         # the domain must match exactly.

From 8cc66f8619ad6298b30f82eae1ecc5c2a8704330 Mon Sep 17 00:00:00 2001
From: Stephen Crosby
Date: Wed, 1 Feb 2023 22:57:21 -0800
Subject: [PATCH 3/3] Reduce method call count for domain setting

Add a more direct test for leading dot ignore
---
 lib/rack/test/cookie_jar.rb | 2 +-
 spec/rack/test/cookie_jar_spec.rb | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/lib/rack/test/cookie_jar.rb b/lib/rack/test/cookie_jar.rb
index cc9edbeb..c6f617d6 100644
--- a/lib/rack/test/cookie_jar.rb
+++ b/lib/rack/test/cookie_jar.rb
@@ -30,7 +30,7 @@ def initialize(raw, uri = nil, default_host = DEFAULT_HOST)
       @name, @value = parse_query(@raw, ';').to_a.first
       @options = parse_query(options, ';')
 
-      if @options['domain']
+      if domain = @options['domain']
         @exact_domain_match = false
         domain[0] = '' if domain[0] == '.'
       else
diff --git a/spec/rack/test/cookie_jar_spec.rb b/spec/rack/test/cookie_jar_spec.rb
index c019a131..68a9587b 100644
--- a/spec/rack/test/cookie_jar_spec.rb
+++ b/spec/rack/test/cookie_jar_spec.rb
@@ -17,6 +17,12 @@
     jar_clone.to_hash.must_be_empty
   end
 
+  it 'ignores leading dot in domain' do
+    jar = Rack::Test::CookieJar.new
+    jar << Rack::Test::Cookie.new('a=c; domain=.lithostech.com', URI('https://lithostech.com'))
+    jar.get_cookie('a').domain.must_equal 'lithostech.com'
+  end
+
   it '#[] and []= should get and set cookie values' do
     jar = Rack::Test::CookieJar.new
     jar[cookie_name].must_be_nil
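Review bot: The new `if domain = @options['domain']` in the 3/3 cookie_jar.rb hunk still sends an empty `domain=` attribute down the suffix-match branch, because `""` is truthy in Ruby, whereas RFC 6265 §5.2.3 (the spec the series cites) says an empty domain-attribute is ignored, i.e. treated like the absent case the `else` branch handles; this is pre-existing, but since this exact line is being rewritten it is the place to close it with `if (domain = @options['domain']) && !domain.empty?`, and the parentheses also make the intentional assignment-in-condition explicit for readers and linters. Whether `parse_query` actually yields `""` for a valueless attribute is not visible here and should be checked first. `domain[0] = '' if domain[0] == '.'` edits the hash value in place, which presumes `parse_query` returns unfrozen Strings; it removes exactly one leading dot, matching the RFC's step, so a value like `..example.com` is deliberately left as-is. The `else` branch and the remainder of `initialize` continue outside the hunk.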
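Review bot: The new example in the 3/3 spec hunk asserts only that `Cookie#domain` drops the dot, while the `#merge` example deleted in the next hunk was the one proving that `lithostech.com` and `.lithostech.com` end up as a single jar entry (`'a' => 'c'`), which is the behaviour the series title promises and the one a caller would rely on; keep both rather than trading one for the other. The other examples in this file use the reserved `example.org`, so `example.com` would be the consistent choice here instead of a real registrable domain. The enclosing `describe` block starts before the hunk.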
@@ -61,12 +67,4 @@
     jar.merge('c=d; domain=example.org; secure', URI.parse('/'))
     jar.to_hash.must_equal 'a' => 'b'
   end
-
-  it '#merge merges cookie strings where domains differ by leading dot' do
-    jar = Rack::Test::CookieJar.new
-    jar << Rack::Test::Cookie.new('a=b; domain=lithostech.com', URI('https://lithostech.com'))
-    jar << Rack::Test::Cookie.new('a=c; domain=.lithostech.com', URI('https://lithostech.com'))
-
-    jar.to_hash.must_equal 'a' => 'c'
-  end
 end