Ensure some cookies don't cause failure #1645
Conversation
lib/rack/mock.rb
Outdated
| cookie_attributes.store('value', cookie_bits[0].strip) | ||
| cookie_bits.each do |bit| | ||
| if bit.include? '=' | ||
| cookie_attribute, attribute_value = bit.split('=') |
There was a problem hiding this comment.
Would it make mores sense to use split('=', 2)?
There was a problem hiding this comment.
Yes, also works. Either way, the results of this function are discarded other than for these areas:
https://github.com/rack/rack/pull/1645/files#diff-4fc9bc1f7d91630f4f9f47fc6663f3f7L240-L245
It is probably incorrect to assume '=' is a divider.
A third option is not to process the first element of the cookie_bits array at all, since this is the value. So cookie_bits[1..].each do |bit|.
Fourth option, do both since the value could possibly also contain '='.
|
BTW: the build failures appear to be due to this: ruby/rubygems#3570 |
tenderlove
left a comment
tenderlove
left a comment
There was a problem hiding this comment.
This seems good, but we need to make sure the build passes. It looks like there is a legit failure in 2.5
Co-authored-by: Aaron Patterson <aaron.patterson@gmail.com>
Done in c17569c. Thanks! |
3 participants
Cookies can on occasion have base 64 encoded strings as their value. Base 64 encoded strings tend to end in '=' as this is a filler character. Cookies of this form cause rack to fail.
An example is
__cf_bm=_somebase64encodedstringwithequalsatthened=; array=awesome.This fixes the bug.
Alternative approach would be that in the function I've patched, to only parse the headers required in the enclosing function.