We are seeing several 500 errors for some incoming requests from IE9 users. The issue there was a cookie set by Mixpanel using a different encoding, i.e. %uXXXX to represent UTF-16 characters.
This is one of the exceptions for instance:
ArgumentError (cannot parse Cookie header: invalid %-encoding (%7B%22all%22%3A%20%7B%22%24initial_referrer%22%3A%20%22http%3A//www.akakura365.net/%u30AD%u30E3%u30CA%u30EB%u30B3%u30FC%u30C8petit/%22%2C%22%24initial_referring_domain%22%3A%
I added some code which recodes %uXXXX to UTF-8 representation so that the cookie can be parsed correctly and thus the request can be processed.
handle cookies with %uXXXX encoding as sent by IE
+1. I also ran into this issue.
On this, I looked at RFC 2109, and it doesn't say that cookies are www-form-encoded in any way.
I have never seen this syntax before, where is it specified?
Sorry, I don't know if there is any specification, I'm just working with the data we observe.
Anyway, the default behavior (throwing an exception, causing a 500) gives a pretty bad user experience in case something manages to set a malformed cookie...
@chneukirchen, as I replied to @mreinsch, the fact is that you should treat cookies as black boxes.
In my case, for example, we are working on a Ruby application that is reverse-proxied on the same domain as an ASP.NET application, and some cookie values similar to @mreinsch's raise a 500 exception in the cookie jar deserialization code.
@morenocarullo we should look at RFC 6265, but it basically says the same.
The problem is that Rack cookie values are escaped in the set_cookie code (so that you can throw at it strings with any characters inside) and unescaped in cookies (so you can read back the strange string you set before) through this code:
string = @env["HTTP_COOKIE"]
Utils.parse_query(string, ';,') ...
Any progress on this?
For now I have written a middleware (https://gist.github.com/2413136) that attempts to throw away unwanted chars from the cookie string, but of course it is not the best option, I think.
@gioele, yes -- the problem is that Rack assumes that all visible cookies have been previously set by Rack itself, which is not always the case.
It seems that it's a pending issue, see #272 and #225.
Maybe some core Rack developers (@chneukirchen, @tenderlove) can say something on this?
Add a decoder that supports ECMA unicode uris
References #337 #360 #323
More detail here:
I've got the exact same problem using simpleCart.js
Apparently @raggi's solution was not merged because of a security issue.
Did you guys find a quick and dirty fix in the meantime?
Do not fail on cookies that are not URI escaped
* Closes #360
Now tell me what I should do. Someone set an incorrect header for the whole enterprise domain *.blah.com and now all Rails apps underneath fail instantly. I need at least a workaround. Can you guys give me a snippet that would do it? I do not want to patch our Rack, it looks like you do not want to push this upstream and that would mean I need to keep patching it forever. Thanks.
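
An added example, not code from this thread or from Rack: a pre-parse step that recodes %uXXXX escapes to percent-encoded UTF-8 and drops cookie pairs that stay malformed, so the Cookie header handed to the parser never triggers the "invalid %-encoding" error. The CookieRecode module, its method names and the sample cookie values are assumptions made for illustration; the middleware uses only the plain call(env) convention.

```ruby
# Added example; CookieRecode and its methods are hypothetical names, not Rack API.
module CookieRecode
  ECMA_RUN  = /(?:%u[0-9a-fA-F]{4})+/             # one or more %uXXXX code units
  VALID_PCT = /\A(?:[^%]|%[0-9a-fA-F]{2})*\z/     # every % starts a %XX pair

  # Rewrite %uXXXX (UTF-16 code units) as percent-encoded UTF-8.
  # The output stays percent-encoded, so a recoded ';' or '=' cannot
  # change the structure of the Cookie header.
  # Returns nil for a lone surrogate or any remaining bad %-sequence.
  def self.recode(value)
    out = value.gsub(ECMA_RUN) do |run|
      # "%u30AD%u30E3" -> "30AD30E3" -> raw UTF-16BE bytes
      text = [run.delete("%u")].pack("H*").force_encoding(Encoding::UTF_16BE)
      return nil unless text.valid_encoding?      # rejects unpaired surrogates
      text.encode(Encoding::UTF_8).bytes.map { |b| format("%%%02X", b) }.join
    end
    VALID_PCT.match?(out) ? out : nil
  end

  # Recode every pair in a Cookie header and drop the pairs that remain
  # unparseable, so one foreign cookie cannot turn every request into a 500.
  def self.sanitize(header)
    pairs = header.to_s.split(/;\s*/).map do |pair|
      name, sep, value = pair.partition("=")
      fixed = recode(value)
      "#{name}#{sep}#{fixed}" if fixed && VALID_PCT.match?(name)
    end
    pairs.compact.join("; ")
  end

  # Middleware: place it ahead of anything that reads request cookies.
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      raw = env["HTTP_COOKIE"]
      env["HTTP_COOKIE"] = CookieRecode.sanitize(raw) if raw
      @app.call(env)
    end
  end
end
```

Dropping a malformed pair is a deliberate choice here: the application sees the cookie as absent instead of receiving a value decoded by guesswork.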