Description
Note: I attempted to post this to the golang nuts list, but my message was rejected twice for unspecified reasons.
What version of Go are you using (go version
)?
go version go1.10.1 windows/amd64
Does this issue reproduce with the latest release?
Code in current https://github.com/golang/go/blob/master/src/net/http/cookie.go is the same as my release.
What operating system and processor architecture are you using (go env
)?
go env
Output
set GOARCH=amd64 set GOBIN= set GOCACHE=C:\Users\david\AppData\Local\go-build set GOEXE=.exe set GOHOSTARCH=amd64 set GOHOSTOS=windows set GOOS=windows set GOPATH=I:\golang set GORACE= set GOROOT=I:\Go set GOTMPDIR= set GOTOOLDIR=I:\Go\pkg\tool\windows_amd64 set GCCGO=gccgo set CC=gcc set CXX=g++ set CGO_ENABLED=1 set CGO_CFLAGS=-g -O2 set CGO_CPPFLAGS= set CGO_CXXFLAGS=-g -O2 set CGO_FFLAGS=-g -O2 set CGO_LDFLAGS=-g -O2 set PKG_CONFIG=pkg-config set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\david\AppData\Local\Temp\go-build742879430=/tmp/go-build -gno-record-gcc-switches
What did you do?
- I make a http post call to a server ( happens to be https://www.ealing.gov.uk/site/custom_scripts/waste_collection/waste_collection.aspx )
- I receive this Set-Cookie:
Set-Cookie: ISAWPLB{48BCE7DA-ADD0-4237-A5B8-816663CFDD23}={70F05AF6-A2D2-4861-9D98-B73CEF42E642}; HttpOnly; Path=/
What did you expect to see?
I expected the http package to tolerate sloppy cookie names that exist in the wild on the internet and are supported by all major browsers. This cookie name works on firefox and chrome latest. I've not tested with anything else, but given my local council is using it, and it's produced by a Microsoft application stack, I suspect it works everywhere.
What did you see instead?
net/http/client.go attempts to handle the Set-Cookie header by calling net/http/cookie.go readSetCookies() , but fails silently, swallowing the Set-Cookie without any warning, because it deems the cookie name ISAWPLB{48BCE7DA-ADD0-4237-A5B8-816663CFDD23}
invalid because it contains, as far as I can tell, {
and }
.
This actually means that it's impossible for me to use go (without hacking net/http) to communicate properly with this web server, because the stringer on a Cookie returns "" unless the name is valid, which stops the cookie being included with outbound requests. So, even if I manually handled this badly named cookie, the http client will refuse to send it, regardless.