net/http: readCookies unable to parse out cookies that are not well written #39087
Change https://golang.org/cl/233978 mentions this issue:
Thank you for filing this issue @shidawuhen and welcome to the Go project! So firstly, what's the reason why we should be allowing malformed cookies? Do other servers allow these malformed cookies? What does Node.js do? Python? Java (Netty or Jetty)? Kindly pinging some cookie and security experts because this could use their eyes @vdobler @katiehockman @FiloSottile.
This is one of several issues reported about our strict handling of cookie-list with empty elements. The Cookie header set with the PHP client code is malformed according to https://tools.ietf.org/html/rfc6265#section-5.4. @shidawuhen Your Cookie header is handcrafted and thus would not qualify for A and not for B. Can you provide evidence that any browser sends such Cookie headers based on normally set cookies or that any HTTP library produces such Cookie headers?
@odeke-em @vdobler When the app requests the API of our server, the format of the cookie is "token = abc; xmuuid = def;". The token is the authentication information of the user login. When the user is not logged in, the cookie is "; xmuuid = def;". Of course, this is indeed because the Android developer did not write it very well, but versions <= go1.12 support it, and the problem was only discovered recently when the service upgraded its Go version to go 1.13. The old version supports it but the new version does not, which does bring about this problem. And we use the beego framework, so it is not easy to handle cookies in the service.
Change https://golang.org/cl/234961 mentions this issue:
Change https://golang.org/cl/235141 mentions this issue:
Was fixed by https://golang.org/cl/235141.
Thanks for the reminder @vdobler, and for working on it too.
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?
yes

What operating system and processor architecture are you using (go env)?
go env Output

What did you do?
2.client:
What did you expect to see?
string(66) "xmuuid:XMGUEST-FCF117BF-4D1B-272F-829D-25E19826D4F8
type:protobuf
"
What did you see instead?
string(0) ""
Reason
readCookies can't parse this format
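
An added example, not part of the issue thread and not Go's own code: for a service that cannot change the client, one workaround is to drop empty cookie-list elements before net/http parses the header. The names normalizeCookieHeader, tolerateEmptyCookieElements and cookieSeenByHandler are hypothetical, and the sample header is constructed from the not-logged-in shape described in the thread. Name and value validation is left to net/http, so only the empty elements are tolerated.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// normalizeCookieHeader drops empty elements: "; xmuuid=def;" -> "xmuuid=def".
func normalizeCookieHeader(v string) string {
	var kept []string
	for _, part := range strings.Split(v, ";") {
		if part = strings.TrimSpace(part); part != "" {
			kept = append(kept, part) // pairs pass through untouched
		}
	}
	return strings.Join(kept, "; ")
}

// tolerateEmptyCookieElements rewrites each Cookie header line in place
// before the wrapped handler calls r.Cookie or r.Cookies.
func tolerateEmptyCookieElements(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		lines := r.Header["Cookie"]
		for i, line := range lines {
			lines[i] = normalizeCookieHeader(line)
		}
		next.ServeHTTP(w, r)
	})
}

// cookieSeenByHandler sends a constructed request with the raw Cookie header
// through the middleware and returns the value the handler reads for name.
func cookieSeenByHandler(rawHeader, name string) string {
	var got string
	h := tolerateEmptyCookieElements(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(name); err == nil {
			got = c.Value
		}
	}))
	req := httptest.NewRequest("GET", "/", nil)
	req.Header.Set("Cookie", rawHeader)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return got
}

func main() {
	fmt.Println(cookieSeenByHandler("; xmuuid=def;", "xmuuid"))
}
```

A missing token cookie stays missing after normalization, so the handler's login check still treats the request as unauthenticated.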