net/http: sanitize Cookie.Domain #6013
What kind of "validation" do you think of? Currently `func (c *Cookie) String() string` does not validate anything; it just cleans up unsuitable (for a cookie header) characters via sanitize{Value,Name}. Is this issue about adding sanitizeDomain (and maybe sanitizePath also) which replaces/drops characters from Domain (and Path) which do not conform to RFC 6265? Or should `func (c *Cookie) String() string` be changed:

```go
// String returns the serialization of the cookie for use in a Cookie
// header (if only Name and Value are set) or a Set-Cookie response
// header (if other fields are set).
// **NEW** It returns an empty string if a RFC 6265 conforming Set-Cookie
// response header cannot be constructed from c's fields. **NEW**
func (c *Cookie) String() string
```

But this would break Go 1 compatibility, or?
See the updates in "net/http: don't write out invalid cookie lines", https://code.google.com/p/go/source/detail?r=65920aec044a . This bug is about finishing that CL in the same way. I deleted "sanitizeValue" because it was undefined and wrong, used by different callers who needed different things,
pkg net's dnsclient.go `func isDomainName(s string) bool` is pretty lax: it allows labels to start with a digit and allows underscores in labels. Neither is permitted by http://tools.ietf.org/html/rfc1034#section-3.5 which is referenced for cookies in http://tools.ietf.org/html/rfc6265#section-4.1.1 . Chrome actually allows cookies for domains like 3m.com. Is it okay to be lax for cookie domains too and allow domains like www.3m.com and _xmpp-server._tcp.google.com as the domain-value of a cookie? I'll assume yes and will prepare a CL.
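The comment above asks how strict a cookie Domain check should be. The following added example (my own code, not part of this issue thread and not the CL it refers to) makes the trade-off concrete: `StrictRFC1034Domain` is a hypothetical validator that applies the RFC 1034 section 3.5 label grammar literally (a label must begin with a letter, end with a letter or digit, and contain only letters, digits and hyphens), while `DomainAttribute` serialises a cookie through the released `net/http` `Cookie.String()` and reports which Domain attribute, if any, the standard library actually emits. Note that RFC 6265 section 4.1.1 cites RFC 1034 "as enhanced by RFC 1123 section 2.1", and RFC 1123 is what relaxes the first character of a label to allow a digit, so a domain such as 3m.com is in fact conforming. The helper names and the sample domains are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

func isLetter(c byte) bool { return 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' }
func isDigit(c byte) bool  { return '0' <= c && c <= '9' }

// strictRFC1034Label applies the RFC 1034 section 3.5 <label> grammar
// literally: first character a letter, last a letter or digit, interior
// letters, digits or hyphens, at most 63 octets. Underscores and a leading
// digit are rejected, which is the strictness the comment above asks about.
func strictRFC1034Label(label string) bool {
	if len(label) == 0 || len(label) > 63 {
		return false
	}
	first, last := label[0], label[len(label)-1]
	if !isLetter(first) || !(isLetter(last) || isDigit(last)) {
		return false
	}
	for i := 0; i < len(label); i++ {
		c := label[i]
		if !isLetter(c) && !isDigit(c) && c != '-' {
			return false
		}
	}
	return true
}

// StrictRFC1034Domain is a hypothetical cookie domain-value check that
// accepts only domains whose every label passes strictRFC1034Label.
// A single leading dot is tolerated because RFC 6265 section 4.1.2.3 says
// user agents ignore it in the Domain attribute.
func StrictRFC1034Domain(domain string) bool {
	domain = strings.TrimPrefix(domain, ".")
	if domain == "" || len(domain) > 255 {
		return false
	}
	for _, label := range strings.Split(domain, ".") {
		if !strictRFC1034Label(label) {
			return false
		}
	}
	return true
}

// DomainAttribute builds a Set-Cookie line with the real net/http
// Cookie.String() and returns the value of the Domain attribute it emitted,
// or "" when the standard library dropped the attribute (it logs a warning
// on stderr in that case and the cookie becomes host-only).
func DomainAttribute(domain string) string {
	c := &http.Cookie{Name: "session", Value: "abc", Domain: domain}
	for _, part := range strings.Split(c.String(), "; ") {
		if strings.HasPrefix(part, "Domain=") {
			return strings.TrimPrefix(part, "Domain=")
		}
	}
	return ""
}

func main() {
	// Constructed sample domains covering the cases discussed in the thread.
	samples := []string{
		"example.com",
		".example.com",
		"3m.com",
		"www.3m.com",
		"_xmpp-server._tcp.google.com",
		"127.0.0.1",
		"bad domain",
	}
	for _, d := range samples {
		fmt.Printf("%-32q strict RFC 1034: %-5v  net/http Domain=%q\n",
			d, StrictRFC1034Domain(d), DomainAttribute(d))
	}
}
```

Running it shows the two policies diverging exactly where the comment predicts: the strict check rejects 3m.com and www.3m.com (leading digit) as well as the underscored SRV-style name, while net/http keeps the digit-leading domains, strips the leading dot from .example.com, accepts a bare IPv4 literal, and silently drops the Domain attribute for the underscored name and for "bad domain". A server that relies on the Domain attribute for cross-subdomain sessions should therefore check the serialised header (or validate the domain up front) rather than assume every Cookie it constructs is sent as written.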
This issue was closed by revision 4f86a96. Status changed to Fixed.