Closed
Bug 162579
Opened 23 years ago
Closed 23 years ago
Setting a quoted cookie value containing ';' fails
Categories
(Core :: Networking: Cookies, defect)
RESOLVED
WONTFIX
People
(Reporter: bzbarsky, Assigned: morse)
Attempting to do:
Set-Cookie: foo="aa;bb"
fails. The value of the cookie "foo" is set to "aa" instead of "aa;bb". The
problem is reproducible both from JS (as in the url field) and from an HTTP
header (no testcase readily available, but I can put one up if really needed).
It seems we blindly search for ';' and ignore the fact that it's inside a quoted
string... that's incorrect if I read RFC 2109 [1] correctly.
[1] http://web.mit.edu/rfc/rfc2109.txt says:
set-cookie = "Set-Cookie:" cookies
cookies = 1#cookie
cookie = NAME "=" VALUE *(";" cookie-av)
VALUE = value
value = word
word = token | quoted-string
so we should be allowing any quoted string as a value and not randomly
truncating it at ';'
Reporter
Comment 1•23 years ago
This is a general problem, by the way. Any of the "value"s in a cookie header
(value of "Comment", "Max-Age", "Path", etc) is allowed to contain ';' if it's
quoted.
It looks like the cookie-parsing code uses nsCRT::strtok and
nsCRT::strchr (not to mention strcasestr and such) all over; it does not
properly handle quoted values _anywhere_ in the code.
I should note, for completeness, that NS4 and IE6 exhibit the same behavior we
do.... so we may well want to not fix this.
Assignee
Comment 2•23 years ago
Based on your last comment, I would indeed recommend not fixing it. We'll
undoubtedly break some weird website somewhere if we make this change, and if IE
accepts that website we'll be looked at as the bad guy.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
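
The difference the reporter describes, as an added example that is not part of the original bug report and not Mozilla's code: a strchr-style cut at the first ';' next to a scanner that treats ';' inside a quoted-string as data. The function names and the sample header are constructed for illustration; the backslash handling assumes the HTTP/1.1 quoted-pair rule, which the thread does not quote.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour reported in the bug: cut at the first ';', quoted or not. */
static size_t value_len_naive(const char *v)
{
    const char *semi = strchr(v, ';');
    return semi ? (size_t)(semi - v) : strlen(v);
}

/* RFC 2109 reading: ';' inside a quoted-string is data. Assumption:
   a backslash inside quotes escapes the next character (quoted-pair). */
static size_t value_len_quoted(const char *v)
{
    int in_quotes = 0;
    size_t i;
    for (i = 0; v[i] != '\0'; i++) {
        if (in_quotes && v[i] == '\\' && v[i + 1] != '\0')
            i++;                      /* skip the escaped character */
        else if (v[i] == '"')
            in_quotes = !in_quotes;
        else if (v[i] == ';' && !in_quotes)
            break;                    /* real attribute separator */
    }
    return i;
}

/* Copy the VALUE of "NAME=VALUE; attr..." into out; returns its length. */
static size_t cookie_value(const char *hdr, int quote_aware, char *out, size_t cap)
{
    const char *eq = strchr(hdr, '=');
    if (!eq || cap == 0) return 0;
    const char *v = eq + 1;
    size_t n = quote_aware ? value_len_quoted(v) : value_len_naive(v);
    if (n >= cap) n = cap - 1;        /* never overrun the caller's buffer */
    memcpy(out, v, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *hdr = "foo=\"aa;bb\"; Path=/";   /* constructed sample */
    char a[64], b[64];
    cookie_value(hdr, 0, a, sizeof a);
    cookie_value(hdr, 1, b, sizeof b);
    printf("naive: %s\nquote-aware: %s\n", a, b);
    return 0;
}
```

Two parsers that disagree on where this value ends will store different cookies from the same header, which is the compatibility concern raised in Comment 2.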