net/http: send more cookie values in double quotes

vdobler · bradfitz · commit 8f6d68ebaa66 · 2017-05-22T19:13:51.000Z
According to RFC 6255 a cookie value may contain neither spaces " " nor commas ",". But browsers seem to handle these pretty well and such values are not uncommon in the wild so we do allow spaces and commas in cookie values too. Up to now we use the double-quoted wire format only for cookie values with leading and/or trailing spaces and commas. Values with internal spaces/commas are sent without the optional double quotes. This seems to be a problem for some agents. This CL changes the behaviour for cookie values with spaces or commas: Such values are always sent in double quotes. This should not have any impact on existing agents and the increases of data transmitted is negligible. Fixes #18627 Change-Id: I575a98d589e048aa39d976a3c984550daaca730a Reviewed-on: https://go-review.googlesource.com/37328 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go
@@ -328,7 +328,7 @@ func sanitizeCookieValue(v string) string {
 	if len(v) == 0 {
 		return v
 	}
-	if v[0] == ' ' || v[0] == ',' || v[len(v)-1] == ' ' || v[len(v)-1] == ',' {
+	if strings.IndexByte(v, ' ') >= 0 || strings.IndexByte(v, ',') >= 0 {
 		return `"` + v + `"`
 	}
 	return v
diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go
@@ -69,7 +69,7 @@ var writeSetCookiesTests = []struct {
 	// are disallowed by RFC 6265 but are common in the wild.
 	{
 		&Cookie{Name: "special-1", Value: "a z"},
-		`special-1=a z`,
+		`special-1="a z"`,
 	},
 	{
 		&Cookie{Name: "special-2", Value: " z"},
@@ -85,7 +85,7 @@ var writeSetCookiesTests = []struct {
 	},
 	{
 		&Cookie{Name: "special-5", Value: "a,z"},
-		`special-5=a,z`,
+		`special-5="a,z"`,
 	},
 	{
 		&Cookie{Name: "special-6", Value: ",z"},
@@ -398,9 +398,12 @@ func TestCookieSanitizeValue(t *testing.T) {
 		{"foo\"bar", "foobar"},
 		{"\x00\x7e\x7f\x80", "\x7e"},
 		{`"withquotes"`, "withquotes"},
-		{"a z", "a z"},
+		{"a z", `"a z"`},
 		{" z", `" z"`},
 		{"a ", `"a "`},
+		{"a,z", `"a,z"`},
+		{",z", `",z"`},
+		{"a,", `"a,"`},
 	}
 	for _, tt := range tests {
 		if got := sanitizeCookieValue(tt.in); got != tt.want {

Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,7 @@ func sanitizeCookieValue(v string) string {`
`328`	`328`	`if len(v) == 0 {`
`329`	`329`	`return v`
`330`	`330`	`}`
`331`		`- if v[0] == ' ' \|\| v[0] == ',' \|\| v[len(v)-1] == ' ' \|\| v[len(v)-1] == ',' {`
	`331`	`+ if strings.IndexByte(v, ' ') >= 0 \|\| strings.IndexByte(v, ',') >= 0 {`
`332`	`332`	return `"` + v + `"`
`333`	`333`	`}`
`334`	`334`	`return v`