Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed parsing of comma separated multiple cookies in one header field #30

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fixed parsing of comma separated multiple cookies in one header field #30

wants to merge 3 commits into from

Conversation

Smert
Copy link

@Smert Smert commented Oct 2, 2017
edited
Loading

What do you think about this fix?

https://tools.ietf.org/html/rfc2965

@danielmcq
Copy link
Contributor

This has the potential to break existing implementations. A safer approach would be to allow both the colon and the comma as delimiters. Either that or bump the major version of the library if the change is merged.

@andyburke
Copy link
Collaborator

I am open to discuss this, and I am willing to make a major version bump if we need to fix something to be RFC compliant.

First, (and this isn't really directed at you @Smert, but is something I'd like a change like this to fix up) that regex is defined quite a ways away from where it's actually used:

https://github.com/Smert/node-cookiejar/blob/40f482055cdc6901f5efc830b72dd6ba2de9ce23/cookiejar.js#L250

Secondly, my reading is that the Cookie.parse method is meant to work on a single cookie, and is doing so correctly. I think the CookieJar.setCookies method is the only place where we are splitting the cookie string according to the RFC, which states:

Informally, the Set-Cookie2 response header comprises the token Set-
   Cookie2:, followed by a comma-separated list of one or more cookies.
   Each cookie begins with a NAME=VALUE pair, followed by zero or more
   semi-colon-separated attribute-value pairs.

So that would seem to indicate to me that this is actually a good change. @danielmcq, I feel like maybe this is worth a major version bump, thoughts?

@Smert How about moving the regex closer to where it's actually used as part of this change? I was a bit confused by its current placement in the code.

@Smert
Copy link
Author

Smert commented Oct 3, 2017

@andyburke It should be noted that set-cookie2 is obsolete (https://tools.ietf.org/html/rfc6265). Fix will be useful for compatibility with rfc2965.

Might be a problem with commas in cookie-value

https://tools.ietf.org/html/rfc6265

cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Set-Cookie#Directives

A <cookie-value> can optionally be set in double quotes

I can fix parsing of quoted cookies-value.

@danielmcq
Copy link
Contributor

@andyburke Definitely in favor of a major version bump. Even though the behavior was incorrect according to standards, it's been that way for long enough in this library that fixing it would mean that there are plenty of people that would need to make changes to how they've been using it. A major version would help indicate that there may be changes needed in their code before upgrading.

@Smert Smert force-pushed the comma-separated-cookies branch from ae49415 to 0a2fb98 Compare October 3, 2017 16:07
@danielmcq danielmcq mentioned this pull request May 25, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Smert @danielmcq @andyburke