Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix issue when parsing invalid cookies #34

Merged
merged 4 commits into from
May 30, 2018
Merged

Fix issue when parsing invalid cookies #34

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
544d394
Fix issue when parsing invalid cookies
danielmcq Apr 18, 2018
46dabdc
Warn when cookie header is invalid
danielmcq May 25, 2018
e25d725
Fix code to conform to jshint rules
danielmcq May 25, 2018
1730d38
Make bad cookie logic more obvious on what it is checking for
danielmcq May 25, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 16 additions & 5 deletions cookiejar.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,11 +67,22 @@
if (this instanceof Cookie) {
var parts = str.split(";").filter(function (value) {
return !!value;
}),
pair = parts[0].match(/([^=]+)=([\s\S]*)/),
key = pair[1],
value = pair[2],
i;
});
var i;

var pair = parts[0].match(/([^=]+)=([\s\S]*)/);
if (!pair) {
console.warn("Invalid cookie header encountered. Header: '"+str+"'");
return;
}

var key = pair[1];
var value = pair[2];
if (!key || !value) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should probably be:

if ( typeof key === 'undefined' || typeof value === 'undefined' ) {

Otherwise, if you have a false-y value like 0 we'll blow up.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess !'0' actually evaluates false. Is an empty string a valid value per the spec?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. If the name-value-pair string lacks a %x3D ("=") character,
    ignore the set-cookie-string entirely.

  2. The (possibly empty) name string consists of the characters up
    to, but not including, the first %x3D ("=") character, and the
    (possibly empty) value string consists of the characters after
    the first %x3D ("=") character.

  3. Remove any leading or trailing WSP characters from the name
    string and the value string.

  4. If the name string is empty, ignore the set-cookie-string
    entirely.

So we should probably do:

if ( typeof key !== 'string' || key.length === 0 || typeof value !== 'string' ) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. Empty strings are falsy. The string '0' is also falsy. Everything extracted via the regex would be a string, unless we were to try to cast it. https://developer.mozilla.org/en-US/docs/Glossary/Falsy

console.warn("Unable to extract values from cookie header. Cookie: '"+str+"'");
return;
}

this.name = key;
this.value = value;

Expand Down