Ignore Set-Cookie Directive where both name and value are empty

BUG=392295 Review URL: https://codereview.chromium.org/405233004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285932 0039d316-1c4b-4281-b951-d872f2087c98
qweri0p · Jul 28, 2014 · 8fbe410 · 8fbe410
1 parent ca190c8
commit 8fbe410
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/net/cookies/parsed_cookie.cc b/net/cookies/parsed_cookie.cc
@@ -410,6 +410,12 @@ void ParsedCookie::ParseTokenValuePairs(const std::string& cookie_line) {
 }
 
 void ParsedCookie::SetupAttributes() {
+  // Ignore Set-Cookie directive where name and value are both empty.
+  if (pairs_[0].first.empty() && pairs_[0].second.empty()) {
+    pairs_.clear();
+    return;
+  }
+
   // We skip over the first token/value, the user supplied one.
   for (size_t i = 1; i < pairs_.size(); ++i) {
     if (pairs_[i].first == kPathTokenName) {

diff --git a/net/cookies/parsed_cookie.h b/net/cookies/parsed_cookie.h
@@ -25,6 +25,8 @@ class NET_EXPORT ParsedCookie {
   static const int kMaxPairs = 16;
 
   // Construct from a cookie string like "BLAH=1; path=/; domain=.google.com"
+  // Format is according to RFC 6265. Cookies with both name and value empty
+  // will be considered invalid.
   ParsedCookie(const std::string& cookie_line);
   ~ParsedCookie();
 

diff --git a/net/cookies/parsed_cookie_unittest.cc b/net/cookies/parsed_cookie_unittest.cc
@@ -18,6 +18,21 @@ TEST(ParsedCookieTest, TestBasic) {
   EXPECT_EQ("b", pc.Value());
 }
 
+TEST(ParsedCookieTest, TestEmpty) {
+  ParsedCookie pc1("=; path=/; secure;");
+  EXPECT_FALSE(pc1.IsValid());
+  ParsedCookie pc2("= ; path=/; secure;");
+  EXPECT_FALSE(pc2.IsValid());
+  ParsedCookie pc3(" =; path=/; secure;");
+  EXPECT_FALSE(pc3.IsValid());
+  ParsedCookie pc4(" = ; path=/; secure;");
+  EXPECT_FALSE(pc4.IsValid());
+  ParsedCookie pc5(" ; path=/; secure;");
+  EXPECT_FALSE(pc5.IsValid());
+  ParsedCookie pc6("; path=/; secure;");
+  EXPECT_FALSE(pc6.IsValid());
+}
+
 TEST(ParsedCookieTest, TestQuoted) {
   // These are some quoting cases which the major browsers all
   // handle differently.  I've tested Internet Explorer 6, Opera 9.6,
@@ -184,13 +199,13 @@ TEST(ParsedCookieTest, TrailingWhitespace) {
 
 TEST(ParsedCookieTest, TooManyPairs) {
   std::string blankpairs;
-  blankpairs.resize(ParsedCookie::kMaxPairs - 1, ';');
+  blankpairs.resize(ParsedCookie::kMaxPairs - 2, ';');
 
-  ParsedCookie pc1(blankpairs + "secure");
+  ParsedCookie pc1("a=b;" + blankpairs + "secure");
   EXPECT_TRUE(pc1.IsValid());
   EXPECT_TRUE(pc1.IsSecure());
 
-  ParsedCookie pc2(blankpairs + ";secure");
+  ParsedCookie pc2("a=b;" + blankpairs + ";secure");
   EXPECT_TRUE(pc2.IsValid());
   EXPECT_FALSE(pc2.IsSecure());
 }