code review 86050045: net/http: allow commas and spaces in cookie values

net/http: allow commas and spaces in cookie values

According to RFC 6265 a cookie value may contain neither
commas nor spaces but such values are very common in the
wild and browsers handle them very well so we'll allow
both commas and spaces.
Values starting or ending in a comma or a space are
sent in the quoted form to prevent missinterpetations.

RFC 6265 conforming values are handled as before and
semicolons, backslashes and double-quotes are still
disallowed.

Fixes issue 7243

[volker.dobler, 2014-04-10 08:09:23]

Hello nigeltao@golang.org (cc: bradfitz@golang.org,
golang-codereviews@googlegroups.com),

I'd like you to review this change to
https://code.google.com/p/go/

[nigeltao, 2014-04-11 06:54:47]

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go
File src/pkg/net/http/cookie.go (right):

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:298: // but we produce a quoted cookie-value in case
the value starts or ends
s/in case/when/

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:299: // with a comma or space.
I'd add
// See http://golang.org/issue/7243 for the discussion.

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:311: func validCookieValueByte(b byte) bool {
validCookieValueByte is the same now as isCookieByte, no?

[nigeltao, 2014-04-11 07:21:10]

Just checking that I understand the intended behavior. After this CL:

A Go server can now set commas and spaces in cookies, adding quotes to write
things like:
Set-Cookie: foo=",z"

A Go server will not send
Set-Cookie: foo=,z
without quotes, but the Go client will still accept this.

The Go client will strip quotes if present, so that it treats these two:
Set-Cookie: foo=,z
Set-Cookie: foo=",z"
as equivalent. Non-Go clients, and especially browsers (as inspected via
Javascript via alert(document.cookie), see below) don't actually strip the
quotes, but in a Go server -> browser -> Go server round trip, the Go code
(above the net/http layer) won't see quotes at either end.

Test program:
--------
package main

import (
	"fmt"
	"log"
	"net/http"
	"strconv"
	"time"
)

func main() {
	http.HandleFunc("/get", handleGet)
	http.HandleFunc("/set", handleSet)
	log.Fatal(http.ListenAndServe(":8080", nil))
}

func handleGet(w http.ResponseWriter, req *http.Request) {
	// Edit the Cookie.String code in the net/http package's cookie.go to add quote
marks.
	c, _ := req.Cookie("foobar")
	if c != nil {
		fmt.Printf("get %q\n", c.Value)
	} else {
		fmt.Printf("get -\n")
	}
	w.Write([]byte(`<html><body>Go back to <a
href="/set">/set</a>.</body></html>`))
}

func handleSet(w http.ResponseWriter, req *http.Request) {
	nanos := strconv.Itoa(time.Now().Nanosecond())
	fmt.Printf("set %q\n", nanos)
	http.SetCookie(w, &http.Cookie{
		Name:    "foobar",
		Value:   nanos,
		Expires: time.Now().Add(1 * time.Hour),
	})
	fmt.Fprintf(w, `<html><head>`+
		`<script>alert(document.cookie)</script>`+
		`<meta http-equiv="refresh" content="0; url=/get"></head></html>`)
}
--------

[volker.dobler, 2014-04-11 09:50:50]

On Fri, Apr 11, 2014 at 9:21 AM, <nigeltao@golang.org> wrote:

> Just checking that I understand the intended behavior. After this CL:
>
> A Go server can now set commas and spaces in cookies, adding quotes to
> write things like:
> Set-Cookie: foo=",z"
>
Yes. The quotes are added automatically if needed user of
net/http don't have to care about this.


> A Go server will not send
> Set-Cookie: foo=,z
> without quotes, but the Go client will still accept this.
>
Yes (for send) and yes (for accept)
(For send just almost: I think it is possible to manually add such
a header via Header.Add; but yes, not through http.SetCookie.)

>
> The Go client will strip quotes if present, so that it treats these two:
> Set-Cookie: foo=,z
> Set-Cookie: foo=",z"
> as equivalent.

Yes.
Unconditional yes for commas, for spaces
Set-Cookie: foo=" z"
Set-Cookie: foo= z
differ: The value in the second case is just "z" but this space
removal is mandated by RFC 6265: Step 4 of the Set-Cookie
parsing algorithm in section 5.2.


> Non-Go clients, and especially browsers (as inspected via
> Javascript via alert(document.cookie), see below) don't actually strip
> the quotes, but in a Go server -> browser -> Go server round trip, the
> Go code (above the net/http layer) won't see quotes at either end.
>
Yes. (Same for curl if invoked with -c it will store the quoted values.)

V.



>
> Test program:
> --------
> package main
>
> import (
>         "fmt"
>         "log"
>         "net/http"
>         "strconv"
>         "time"
> )
>
> func main() {
>         http.HandleFunc("/get", handleGet)
>         http.HandleFunc("/set", handleSet)
>         log.Fatal(http.ListenAndServe(":8080", nil))
> }
>
> func handleGet(w http.ResponseWriter, req *http.Request) {
>         // Edit the Cookie.String code in the net/http package's cookie.go
> to
> add quote marks.
>         c, _ := req.Cookie("foobar")
>         if c != nil {
>                 fmt.Printf("get %q\n", c.Value)
>         } else {
>                 fmt.Printf("get -\n")
>         }
>         w.Write([]byte(`<html><body>Go back to <a
> href="/set">/set</a>.</body></html>`))
> }
>
> func handleSet(w http.ResponseWriter, req *http.Request) {
>         nanos := strconv.Itoa(time.Now().Nanosecond())
>         fmt.Printf("set %q\n", nanos)
>         http.SetCookie(w, &http.Cookie{
>                 Name:    "foobar",
>                 Value:   nanos,
>                 Expires: time.Now().Add(1 * time.Hour),
>         })
>         fmt.Fprintf(w, `<html><head>`+
>                 `<script>alert(document.cookie)</script>`+
>                 `<meta http-equiv="refresh" content="0;
> url=/get"></head></html>`)
> }
> --------
>
> https://codereview.appspot.com/86050045/
>



-- 
Dr. Volker Dobler

[volker.dobler, 2014-04-11 09:51:19]

PTAL

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go
File src/pkg/net/http/cookie.go (right):

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:298: // but we produce a quoted cookie-value in case
the value starts or ends
On 2014/04/11 06:54:47, nigeltao wrote:
> s/in case/when/

Done.

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:299: // with a comma or space.
On 2014/04/11 06:54:47, nigeltao wrote:
> I'd add
> // See http://golang.org/issue/7243 for the discussion.

Done.

https://codereview.appspot.com/86050045/diff/80001/src/pkg/net/http/cookie.go...
src/pkg/net/http/cookie.go:311: func validCookieValueByte(b byte) bool {
On 2014/04/11 06:54:47, nigeltao wrote:
> validCookieValueByte is the same now as isCookieByte, no?

Yes.
I kept the two functions to limit the impact of the CL.

The whole handling of the attribute values is now a bit
strange and should be tightened. I created
https://code.google.com/p/go/issues/detail?id=7751
for this.

[nigeltao, 2014-04-14 00:21:49]

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.go
File src/pkg/net/http/cookie.go (right):

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.g...
src/pkg/net/http/cookie.go:313: return 0x1f < b && b < 0x7f && b != '"' && b !=
';' && b != '\\'
Changing
0x1f < b
to the equivalent
0x20 <= b
would be consistent with validCookiePathByte.

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.g...
src/pkg/net/http/cookie.go:360: return parseCookieValueUsing(raw, isCookieByte)
I know that you're trying to limit the impact of this CL, but as
parseCookieValueUsing is called only once, here, then I'd just inline it here
(and hard-code the validByte function). I'd also inline the unquoteCookieValue
function. The "for i := 0; i < len(raw); i++ {" loop can also then become a
for/range:

func parseCookieValue(raw string) (string, bool) {
	// Strip the quotes, if present.
	if len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
		raw = raw[1 : len(raw)-1]
	}
	for _, b := range raw {
		if !validCookieValueByte(b) {
			return "", false
		}
	}
	return raw, true
}

I'd still also collapse the equivalent validCookieValueByte and isCookieByte to
one: validCookieValueByte.

[volker.dobler, 2014-04-14 09:12:23]

PTAL

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.go
File src/pkg/net/http/cookie.go (right):

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.g...
src/pkg/net/http/cookie.go:313: return 0x1f < b && b < 0x7f && b != '"' && b !=
';' && b != '\\'
On 2014/04/14 00:21:50, nigeltao wrote:
> Changing
> 0x1f < b
> to the equivalent
> 0x20 <= b
> would be consistent with validCookiePathByte.

Done.

https://codereview.appspot.com/86050045/diff/100001/src/pkg/net/http/cookie.g...
src/pkg/net/http/cookie.go:360: return parseCookieValueUsing(raw, isCookieByte)
On 2014/04/14 00:21:50, nigeltao wrote:
> I know that you're trying to limit the impact of this CL, but as
> parseCookieValueUsing is called only once, here, then I'd just inline it here
> (and hard-code the validByte function). I'd also inline the unquoteCookieValue
> function. The "for i := 0; i < len(raw); i++ {" loop can also then become a
> for/range:
> 
> func parseCookieValue(raw string) (string, bool) {
> 	// Strip the quotes, if present.
> 	if len(raw) > 1 && raw[0] == '"' && raw[len(raw)-1] == '"' {
> 		raw = raw[1 : len(raw)-1]
> 	}
> 	for _, b := range raw {
> 		if !validCookieValueByte(b) {
> 			return "", false
> 		}
> 	}
> 	return raw, true
> }
> 
> I'd still also collapse the equivalent validCookieValueByte and isCookieByte
to
> one: validCookieValueByte.

Done, almost:
Iterating raw must be on bytes, not runes, so no for/range.

[nigeltao, 2014-04-17 05:59:04]

LGTM.

[nigeltao, 2014-04-17 06:01:31]

*** Submitted as https://code.google.com/p/go/source/detail?r=f1f593b2b24e ***

net/http: allow commas and spaces in cookie values

According to RFC 6265 a cookie value may contain neither
commas nor spaces but such values are very common in the
wild and browsers handle them very well so we'll allow
both commas and spaces.
Values starting or ending in a comma or a space are
sent in the quoted form to prevent missinterpetations.

RFC 6265 conforming values are handled as before and
semicolons, backslashes and double-quotes are still
disallowed.

Fixes issue 7243

LGTM=nigeltao
R=nigeltao
CC=bradfitz, golang-codereviews
https://codereview.appspot.com/86050045

Committer: Nigel Tao <nigeltao@golang.org>