net/http: expires cookie does not follow IETF RFC6265 specification for boundaries #17632
Labels
Milestone
Comments
|
CL https://golang.org/cl/32142 mentions this issue. |
rakyll
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What version of Go are you using (
go version)?1.7.1
What operating system and processor architecture are you using (
go env)?GOHOSTOS="darwin"
GOOS="darwin"
GOARCH="amd64"
What did you do?
https://play.golang.org/p/G_tVNv_Is7
What did you expect to see?
sample=val; Expires=Sat, 01 Jan 2000 10:04:02 GMT
sample=val; Expires=Sat, 01 Jan 1700 10:04:02 GMT
What did you see instead?
sample=val; Expires=Sat, 01 Jan 2000 10:04:02 GMT
sample=val
According to IETF RFC6265 section 5.2.1, the Expires attribute should be parsed as a cookie-date, as specified in section 5.1.1. The lower bound for the year field, as listed in section 5.1.1, should be 1601 inclusive ("Abort these steps and fail to parse the cookie-date if... the year-value is less than 1601"). However, go seems to use epoch as a lower bound, as can be found here: https://github.com/golang/go/blob/master/src/net/http/cookie.go#L171
The text was updated successfully, but these errors were encountered: