net/http: document that SetCookie name must be valid #9758

Closed
carbocation opened this issue Feb 3, 2015 · 4 comments

@carbocation

In net/http, before cookies are read, they are checked to ensure they have a valid name. However, when setting a cookie, an invalid name may be used; rather than being permitted, this should trigger an error.

There is further discussion on the gorilla sessions topic in which it was suggested that I raise this possibility here.

To answer the questions in the guidelines:
What version of Go are you using (go version)? 1.4
What operating system and processor architecture are you using? OS X 64-bit
What did you do? Created a cookie with an empty name (or spaces, or other invalid characters) and set it in a way that was seemingly successful.
What did you expect to see? I expected to see an error.
What did you see instead? I saw my cookie get set, but I could not read it (as its name is invalid, and correctly filtered out on the reading end of things).

@mikioh changed the title from "net/http should reject setting cookies with invalid names" to "net/http: should reject setting cookies with invalid names" on Feb 3, 2015
@bradfitz
Contributor

bradfitz commented Feb 3, 2015

I'm not sure there's anything to do here. We can't change the signature to return an error, and a panic would be unexpected.

This might just be "Status: Unfortunate".

Maybe we just add documentation to say that the cookie name must be valid on Set-Cookie.

@bradfitz bradfitz added this to the Go1.5 milestone Feb 3, 2015
@carbocation
Author

Your point is well taken. Documentation would be valuable - and I wonder if a signature change for 2.0 could be considered (if I am correctly recalling the go compatibility guarantees)?

@adg
Contributor

adg commented Feb 3, 2015

@carbocation sure, the http package will change dramatically in 2.0. Lots of improvements to be made with API changes.

@rsc changed the title from "net/http: should reject setting cookies with invalid names" to "net/http: document that SetCookie name must be valid" on Jun 29, 2015
@gopherbot

CL https://golang.org/cl/11701 mentions this issue.

@golang golang locked and limited conversation to collaborators Jun 29, 2016
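
The thread settles on documentation because `http.SetCookie` has no error return. A caller who wants the error the reporter expected can validate the name before calling it. The following is an added example, not code from net/http or from anyone in this thread; `SetCookieChecked` and `validCookieName` are hypothetical helper names, and the sample cookie names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validCookieName reports whether name is a non-empty token, which is
// what RFC 6265 requires of a cookie-name (token as defined in RFC 7230).
func validCookieName(name string) bool {
	if name == "" {
		return false
	}
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("!#$%&'*+-.^_`|~", r):
		default:
			return false // space, '=', ';', control and non-ASCII characters
		}
	}
	return true
}

// SetCookieChecked (hypothetical helper) returns an error for an invalid
// name instead of leaving the caller to discover an unreadable cookie.
func SetCookieChecked(w http.ResponseWriter, c *http.Cookie) error {
	if !validCookieName(c.Name) {
		return fmt.Errorf("invalid cookie name %q", c.Name)
	}
	http.SetCookie(w, c)
	return nil
}

func main() {
	// Constructed sample names: the empty name and the name containing a
	// space are the cases described in the report.
	for _, name := range []string{"session", "", "my session", "a=b"} {
		rec := httptest.NewRecorder()
		err := SetCookieChecked(rec, &http.Cookie{Name: name, Value: "v"})
		fmt.Printf("%q err=%v header=%q\n", name, err, rec.Header().Get("Set-Cookie"))
	}
}
```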