fix: cookie-av allows arbitrary casing #349
Conversation
Thanks for the patch! I agree that we should fix this. There is one issue in the lib change, and fixing this bug appears to break an existing test, which will need to be updated.
lib/rack/test/cookie_jar.rb
Outdated
@@ -28,7 +28,7 @@ def initialize(raw, uri = nil, default_host = DEFAULT_HOST) | |||
@raw, options = raw.split(/[;,] */n, 2) | |||
|
|||
@name, @value = parse_query(@raw, ';').to_a.first | |||
@options = parse_query(options, ';') | |||
@options = parse_query(options, ';').transform_keys(&:downcase) |
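Review bot: `Hash#transform_keys` on the added line does not exist before Ruby 2.5, so this fails on the older Rubies the project still supports (the review below notes 2.0); building the hash in a plain loop over `parse_query(options, ';')` and writing `k.downcase` as the key avoids the newer API. Downcasing only the keys is the right scope: attribute values such as the `Path` string keep their case, and if the same attribute appears twice with different casing (`Path=/a; path=/b`) the later entry overwrites the earlier one, which matches the last-one-wins handling of duplicate attributes in RFC 6265.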
rack-test supports back to Ruby 2.0, so you'll have to change this to use a backwards-compatible implementation.
I think I introduced a correct fix, but I'm currently installing 2.0.0p0 to confirm.
I have not managed to install 2.0.0; I'm now going to hope CI runs for it.
According to [RFC6265](https://httpwg.org/specs/rfc6265.html#sane-set-cookie), cookie attributes are supposed to be ~PascalCase (`Path`, `HttpOnly`, `Secure`, etc). In practice, browsers are lax in their interpretation of cookie attributes and will allow arbitrary casing (`path`, `Path`, `pAtH`, etc). Prior to this PR, `Rack::Test::Cookie` only supported lowercased cookie attributes, but this PR allows it to have any casing, making it behave closer to browsers and other cookie jars.

- [Python](https://github.com/python/cpython/blob/f0d3f10c43c9029378adba11a65b3d1287e4be32/Lib/http/cookiejar.py#L511-L512)
- [Go](https://cs.opensource.google/go/go/+/master:src/net/http/cookie.go;l=126-131;drc=592da0ba474b94b6eceee62b5613f1c9c1ed9c89?q=cookie&ss=go%2Fgo)
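The behaviour the description asks for, as an added stand-alone example that is not rack-test's code: a minimal `Set-Cookie` parser (hypothetical helper `parse_set_cookie`) that lowercases attribute names so that `Path`, `path` and `pAtH` all populate the same key, leaves attribute values untouched, lets a repeated attribute overwrite an earlier one, and avoids `Hash#transform_keys` and `Array#to_h` so it also runs on the older Rubies the review mentions. The sample headers are constructed.

```ruby
# Added example, not rack-test's own code. Parses one Set-Cookie header value
# into name, value and an options hash whose keys are lowercased attribute
# names (attribute values keep their original case). Written without
# Hash#transform_keys or Array#to_h so it runs on Ruby 2.0-era interpreters.

# Hypothetical helper, not part of rack-test.
def parse_set_cookie(header)
  name_value, *attrs = header.split(/;\s*/)
  name, value = name_value.split('=', 2)
  options = {}
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    next if k.nil? || k.strip.empty?
    # Later attributes overwrite earlier ones: a repeated "Path" (in any
    # casing) ends up with the last value, the way RFC 6265 processes duplicates.
    options[k.strip.downcase] = v.nil? ? true : v.strip
  end
  { name: name, value: value, options: options }
end

# Lookups that do not care how the server spelled the attribute.
def cookie_path(cookie)
  cookie[:options]['path']
end

def cookie_secure?(cookie)
  !!cookie[:options]['secure']
end

def cookie_http_only?(cookie)
  !!cookie[:options]['httponly']
end

if __FILE__ == $0
  # Constructed sample headers, one per casing style; all three parse identically.
  ['session=abc123; Path=/app; HttpOnly; Secure',
   'session=abc123; path=/app; httponly; secure',
   'session=abc123; pAtH=/app; HTTPONLY; SeCuRe'].each do |h|
    c = parse_set_cookie(h)
    puts "#{h.inspect} -> path=#{cookie_path(c)} secure=#{cookie_secure?(c)} httponly=#{cookie_http_only?(c)}"
  end
end
```

Value-less attributes (`Secure`, `HttpOnly`) are stored as `true`, so a lookup against the lowercased key answers "is this flag set" without a second case-folding step at every call site.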
dfd71de to 1e4a44a
lib/rack/test/cookie_jar.rb
Outdated
@@ -28,7 +28,7 @@ def initialize(raw, uri = nil, default_host = DEFAULT_HOST) | |||
@raw, options = raw.split(/[;,] */n, 2) | |||
|
|||
@name, @value = parse_query(@raw, ';').to_a.first | |||
@options = parse_query(options, ';') | |||
@options = parse_query(options, ';').map { |k, v| [k.downcase, v] }.to_h |
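Review bot: `Array#to_h` on the added line is missing on Ruby 2.0 (it arrived in 2.1, as the reply below notes), so the downcasing still fails on the oldest supported version; `Hash[parse_query(options, ';').map { |k, v| [k.downcase, v] }]` produces the same hash on every supported Ruby, as does an `each_with_object({})` loop. Since the earlier review says the fix changes an existing test, a spec asserting that mixed-case attributes such as `pAtH` and `HttpOnly` are recognised would keep this from regressing.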
I guess Array#to_h was added in 2.1 :(
Thanks for working on this and getting CI fixed. I squash merged this at 16a3c5c.
Thanks a lot for handling it this fast!
Would you be able to cut a release that includes this please?
It has been a while since the last release, so I can try to do that before the end of the year.