http icon indicating copy to clipboard operation
http copied to clipboard

Published 20 hours ago verified publisher icon dart-lang

Issue on parsing set-cookie

Open JJack27 opened this issue 5 years ago • 2 comments
trafficstars

Bug Description When parsing set-cookie, some semicolon ; will be parsed as comma ,

Example {set-cookie: csrftoken=ZA7fXs4ScVxMLdMIhWlFEK3ZNVJPsZ1hTi10UDYTxKladlSGcehmx3piUi7f9lLv; expires=Tue, 26 Oct 2021 02:23:26 GMT; Max-Age=31449600; Path=/; SameSite=Lax,sessionid=m7jhocc4gvob79r4txtl9r0nuws25yr7; expires=Tue, 10 Nov 2020 02:23:26 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax, vary: Accept, Cookie, content-length: 45, content-type: application/json, x-frame-options: DENY, x-content-type-options: nosniff, allow: POST, OPTIONS}

Reproduction Send login request to any Django project with rest-framework.

JJack27 avatar Oct 27 '20 02:10 JJack27

Yes, it was a bad decision to store headers in Map instead of List. It makes me to perform value parsing. It may be better to store values with the same header as a list, rather than combining them into a single string using the , separator.

darkstarx avatar Nov 15 '20 14:11 darkstarx

Looks like it joins multiple set-cookie with comma https://github.com/dart-lang/http/blob/master/lib/src/io_client.dart#L43 At least for server side http client.

lem8r avatar Mar 08 '21 14:03 lem8r

Yes, headers should always be Map<String, List<String> as they may occur multiple times. Joining them by , makes it difficult to parse. Example:

csrf_token_5c349d55abcda945dde7b96dc14a4105480ede67710fc0f844c0b2ab2b2ff947=wpAv+VK/mtsg5zdo7evDq8UXD0Pfqkrf/LfbiOp7ljA=; Path=/; Domain=example.com; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax,ory_kratos_session=MTY3MjI3MjExNnxDcmp2LS0wRlpoOGhYeXlEU3lJRVZZMV9wTUFXd3FRZ0pJM0FQQU1MYmp0RXNpcXdybDhRWjdTVDV2RDFNWk92THVaMXhxZnU3VmFjSEVFaFFVV2g0cmYxcVE2VWVSeTg0SDN2U3c3R2RqTzdYWUp0d0RJeDVEZnZJX0dMQzJ4THlINmZvQ3NYaG1JNjVfRzRlaFhIdk45c0hoYTJNSm9GY0dOZlFOV2JrV0s4SFR4YVd2bEpiSkkzYkQ4Tmt0am1NRlRybFpMRm9BMlFkbFItSTM5QXJvaEJoMWR0QVM5WnlqcnhHSUF6SmlaN3VkWHhBWjlvRE11cGhydVRIQUR4VlFoQnhuTkVQVk1GfGKh3_ig1tdFqAbPhVyw5xZqL6r8qJ5Z9hhKuEVXtnyB; Path=/; Domain=example.com; Expires=Fri, 30 Dec 2022 00:01:55 GMT; Max-Age=86399; HttpOnly; Secure; SameSite=Lax

In the current state, cookie handling is pretty much broken since 2015. How sad for an http library.

See also: #462, #362, #24, #20

micheljung avatar Dec 29 '22 00:12 micheljung

The issue is quite old, and unfortunately, it has been ignored. This is concerning since it involves one of the main packages in the Dart infrastructure. Specifically, regarding cookies, the RFC 9110 document mentions a particular point that the logic of concatenating with commas doesn't work with them. Maybe we should add a separate field in the interface? Or should we release a breaking change? Many developers would be grateful.

yehorh avatar Nov 17 '23 11:11 yehorh

This is a duplicate of the issue https://github.com/dart-lang/http/issues/24, which has been fixed.

brianquinlan avatar Jan 12 '24 21:01 brianquinlan