Steps to reproduce

Open developer tools and create a new cookie that has `%` in its name. You'll find `request.cookies.all` is empty.

My problem

My site is `mysite.example.com` and `example.com` is not under my control. When a user accesses `example.com`, it sets the cookie `some%40key=value` with `Domain=.example.com` (`%40` is the URL-encoded `@`). This cookie also affects my site.

Vapor cannot parse cookies that have `%` in their name. (Similar issue: #2359)
According to RFC 6265:

cookie-name = <token, defined in [RFC2616], Section 2.2>

And according to RFC 2616:

If I understand correctly, `%` is valid.

`firstParameterToken` tries to find `=` to separate the cookie name and value. But it fails when it finds a character that is `!character.isDirectiveKey`. (vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Directive.swift, lines 133 to 143 in 45d19c3)

And `%` is not `isDirectiveKey`. (vapor/Sources/Vapor/HTTP/Headers/HTTPHeaders+Directive.swift, lines 249 to 251 in 45d19c3)
`HTTPCookies.init` returns `nil` if there's an invalid directive. (vapor/Sources/Vapor/HTTP/Headers/HTTPCookies.swift, lines 241 to 249 in 45d19c3)

So a `%` cookie breaks all other cookies. (I think this initializer should just ignore invalid directives.)
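As an added example (this is not Vapor's code and not the issue author's), here is a Cookie header parser in Python that checks cookie names against the RFC 2616 token charset the issue quotes, where `%` is a legal character but `@`, space and the other separators are not. It puts the all-or-nothing behaviour described above next to a fail-soft variant that drops only the malformed pair, which is the fix the issue proposes. The header value is constructed for the example and the function names are my own.

```python
"""Added example, not Vapor code: strict versus fail-soft parsing of a
Cookie request header under RFC 6265 / RFC 2616 token rules.
Function names and the sample header below are constructed for this example."""
from typing import Dict, List, Optional, Tuple

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>.
# '%' is not a separator, so "some%40key" is a valid cookie-name;
# '@' and SP are separators, so "user@host" and "bad name" are not.
_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')
_TOKEN_CHARS = frozenset(chr(c) for c in range(0x21, 0x7F)) - _SEPARATORS

# RFC 6265 cookie-octet: printable US-ASCII except DQUOTE, comma,
# semicolon and backslash; the whole value may be wrapped in DQUOTEs.
_COOKIE_OCTETS = frozenset(chr(c) for c in range(0x21, 0x7F)) - frozenset('",;\\')


def is_token(name: str) -> bool:
    """True if `name` is a non-empty RFC 2616 token."""
    return bool(name) and all(ch in _TOKEN_CHARS for ch in name)


def is_cookie_value(value: str) -> bool:
    """True if `value` is an RFC 6265 cookie-value (empty is allowed)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return all(ch in _COOKIE_OCTETS for ch in value)


def _split_pair(pair: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) for a well-formed cookie-pair, else None."""
    name, eq, value = pair.partition("=")
    if not eq or not is_token(name) or not is_cookie_value(value):
        return None
    return name, value


def parse_cookie_header_strict(header: str) -> Optional[Dict[str, str]]:
    """All-or-nothing: one malformed pair and the whole header is rejected.
    This mirrors the behaviour the issue describes for HTTPCookies.init:
    a single odd cookie set by the parent domain hides the session cookie."""
    cookies: Dict[str, str] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parsed = _split_pair(raw)
        if parsed is None:
            return None
        cookies[parsed[0]] = parsed[1]
    return cookies


def parse_cookie_header_lenient(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Fail-soft: keep every well-formed pair and return the rejected raw
    pairs separately so the caller can log them instead of losing everything."""
    cookies: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parsed = _split_pair(raw)
        if parsed is None:
            rejected.append(raw)
        else:
            cookies[parsed[0]] = parsed[1]
    return cookies, rejected


# Constructed sample header: the app's own session cookie, the parent-domain
# cookie from the issue (valid), plus two pairs that really are malformed.
SAMPLE_HEADER = "session=abc123; some%40key=value; bad name=1; user@host=x"

if __name__ == "__main__":
    print(parse_cookie_header_strict(SAMPLE_HEADER))   # None: session lost
    print(parse_cookie_header_lenient(SAMPLE_HEADER))  # session kept, bad pairs listed
```

The practical point is that a cookie parser on `mysite.example.com` runs on input partly controlled by whoever can set cookies for `.example.com`. With the strict behaviour, any sibling host on the parent domain can knock out session handling on the subdomain just by setting one cookie the parser dislikes; the lenient parser confines the damage to that one pair.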