According to the quoted RFC 6265, section 4.2.2:

Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.

The relevant function Cookie::get (headers/src/common/cookie.rs, lines 45 to 49 in ffca4a9) does not comply with that: instead, it only takes the first cookie value of a certain name.

The documentation should call this out, especially if this is not a de-facto standard somewhere, because then it can create security vulnerabilities with different parts of a web stack taking different (first, last) values of a cookie with a certain name as authoritative.
tbu- changed the title from "Cookie parsing does not adhere to RFC" to "Cookie parsing does not adhere to RFC (concerning multiple values with the same key)" on Jul 27, 2022
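As an added example (not code from the `headers` crate or from the reporter), the mismatch the issue describes: a constructed Cookie header carrying the same name twice is read by a first-wins lookup, a last-wins lookup, and a strict lookup that reports the duplicate instead of silently choosing one; `parse_cookie_header` is a minimal hypothetical parser written only for this illustration.

```rust
// Added example: first-wins vs last-wins lookups on a duplicated cookie name,
// plus a strict lookup that refuses to guess. Not the headers crate's code.

/// Minimal constructed parser: split on ';', then each pair on its first '='.
fn parse_cookie_header(header: &str) -> Vec<(String, String)> {
    header
        .split(';')
        .filter_map(|pair| {
            let (name, value) = pair.trim().split_once('=')?;
            Some((name.trim().to_string(), value.trim().to_string()))
        })
        .collect()
}

/// First occurrence wins (the behaviour the issue describes for Cookie::get).
fn get_first<'a>(cookies: &'a [(String, String)], name: &str) -> Option<&'a str> {
    cookies.iter().find(|(n, _)| n == name).map(|(_, v)| v.as_str())
}

/// Last occurrence wins (what another layer of the stack might implement).
fn get_last<'a>(cookies: &'a [(String, String)], name: &str) -> Option<&'a str> {
    cookies.iter().rev().find(|(n, _)| n == name).map(|(_, v)| v.as_str())
}

/// Strict lookup: Ok(Some) only when the name occurs exactly once; Err carries
/// the duplicate count so the caller can reject the request or log it.
fn get_unique<'a>(cookies: &'a [(String, String)], name: &str) -> Result<Option<&'a str>, usize> {
    let matches: Vec<&str> = cookies
        .iter()
        .filter(|(n, _)| n == name)
        .map(|(_, v)| v.as_str())
        .collect();
    match matches.len() {
        0 => Ok(None),
        1 => Ok(Some(matches[0])),
        n => Err(n),
    }
}

fn main() {
    // Constructed header: "session" appears twice, as it can when two cookies
    // of the same name were set with different Path or Domain attributes.
    let cookies = parse_cookie_header("session=one; theme=dark; session=two");
    println!("first-wins: {:?}", get_first(&cookies, "session")); // Some("one")
    println!("last-wins:  {:?}", get_last(&cookies, "session")); // Some("two")
    println!("strict:     {:?}", get_unique(&cookies, "session")); // Err(2)
}
```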