From: Scytrin dai Kinthra
To: rack-devel@googlegroups.com
Date: Wed, 2 Dec 2009 09:19:10 -0800
Subject: Re: Cookie Handling [rack/rack GH-8]
Message-ID: <5a9d52bd0912020919re8d74ddu6c40a35996c57eda@mail.gmail.com>
In-Reply-To: <5a9d52bd0912020917q180168a3t48343dcc1f7fba1@mail.gmail.com>
X-Thread-Url: http://groups.google.com/group/rack-devel/t/8cc9d8384e136ac4
X-Message-Url: http://groups.google.com/group/rack-devel/msg/461cc93f8aaef349

I can see about fixing this today if no one else is claiming it.
--
stadik.net

On Dec 2, 2009 5:14 AM, "Christian Neukirchen" <chneukirchen@gmail.com> wrote:

mhat sent you a message.

--------------------
Rack appears to incorrectly handle cookies with values that are
quoted-strings. RFC2109 states that a value is a word and a word may be either
a token or a quoted-string. Rack is handling quoted-string values as
if they were tokens. Naturally this causes some problems.

It looks like the issue stems from the fact that Rack::Request#cookies
uses Rack::Utils.parse_query. What parse_query does makes sense for
parameters, but I think it is incorrect for cookie values.

If I have a cookie like so:
POST /acme/shipping HTTP/1.1
Cookie: $Version="1";
   Customer="WILE_E_COYOTE"; $Path="/acme";
   Part_Number="Rocket_Launcher_0001"; $Path="/acme"

The ruby String value for key Customer should be "WILE_E_COYOTE"
rather than "\"WILE_E_COYOTE\"".

You can imagine how this handling of quoted strings leads to
interoperability problems with other application stacks.

View this Issue online: http://github.com/rack/rack/issues#issue/8
--------------------
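
The quoted-string handling the report asks for, as an added example that is not part of the original messages and is not Rack's code. Both method names are hypothetical; the token-style parser is a stand-in for the behaviour described, and keeping the first occurrence of a repeated name is a choice made for this example.

```ruby
require 'strscan'

# Constructed sample: the Cookie header quoted in the issue report.
SAMPLE_COOKIE = '$Version="1"; Customer="WILE_E_COYOTE"; $Path="/acme"; ' \
                'Part_Number="Rocket_Launcher_0001"; $Path="/acme"'

# Token-style parsing (hypothetical stand-in for the reported behaviour):
# split on ';' and '=' and keep the raw value, quotes included.
def parse_cookies_as_tokens(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name] ||= value.to_s
  end
end

# RFC 2109 parsing: value = word, word = token | quoted-string.
# A quoted-string may contain ';' and backslash-escaped characters.
def parse_cookies_rfc2109(header)
  cookies = {}
  scanner = StringScanner.new(header)
  until scanner.eos?
    scanner.skip(/[\s;,]+/)                        # separators between pairs
    name = scanner.scan(/[^=;,\s]+/) or break      # stop on malformed input
    value = ''
    if scanner.skip(/\s*=\s*/)
      if scanner.peek(1) == '"'
        raw = scanner.scan(/"(?:[^"\\]|\\.)*"/)
        value = if raw
                  raw[1..-2].gsub(/\\(.)/, '\1')   # drop quotes, unescape
                else
                  scanner.scan(/[^;,]*/).strip     # unterminated: keep raw text
                end
      else
        value = scanner.scan(/[^;,\s]*/)           # plain token
      end
    end
    cookies[name] ||= value                        # first occurrence is kept
  end
  cookies
end

if __FILE__ == $PROGRAM_NAME
  p parse_cookies_as_tokens(SAMPLE_COOKIE)['Customer']
  p parse_cookies_rfc2109(SAMPLE_COOKIE)['Customer']
end
```

A value such as "x;y" shows why splitting on ';' before looking at the quotes cannot be repaired by stripping quotes afterwards.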
