From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
Received: by 10.142.191.1 with HTTP; Wed, 2 Dec 2009 05:13:58 -0800 (PST)
Date: Wed, 2 Dec 2009 14:13:58 +0100
Delivered-To: chneukirchen@gmail.com
Message-ID:
Subject: Cookie Handling [rack/rack GH-8]
From: Christian Neukirchen
To: rack-devel@googlegroups.com
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

mhat sent you a message.

--------------------
Rack appears to incorrectly handle cookies with values that are
quoted-strings. RFC2109 states that a value is a word and a word may be
either a token or a quoted-string. Rack is handling quoted-string values
as if they were tokens. Naturally this causes some problems.

It looks like the issue stems from the fact that Rack::Request#cookies
uses Rack::Utils.parse_query. What parse_query does makes sense for
parameters, but I think it is incorrect for cookie values.

If I have a cookie like so:

    POST /acme/shipping HTTP/1.1
    Cookie: $Version="1";
        Customer="WILE_E_COYOTE"; $Path="/acme";
        Part_Number="Rocket_Launcher_0001"; $Path="/acme"

The Ruby String value for key Customer should be "WILE_E_COYOTE" rather
than "\"WILE_E_COYOTE\"". You can imagine how this handling of quoted
strings leads to interoperability problems with other application stacks.

View this Issue online: http://github.com/rack/rack/issues#issue/8
--------------------
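The difference described in the message, as an added example that is not part of the original report and is not Rack's code. The function names are hypothetical: naive_cookies is a stand-in for query-string style splitting, and rfc2109_cookies reads each value as a token or a quoted-string.

```ruby
require 'strscan'

# Constructed sample: the Cookie header quoted in the message above.
SAMPLE = '$Version="1"; Customer="WILE_E_COYOTE"; $Path="/acme"; ' \
         'Part_Number="Rocket_Launcher_0001"; $Path="/acme"'

# Stand-in for query-string style parsing (an assumption, not Rack's code):
# split on separators and keep the raw value, quotes included.
def naive_cookies(header)
  header.split(/[;,]\s*/).each_with_object({}) do |pair, out|
    next if pair.strip.empty?
    name, value = pair.split('=', 2)
    out[name.strip] ||= value.to_s
  end
end

# RFC 2109 grammar: value = word, word = token | quoted-string.
TOKEN  = /[^\x00-\x20\x7f()<>@,;:\\"\/\[\]?={}]+/
QUOTED = /"((?:[^"\\]|\\.)*)"/

def rfc2109_cookies(header)
  s = StringScanner.new(header)
  out = {}
  until s.eos?
    s.skip(/[\s;,]*/)                     # separators between cookies
    break if s.eos?
    name = s.scan(TOKEN) or raise ArgumentError, "bad name at #{s.pos}"
    s.skip(/\s*=\s*/) or raise ArgumentError, "missing '=' at #{s.pos}"
    value =
      if s.scan(QUOTED)
        s[1].gsub(/\\(.)/, '\1')          # undo quoted-pair escapes
      else
        s.scan(TOKEN).to_s                # bare token, may be empty
      end
    s.skip(/\s*/)
    s.eos? || s.check(/[;,]/) or raise ArgumentError, "trailing data at #{s.pos}"
    out[name] ||= value                   # first occurrence wins
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  p naive_cookies(SAMPLE)['Customer']     # quotes kept in the value
  p rfc2109_cookies(SAMPLE)['Customer']   # quotes removed
end
```

A separator inside a quoted-string is the edge case to check when two stacks share a cookie: the splitting parser sees two cookies where the grammar-based one sees a single value.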