inets http cookie parsing bug
Maas-Maarten Zeeman
mmzeeman@REDACTED
Fri Jan 28 15:34:04 CET 2011
Hello,
Yesterday I discovered a cookie parsing bug in the inets http client.
1> inets:start().
ok
2> http:set_options([{cookies, enabled}]).
ok
3> http:request("http://zotonic.com").
{error,{function_clause,[{string,substr,
                          [" 01 Jul 2012 11:48:43 GMT",1,-1]},
                         {httpc_cookie,parse_set_cookie,3},
                         {lists,map,2},
                         {httpc_cookie,parse_set_cookies,2},
                         {httpc_cookie,cookies,3},
                         {httpc_handler,handle_cookies,4},
                         {httpc_handler,handle_response,1},
                         {httpc_handler,handle_info,2}]}}
...
...
When it parses a cookie header like this:
Set-Cookie:
z_sid=r5tOZ6GQlWtb68XEoo4m; Version=1; Path=/; HttpOnly,
z_pid=49Rr3y6VeuMs407m2KUM; Version=1; Expires=Sun, 01 Jul 2012
11:59:21 GMT; Max-Age=44928000; Path=/; HttpOnly
This cookie header is split in the wrong location. During parsing this
string is first split on the "," character. But when a cookie contains
an expires attribute with a date string, that split will be in the
wrong location, because the date format contains a comma.
The bug appears in all R13 and R14 releases.
Kind regards,
Maas-Maarten Zeeman
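
Added example, not part of the original message and not code from inets: the comma split described in the report next to a split that treats a comma as a cookie boundary only when a `name=` pair follows it. The module and function names are hypothetical, the sample is the header from the report joined onto one line, and the boundary rule is a heuristic chosen for this illustration (requires OTP 20 or later for `string:split/3`).

```erlang
%% Added example; module and function names are hypothetical.
-module(set_cookie_split).
-export([sample/0, naive_split/1, safe_split/1, demo/0]).

%% Constructed sample: the Set-Cookie value from the report on one line.
sample() ->
    "z_sid=r5tOZ6GQlWtb68XEoo4m; Version=1; Path=/; HttpOnly, "
    "z_pid=49Rr3y6VeuMs407m2KUM; Version=1; "
    "Expires=Sun, 01 Jul 2012 11:59:21 GMT; Max-Age=44928000; "
    "Path=/; HttpOnly".

%% Behaviour described in the report: every comma ends a cookie, so the
%% comma inside the Expires date produces a bogus third "cookie".
naive_split(Header) ->
    [string:trim(Part) || Part <- string:split(Header, ",", all)].

%% Heuristic split: a comma is a boundary only when the text after it
%% (past optional whitespace) is a token directly followed by "=".
%% " 01 Jul 2012 ..." has a space after "01", so it is not a boundary.
safe_split(Header) ->
    re:split(Header, ",\\s*(?=[^;,=\\s]+=)", [{return, list}]).

%% Checks both behaviours against the sample; crashes with badmatch
%% if either one differs from what the comments claim.
demo() ->
    Naive = naive_split(sample()),
    3 = length(Naive),
    "01 Jul 2012" ++ _ = lists:nth(3, Naive),   % the stray date fragment
    [First, Second] = safe_split(sample()),
    "z_sid=" ++ _ = First,
    "z_pid=" ++ _ = Second,
    Expires = "Expires=Sun, 01 Jul 2012 11:59:21 GMT",
    true = string:find(Second, Expires) =/= nomatch,
    {ok, First, Second}.
```

Calling `set_cookie_split:demo().` returns `{ok, First, Second}` with the Expires date intact in the second cookie. A cookie value that itself contains a comma followed by `name=` would still be misread, so keeping each Set-Cookie field separate instead of joining them is the more robust design.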