inets http cookie parsing bug

Maas-Maarten Zeeman <>
Fri Jan 28 15:34:04 CET 2011


Yesterday I discovered a cookie parsing bug in inets http client.

1> inets:start().
2> http:set_options([{cookies, enabled}]).
3> http:request("").
                                 [" 01 Jul 2012 11:48:43 GMT",1,-1]},

When it parses a cookie header like this:

z_sid=r5tOZ6GQlWtb68XEoo4m; Version=1; Path=/; HttpOnly,  
z_pid=49Rr3y6VeuMs407m2KUM; Version=1; Expires=Sun, 01 Jul 2012  
11:59:21 GMT; Max-Age=44928000; Path=/; HttpOnly

This cookie header is split in the wrong location. During parsing this  
string is first split on the "," character. But when a cookie contains  
an expires attribute with a date string, that split will be in the  
wrong location, because the date format contains a comma.

The bug appears in all R13 and R14 releases.

Kind regards,

Maas-Maarten Zeeman

More information about the erlang-bugs mailing list