Subject: HTTP::Cookies.pm bug (with a fix)
I have no idea when this broke. So far as I know, the bug has always
been there. I originally found it in a 2004 variant, and pretty much
the same problem still exists. I'm seeing this with Perl 5.8.1 and
5.10.0 -- though that's probably not relevant, nor are the Linux
distributions (Mandriva and OpenSUSE).
In add_cookie_header, if the cookie version is nonzero and the cookie
contents include a non-alpha (\W) character, it escapes any quotes or
slashes in the cookie value.
The problem arises when the server has delivered a cookie value that is
ENCLOSED in quotes, i.e.,

    Set-Cookie: member="whatever"; version=1; Path=/

When it comes time for add_cookie_header to do its thing, it generates

    Cookie: member="\"whatever\""; $Path="/"
    Cookie2: $Version="1"

I don't know whether quoted cookie values are valid per the spec, but
they do unfortunately occur (I can give you an example site, if you like).
I guess there are 2 bugs here:
1) The biggest problem is with the quoting. I think I've fixed this by
inserting one line in add_cookie_header in Cookies.pm:

    # do we need to quote the value
    if ($val =~ /\W/ && $version) {
        $val =~ s/^"(.*)"$/$1/;        ### <<<<<<< A FIX
        $val =~ s/([\\\"])/\\$1/g;
        $val = qq("$val");
    }

2) The second problem is with the treatment of the Path and version
fields. They appear to be treated as if they are cookie values. And yet
they are transmitted with a prefix of "$". I REALLY don't understand
what's going on here, and I'm not inclined to mess with it.
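
Added example, not part of the original message and not HTTP::Cookies code: the quoting step quoted above is copied into two stand-alone subs (quote_original and quote_patched are hypothetical names) and run over constructed values, so the header value can be compared with and without the inserted line. It also covers a stored value that already contains an escaped inner quote, where the inserted line removes the outer pair but the inner escape is escaped again.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Quoting step as quoted in the report, without the inserted line.
sub quote_original {
    my ($val, $version) = @_;
    if ($val =~ /\W/ && $version) {
        $val =~ s/([\\\"])/\\$1/g;     # escape backslashes and quotes
        $val = qq("$val");             # wrap the result in quotes
    }
    return $val;
}

# Same step with the report's one-line fix: drop one pair of
# enclosing quotes before escaping.
sub quote_patched {
    my ($val, $version) = @_;
    if ($val =~ /\W/ && $version) {
        $val =~ s/^"(.*)"$/$1/;
        $val =~ s/([\\\"])/\\$1/g;
        $val = qq("$val");
    }
    return $val;
}

# Constructed samples: [ value as stored from Set-Cookie, cookie version ].
my @samples = (
    [ '"whatever"', 1 ],   # the case from the report
    [ 'whatever',   1 ],   # no \W character, so the quoting branch is skipped
    [ 'a b',        1 ],   # \W present, no enclosing quotes
    [ '"a\"b"',     1 ],   # enclosed in quotes, with an escaped inner quote
    [ '"whatever"', 0 ],   # version 0, so the quoting branch is skipped
);

for my $s (@samples) {
    my ($val, $version) = @$s;
    printf "version=%d stored=%s\n", $version, $val;
    printf "  original: Cookie: member=%s\n", quote_original($val, $version);
    printf "  patched:  Cookie: member=%s\n", quote_patched($val, $version);
}
```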