Bug #49302 for CGI-Cookie-XS: Fixes to handle valueless cookies

Mon Aug 31 20:42:01 2009 bitcard [...] ckeith.clara.net - Ticket created

Subject:

Fixes to handle valueless cookies

Distribution: CGI-Cookie-XS-0.16 Perl: This is perl, v5.8.8 built for x86_64-linux-thread-multi-ld v0.16 doesn't handle cookies that have no value: %perl -MData::Dumper -MCGI::Cookie::XS -e 'my $s = "lastvisit=1251731074; sessionlogin=1251760758; username=; password=; remember_login=; admin_button="; die "Version: $CGI::Cookie::XS::VERSION\n", Data::Dumper->Dump([ CGI::Cookie::XS->parse($s) ]), "\n";' Version: 0.16 $VAR1 = { 'lastvisit' => [ '1251731074' ], 'sessionlogin' => [ '1251760758' ], 'remember_login' => [ '; admin_button=' ], 'username' => [ '; password=' ] }; Obviously the "username" cookie should not have the value "; password=" This is caused in the detection of the end of the cookie name. The patch only allows the p++ to occur if the next character isn't a semi-colon, comma or the end of the string. This causes the result to be what you would expect: perl -Mblib=lib -MData::Dumper -MCGI::Cookie::XS -e 'my $s = "lastvisit=1251731074; sessionlogin=1251760758; username=; password=; remember_login=; admin_button="; die "Version: $CGI::Cookie::XS::VERSION\n", Data::Dumper->Dump([ CGI::Cookie::XS->parse($s) ]), "\n";' Version: 0.16 $VAR1 = { 'lastvisit' => [ '1251731074' ], 'password' => [], 'sessionlogin' => [ '1251760758' ], 'admin_button' => [], 'remember_login' => [], 'username' => [] }; Hope this helps someone.

Subject:

XS.xs.patch

--- XS.xs.old 2009-08-31 20:28:20.000000000 -0400 +++ XS.xs 2009-08-31 20:31:57.000000000 -0400 @@ -60,7 +60,12 @@ //DDD("in loop"); if (*p == '=' && !parsing_value ){ array = newAV(); - *p = '\0'; p++; + *p = '\0'; + + // Only move on if not the end of the cookie value + if (*(p+1) != ';' && *(p+1) != ',' && *(p+1) != '\0') + p++; + _decode_hex_str(q, &decode); q = p; hv_store( @@ -75,7 +80,7 @@ p++; _decode_hex_str(q, &decode); q = p; - if (parsing_value && array != NULL) + if (*decode != '\0' && parsing_value && array != NULL) av_push(array, newSVpvf("%s", decode)); parsing_value = FALSE; } else if (*p == '&') { // find a second value

Wed Sep 02 05:49:22 2009 agentzh [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #49302] Fixes to handle valueless cookies
Date:	Wed, 2 Sep 2009 17:48:50 +0800
To:	bug-CGI-Cookie-XS [...] rt.cpan.org
From:	agentzh <agentzh [...] gmail.com>

On Tue, Sep 1, 2009 at 8:42 AM, Colin Keith via RT < bug-CGI-Cookie-XS@rt.cpan.org> wrote: Show quoted text

> This is caused in the detection of the end of the cookie name. The patch > only allows the p++ to occur if the next character isn't a semi-colon, > comma or the end of the string. > > This causes the result to be what you would expect: >

Thank you so much! I'll look into your patch and merge into the mainstream in the next few days :) Cheers, -agentzh

Wed Sep 02 05:49:23 2009 The RT System itself - Status changed from 'new' to 'open'

Wed Sep 02 09:31:32 2009 agentzh [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #49302] Fixes to handle valueless cookies
Date:	Wed, 2 Sep 2009 21:31:12 +0800
To:	bug-CGI-Cookie-XS [...] rt.cpan.org
From:	agentzh <agentzh [...] gmail.com>

On Wed, Sep 2, 2009 at 5:49 PM, agentzh@gmail.com via RT < bug-CGI-Cookie-XS@rt.cpan.org> wrote: Show quoted text

> Thank you so much! I'll look into your patch and merge into the mainstream > in the next few days :) > >

Already applied your patch to the git repository and included it in the latest 0.17 CPAN release. Your test case has also been added to the regression test suite. Thanks for your contribution :) -agentzh

Thu Sep 03 21:31:39 2009 agentzh [...] yahoo.cn - Status changed from 'open' to 'resolved'