Bug#583131: epiphany-browser - Missparses quoted cookies
Bastian Blank
waldi at debian.org
Tue May 25 16:15:07 UTC 2010
Package: epiphany-browser
Version: 2.30.2-1
Severity: important
I use the following header to set a cookie:
| Set-Cookie: auth="name=blank;sig=MZTJl0eYACEJB6L8ibIm4S6QK1k="; Secure
epiphany lists the cookie with name "auth" and value '"name=blank', aka
it splits it after the first ; within the value. However RFC 2109 and
the referenced 2068 specifies this headers the following way.
set-cookie = "Set-Cookie:" cookies
cookies = 1#cookie
cookie = NAME "=" VALUE *(";" cookie-av)
VALUE = value
value = word
word = token | quoted-string
quoted-string = ( <"> *(qdtext) <"> )
qdtext = <any TEXT except <">>
TEXT = <any OCTET except CTLs, but including LWS>
The most identical definition is given in RFC 2965 and 2616 for the
Set-Cookie2 header.
It even transmits it in this broken state (note the missing quote):
| Cookie: I18N_LANGUAGE="de"; auth="name=blank
Bastian
--
Warp 7 -- It's a law we can live with.
More information about the pkg-gnome-maintainers
mailing list