This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 47667
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: rls.bitcard [...] schnapp.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 5.827
Fixed in: (no value)



Subject: HTTP::Cookies.pm bug (with a fix)
I have no idea when this broke. So far as I know, the bug has always been there. I originally found it in a 2004 variant, and pretty much the same problem still exists. I'm seeing this with Perl 5.8.1 and 5.10.0 -- though that's probably not relevant, nor are the Linux distributions (Mandriva and OpenSUSE).

In add_cookie_header, if the cookie version is nonzero and the cookie contents include a non-alpha (\W) character, it escapes any quotes or slashes in the cookie value. The problem arises when the server has delivered a cookie value that is ENCLOSED in quotes, i.e.,

    Set-Cookie: member="whatever"; version=1; Path=/

When it comes time for add_cookie_header to do its thing, it generates

    Cookie: member="\"whatever\""; $Path="/"
    Cookie2: $Version="1"

I don't know whether quoted cookie values are valid per the spec, but they do unfortunately occur (I can give you an example site, if you like).

I guess there are 2 bugs here:

1) The biggest problem is with the quoting. I think I've fixed this by inserting one line in add_cookie_header in Cookies.pm:

    # do we need to quote the value
    if ($val =~ /\W/ && $version) {
        $val =~ s/^"(.*)"$/$1/;  ### <<<<<<< A FIX
        $val =~ s/([\\\"])/\\$1/g;
        $val = qq("$val");
    }

2) The second problem is with the treatment of the Path and version fields. They appear to be treated as if they are cookie values. And yet they are transmitted with a prefix of "$". I REALLY don't understand what's going on here, and I'm not inclined to mess with it.
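The double quoting reported above can be reproduced in isolation by running the quoted step with and without the proposed line. This is an added example, not part of the ticket and not libwww-perl's own code: the two subroutine names and the sample values are constructed here, and the subroutine bodies copy the quoting step as the requestor quoted it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Quoting step as quoted in the ticket, without the proposed line.
sub quote_value_original {
    my ($val, $version) = @_;
    if ($val =~ /\W/ && $version) {
        $val =~ s/([\\\"])/\\$1/g;    # escape backslashes and double quotes
        $val = qq("$val");            # wrap the result in double quotes
    }
    return $val;
}

# Same step with the requestor's one-line change: strip a leading and a
# trailing double quote before escaping.
sub quote_value_patched {
    my ($val, $version) = @_;
    if ($val =~ /\W/ && $version) {
        $val =~ s/^"(.*)"$/$1/;
        $val =~ s/([\\\"])/\\$1/g;
        $val = qq("$val");
    }
    return $val;
}

# Constructed sample values: [stored cookie value, cookie version].
my @samples = (
    [ '"whatever"', 1 ],   # value from the ticket, stored with its quotes
    [ 'whatever',   1 ],   # plain token: no \W character, left untouched
    [ 'a b',        1 ],   # contains \W, so it is escaped and wrapped once
    [ 'say "hi"',   1 ],   # interior quotes are escaped by both versions
    [ '"a" "b"',    1 ],   # starts and ends with a quote, but not one pair
    [ '"whatever"', 0 ],   # version 0: the condition skips quoting entirely
);

for my $s (@samples) {
    my ($val, $version) = @$s;
    printf "v%d stored=%-12s original: member=%-20s patched: member=%s\n",
        $version, $val,
        quote_value_original($val, $version),
        quote_value_patched($val, $version);
}
```

The `"a" "b"` row shows what the one-line pattern does when the first and last characters are quotes that do not enclose a single string: they are stripped all the same, so the value sent back differs from the value stored.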
This issue was fixed by <http://github.com/gisle/libwww-perl/commit/afe187da28a4da2785ee9c56df3163080b01333c>. It means that it has been fixed since libwww-perl-5.815.

