Harden Cookie Parsing #62681
Conversation
Pull Request Overview
This PR enhances cookie parsing by skipping over invalid segments and tightening separator logic, while expanding test scenarios for strict and lenient parsing.
- Added logic in `TryParseValue` to skip past invalid cookie segments up to the next semicolon.
- Updated `GetNextNonEmptyOrWhitespaceIndex` to treat only `;` as a separator.
- Expanded invalid-cookie test cases in `RequestCookiesCollectionTests` and restructured test datasets in `CookieHeaderValueTest`.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
File | Description |
---|---|
src/Http/Shared/CookieHeaderParserShared.cs | Skip invalid cookie values by advancing index to the next `;`. |
src/Http/Http/test/RequestCookiesCollectionTests.cs | Added more invalid-cookie scenarios and expected outcomes. |
src/Http/Headers/test/CookieHeaderValueTest.cs | Renamed and restructured theory datasets; introduced strict set. |
var string1 = "name1=n1=v1&n2=v2&n3=v3"; | ||
|
||
var dataset = new TheoryData<IList<CookieHeaderValue>, string?[]>(); | ||
dataset.Concat(ListOfStrictCookieHeaderDataSet); |
Copilot (AI), Jul 11, 2025
The call to `dataset.Concat(...)` returns a new enumerable and does not modify `dataset`, so the strict dataset items aren't actually added. Use a loop or a method like `dataset.AddRange(...)` (or iterate and `dataset.Add(...)`) to include those entries.
dataset.Concat(ListOfStrictCookieHeaderDataSet); | |
foreach (var item in ListOfStrictCookieHeaderDataSet) | |
{ | |
dataset.Add(item); | |
} |
var separatorIndex = value.IndexOf(';', current); | ||
if (separatorIndex > 0) | ||
{ | ||
// Skip the invalid values and keep trying. | ||
index = separatorIndex; | ||
} | ||
else | ||
{ | ||
// No more separators, so we're done. | ||
index = value.Length; | ||
} |
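Review bot: `if (separatorIndex > 0)` treats a match at offset 0 the same as the not-found result (-1), so a `;` found exactly at position 0 would fall into the `else` branch and set `index = value.Length`, ending the parse instead of skipping to that separator. Since `current` is never negative, the conventional test is `if (separatorIndex >= 0)`; if offset 0 is genuinely unreachable here (because the caller has already skipped leading separators), a comment saying so would keep the next reader from "fixing" it either way.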
Copilot (AI), Jul 11, 2025
[nitpick] This logic for finding the next semicolon and updating `index` is duplicated in two places. Consider extracting it into a helper method (e.g., `SkipToNextSeparator`) to reduce duplication and simplify maintenance.
var separatorIndex = value.IndexOf(';', current); | |
if (separatorIndex > 0) | |
{ | |
// Skip the invalid values and keep trying. | |
index = separatorIndex; | |
} | |
else | |
{ | |
// No more separators, so we're done. | |
index = value.Length; | |
} | |
index = SkipToNextSeparator(value, current); |
Can I please ask why this change was made? Why is it not associated with any issue? It seems like a breaking change for anyone using a comma as a separator for cookies. This seems to have been included in .NET 8.0.19; was this the intention? At the very least it should be called out in some release notes. We just spent a couple of days trying to work out what was going on with a client calling our API that was using cookies for authentication, with it working in some environments and not working in others. We finally determined it was a difference between .NET 8 versions and then tracked down this change. Very frustrating.
No description provided.
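The two behaviours discussed on this page (the review summary's "skip an invalid segment up to the next `;`, treat only `;` as a separator" and the last comment's observation that a comma used to work as a separator) are easiest to see side by side in a small model parser. The following is an added example, not code from dotnet/aspnetcore: it walks the header by index the way the reviewed hunk does, accepts a configurable separator set so the old (`;` and `,`, an assumption about the prior behaviour) and new (`;` only) splitting can be compared, and offers the strict/lenient switch the test datasets distinguish. The name and value grammar is RFC 6265's `token` / `cookie-octet` (which excludes `,`, space and `;` from values); whether the project's own validator matches that grammar exactly is an assumption.

```python
"""Model of lenient vs strict cookie-header parsing with a configurable
separator set. Added example; not dotnet/aspnetcore code. The RFC 6265
grammar below and the "old separators were ';' and ','" set are assumptions
made for illustration."""
import re

# RFC 2616 token for the cookie-name (assumption: matches the project's check).
_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# optionally wrapped in DQUOTEs. Note that ',' (0x2C), ';' (0x3B), space and
# '"' are all excluded from the octet set.
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
_VALUE = re.compile(rf'^(?:"{_OCTET}*"|{_OCTET}*)$')

OLD_SEPARATORS = ";,"   # assumed prior behaviour: comma also split cookies
NEW_SEPARATORS = ";"    # behaviour described in the PR summary


def _parse_pair(segment: str):
    """Return (name, value) for a well-formed cookie-pair, else None."""
    name, eq, value = segment.partition("=")
    if not eq:
        return None
    name, value = name.strip(), value.strip()
    if not _NAME.match(name) or not _VALUE.match(value):
        return None
    return name, value


def parse_cookie_header(header: str, *, strict: bool = False,
                        separators: str = NEW_SEPARATORS):
    """Parse a Cookie header value into a list of (name, value) tuples.

    Lenient mode skips an invalid segment up to the next separator and keeps
    going (the hardening described in the PR). Strict mode raises on the first
    invalid segment instead, which is what a strict test dataset expects.
    """
    cookies = []
    i, n = 0, len(header)
    while i < n:
        # Skip separators and whitespace between pairs.
        while i < n and (header[i] in separators or header[i].isspace()):
            i += 1
        if i >= n:
            break
        # The segment runs to the next separator, or to the end of the header.
        j = next((k for k in range(i, n) if header[k] in separators), n)
        segment = header[i:j]
        pair = _parse_pair(segment)
        if pair is None:
            if strict:
                raise ValueError(f"invalid cookie segment: {segment!r}")
            # Lenient: drop this segment, resume at the next separator.
        else:
            cookies.append(pair)
        i = j
    return cookies


def compare_separator_handling(header: str):
    """Show how the same header splits under the old and new separator sets."""
    return {
        "old": parse_cookie_header(header, separators=OLD_SEPARATORS),
        "new": parse_cookie_header(header, separators=NEW_SEPARATORS),
    }


if __name__ == "__main__":
    # Constructed sample headers (not taken from any real traffic).
    print(parse_cookie_header("a=1; b=2; not a pair; c=3"))
    print(parse_cookie_header("name1=n1=v1&n2=v2&n3=v3"))
    print(compare_separator_handling("session=abc, theme=dark"))
```

With `;`-only separators, a comma-joined header such as `session=abc, theme=dark` is one segment whose value `abc, theme=dark` contains a comma and a space; under the RFC 6265 grammar that segment is invalid and the lenient parser drops it, so the client sends a cookie and the server sees none. That is the symptom described in the last comment, and it is why the separator change deserves a release-notes entry even though it is a hardening fix.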