
Cookie parsing does not adhere to RFC (concerning multiple values with the same key)

Open tbu- opened this issue 3 years ago • 0 comments

According to the quoted RFC 6265, section 4.2.2:

Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.

The relevant function Cookie::get does not comply with that: https://github.com/hyperium/headers/blob/ffca4a90482cc31875ac9a9364b7ea252f8c0afa/src/common/cookie.rs#L45-L49

Instead, it only takes the first cookie value of a certain name.

The documentation should call this out, especially if this is not a de-facto standard somewhere because then it can create security vulnerabilities with different parts of a web stack taking different (first, last) values of a cookie with a certain name as authoritative.

tbu- avatar Jul 27 '22 17:07 tbu-
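To make the first-versus-last discrepancy described above concrete, here is an added Rust example (not the headers crate's own code; `cookie_pairs`, `first_value`, `last_value` and `unambiguous_value` are hypothetical helpers) that parses a constructed Cookie header containing a duplicated name and contrasts the two naive lookups with a strict one that refuses to pick a value silently.

```rust
/// Split a Cookie header value into (name, value) pairs in serialization order.
/// Loosely follows the RFC 6265 section 4.2.1 grammar: pairs separated by ";".
/// Hypothetical helper, not the headers crate's parser.
pub fn cookie_pairs(header: &str) -> Vec<(String, String)> {
    header
        .split(';')
        .filter_map(|part| {
            let (name, value) = part.trim().split_once('=')?;
            let name = name.trim();
            if name.is_empty() {
                return None;
            }
            Some((name.to_string(), value.trim().to_string()))
        })
        .collect()
}

/// Takes the first value for a name, the behaviour the issue describes for Cookie::get.
pub fn first_value<'a>(pairs: &'a [(String, String)], name: &str) -> Option<&'a str> {
    pairs.iter().find(|(n, _)| n == name).map(|(_, v)| v.as_str())
}

/// Takes the last value for a name, as another component in the stack might.
pub fn last_value<'a>(pairs: &'a [(String, String)], name: &str) -> Option<&'a str> {
    pairs.iter().rev().find(|(n, _)| n == name).map(|(_, v)| v.as_str())
}

/// Hardened lookup: Err(count) when the name is ambiguous (appears more than once),
/// so a session or CSRF token is never silently read from the wrong cookie.
pub fn unambiguous_value<'a>(
    pairs: &'a [(String, String)],
    name: &str,
) -> Result<Option<&'a str>, usize> {
    let values: Vec<&str> = pairs
        .iter()
        .filter(|(n, _)| n == name)
        .map(|(_, v)| v.as_str())
        .collect();
    match values.len() {
        0 => Ok(None),
        1 => Ok(Some(values[0])),
        n => Err(n),
    }
}

fn main() {
    // Constructed header: "session" appears twice, e.g. set with different Path attributes.
    let pairs = cookie_pairs("session=abc; theme=dark; session=xyz");
    println!("first:  {:?}", first_value(&pairs, "session"));
    println!("last:   {:?}", last_value(&pairs, "session"));
    println!("strict: {:?}", unambiguous_value(&pairs, "session"));
}
```

A service that only ever consults `unambiguous_value` cannot disagree with a neighbouring component about which of the two cookies is authoritative; it fails closed instead.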