Problem with Rack::Lint header value verification

16 views
Skip to first unread message

Pedro Belo

unread,
Jun 27, 2008, 6:27:14 PM6/27/08
to Rack Development
Hi guys,

I'm having problems with the Rack::Lint verification for header
values: It asserts that all characters are below 037, but for the Set-
Cookie header we are definitely receiving characters in this range
(for instance 32, a space).

This is one example of a value for Set-Cookie as defined by Rails,
more specifically when you delete the cookie named auth_token:
"auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT\n"

Any ideas? Maybe this assertion needs to be more loose?

Thanks,
Pedro

Scytrin dai Kinthra

unread,
Jun 27, 2008, 8:56:48 PM6/27/08
to rack-...@googlegroups.com
As a note "\037" refers to the octal code of a character. The space is
octal "\040".
For instance `man 7 ascii` should provide a table of codes for
characters, and characters \000-\037 are control characters.
Have you tested this? In what instances is this causing a problem?
Could you provide a sample of data that causes this assertion to fail?

-- blink
stadik.net

Pedro Belo

unread,
Jun 28, 2008, 8:55:25 PM6/28/08
to rack-...@googlegroups.com
Ops, doh, I didn't notice the octal.

So the problem I'm having is a line break in the Set-Cookie header. I think that happened because I have two cookies being defined, which results in two Set-Cookie headers to the client.

This is the flow that is generating the problem: Rails stores the cookies in the header 'cookie' as one array. Then Rack::Adapter::Rails converts this header into the Set-Cookie header, joining the elements with a line break. This string representation of the cookies will be later converted to multiple Set-Cookie headers by the handler, but _before_ this happens it is processed by Lint, which detects the line break and fail.

I think the solution is to change Rack::Adapter::Rails to store the headers in hash-like structure that supports duplicate keys. What you think?

Christian Neukirchen

unread,
Jun 29, 2008, 5:49:20 AM6/29/08
to rack-...@googlegroups.com
"Pedro Belo" <pe...@heroku.com> writes:

> Ops, doh, I didn't notice the octal.
>
> So the problem I'm having is a line break in the Set-Cookie header. I think
> that happened because I have two cookies being defined, which results in two
> Set-Cookie headers to the client.
>
> This is the flow that is generating the problem: Rails stores the cookies in
> the header 'cookie' as one array. Then Rack::Adapter::Rails converts this
> header into the Set-Cookie header, joining the elements with a line break. This
> string representation of the cookies will be later converted to multiple
> Set-Cookie headers by the handler, but _before_ this happens it is processed by
> Lint, which detects the line break and fail.
>
> I think the solution is to change Rack::Adapter::Rails to store the headers in
> hash-like structure that supports duplicate keys. What you think?

"Set-Cookie" => [cookie1.to_s, cookie2.to_s] works in current Rack.
In future Racks (for 1.9 support, not yet fully specified), the
newline is the correct way.

--
Christian Neukirchen <chneuk...@gmail.com> http://chneukirchen.org

Pedro Belo

unread,
Jun 30, 2008, 4:21:01 PM6/30/08
to rack-...@googlegroups.com
Ok, for now I'll patch rails rack adapter to keep the cookies in one array.

Thanks, 
Pedro
Reply all
Reply to author
Forward
0 new messages