Problem with Rack::Lint header value verification
Pedro Belo
I'm having problems with the Rack::Lint verification for header
values: It asserts that all characters are below 037, but for the Set-
Cookie header we are definitely receiving characters in this range
(for instance 32, a space).
This is one example of a value for Set-Cookie as defined by Rails,
more specifically when you delete the cookie named auth_token:
"auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT\n"
Any ideas? Maybe this assertion needs to be more loose?
Thanks,
Pedro
Scytrin dai Kinthra
octal "\040".
For instance `man 7 ascii` should provide a table of codes for
characters, and characters \000-\037 are control characters.
Have you tested this? In what instances is this causing a problem?
Could you provide a sample of data that causes this assertion to fail?
-- blink
stadik.net
Pedro Belo
Christian Neukirchen
> Ops, doh, I didn't notice the octal.
>
> So the problem I'm having is a line break in the Set-Cookie header. I think
> that happened because I have two cookies being defined, which results in two
> Set-Cookie headers to the client.
>
> This is the flow that is generating the problem: Rails stores the cookies in
> the header 'cookie' as one array. Then Rack::Adapter::Rails converts this
> header into the Set-Cookie header, joining the elements with a line break. This
> string representation of the cookies will be later converted to multiple
> Set-Cookie headers by the handler, but _before_ this happens it is processed by
> Lint, which detects the line break and fail.
>
> I think the solution is to change Rack::Adapter::Rails to store the headers in
> hash-like structure that supports duplicate keys. What you think?
"Set-Cookie" => [cookie1.to_s, cookie2.to_s] works in current Rack.
In future Racks (for 1.9 support, not yet fully specified), the
newline is the correct way.
--
Christian Neukirchen <chneuk...@gmail.com> http://chneukirchen.org