Do not CGI.unescape cookies sent in requests.

It isn't appropriate to call CGI.unescape on cookie values: any URI encoding performed by servers on cookies should remain that way to avoid sending invalid characters in the Cookie request HTTP header. (e.g. If you send a cookie containing '%0A', it should send those three octets, not a newline character.) Fixes #89
2022-11-09 13:49:40 -05:00 · 2014-03-06 22:53:27 -08:00 · 2014-03-06 22:53:27 -08:00 · 3c95dbd45c
commit 3c95dbd45c
parent 77850e467a
2 changed files with 12 additions and 1 deletions
--- a/lib/restclient/request.rb
+++ b/lib/restclient/request.rb
@ -92,7 +92,7 @@ module RestClient

    def make_headers user_headers
      unless @cookies.empty?
-        user_headers[:cookie] = @cookies.map { |(key, val)| "#{key.to_s}=#{CGI::unescape(val.to_s)}" }.sort.join('; ')
+        user_headers[:cookie] = @cookies.map { |key, val| "#{key}=#{val}" }.sort.join('; ')
      end
      headers = stringify_headers(default_headers).merge(stringify_headers(user_headers))
      headers.merge!(@payload.headers) if @payload
--- a/spec/unit/request_spec.rb
+++ b/spec/unit/request_spec.rb
@ -106,6 +106,17 @@ describe RestClient::Request do
    @request.make_headers({}).should eq({ 'Foo' => 'bar', 'Cookie' => 'session_id=1; user_id=someone'})
  end

+  it "does not escape or unescape cookies" do
+    cookie = 'Foo%20:Bar%0A~'
+    @request = RestClient::Request.new(:method => 'get', :url => 'example.com',
+                                       :cookies => {:test => cookie})
+    @request.should_receive(:default_headers).and_return({'Foo' => 'bar'})
+    @request.make_headers({}).should eq({
+      'Foo' => 'bar',
+      'Cookie' => "test=#{cookie}"
+    })
+  end
+
  it "uses netrc credentials" do
    URI.stub(:parse).and_return(double('uri', :user => nil, :password => nil, :host => 'example.com'))
    Netrc.stub(:read).and_return('example.com' => ['a', 'b'])