net/http: clarify that AddCookie only sanitizes the Cookie being added

AddCookie properly encodes a cookie and appends it to the Cookie header field but does not modify or sanitize what the Cookie header field contains already. If a user manualy sets the Cookie header field to something not conforming to RFC 6265 then a cookie added via AddCookie might not be retrievable. Fixes #38437 Change-Id: I232b64ac489b39bb962fe4f7dbdc2ae44fcc0514 Reviewed-on: https://go-review.googlesource.com/c/go/+/235141 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
2024-09-30 09:38:38 -06:00 · 2020-05-26 16:55:28 +02:00 · 2020-05-26 16:55:28 +02:00 · 1519bc4457
commit 1519bc4457
parent 8f4151ea67
1 changed files with 2 additions and 0 deletions
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@ -425,6 +425,8 @@ func (r *Request) Cookie(name string) (*Cookie, error) {
 // AddCookie does not attach more than one Cookie header field. That
 // means all cookies, if any, are written into the same line,
 // separated by semicolon.
+// AddCookie only sanitizes c's name and value, and does not sanitize
+// a Cookie header already present in the request.
 func (r *Request) AddCookie(c *Cookie) {
 	s := fmt.Sprintf("%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value))
 	if c := r.Header.Get("Cookie"); c != "" {