feat: ignore unparsable cookies in Cookie header (#3814)

fix: ignore unparsable cookies in Cookie header

Co-authored-by: Rob Ede <robjtede@icloud.com>
Filip Gregor 2026-02-09 13:53:40 +01:00 committed by GitHub
parent 747d7c0def
commit 32cb3b8361
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 3 deletions


@ -4,6 +4,7 @@
- Minimum supported Rust version (MSRV) is now 1.88.
- Add `HttpRequest::url_for_map` and `HttpRequest::url_for_iter` methods for named URL parameters. [#3895]
- Ignore unparsable cookies in `Cookie` request header.
[#3895]: https://github.com/actix/actix-web/pull/3895


@ -414,6 +414,9 @@ impl HttpRequest {
}
/// Load request cookies.
///
/// Any cookie that cannot be parsed is omitted from the result.
/// This includes cookies with an empty name (e.g. `document.cookie = "=value"`).
#[cfg(feature = "cookies")]
pub fn cookies(&self) -> Result<Ref<'_, Vec<Cookie<'static>>>, CookieParseError> {
use actix_http::header::COOKIE;
@ -422,9 +425,9 @@ impl HttpRequest {
let mut cookies = Vec::new();
for hdr in self.headers().get_all(COOKIE) {
let s = str::from_utf8(hdr.as_bytes()).map_err(CookieParseError::from)?;
for cookie_str in s.split(';').map(|s| s.trim()) {
if !cookie_str.is_empty() {
cookies.push(Cookie::parse_encoded(cookie_str)?.into_owned());
for cookie_str in s.split(';').map(|s| s.trim()).filter(|s| !s.is_empty()) {
if let Ok(cookie) = Cookie::parse_encoded(cookie_str) {
cookies.push(cookie.into_owned());
}
}
}
@ -677,6 +680,22 @@ mod tests {
assert!(cookie.is_none());
}
#[test]
#[cfg(feature = "cookies")]
fn test_empty_key() {
let req = TestRequest::default()
.append_header((header::COOKIE, "cookie1=value1; value2; cookie3=value3"))
.to_http_request();
{
let cookies = req.cookies().unwrap();
assert_eq!(cookies.len(), 2);
assert_eq!(cookies[0].name(), "cookie1");
assert_eq!(cookies[0].value(), "value1");
assert_eq!(cookies[1].name(), "cookie3");
assert_eq!(cookies[1].value(), "value3");
}
}
#[test]
fn test_request_query() {
let req = TestRequest::with_uri("/?id=test").to_http_request();
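Review bot: The doc comment added on `cookies()` does not say when `Err` is still returned: in the second hunk the only remaining `?` is on `str::from_utf8`, so a `Cookie` header that is not valid UTF-8 still fails the whole call, while an unparsable pair inside a valid header is dropped with no signal to the caller. I would add `/// # Errors` followed by `/// Returns an error only if a Cookie header value is not valid UTF-8; unparsable pairs are skipped.`, so that handlers using cookies for session or CSRF checks know an absent entry can mean "sent but rejected"; a debug-level log on the skipped branch would also help, if the crate's logging facade is in scope here (not visible in the hunk). `test_empty_key` feeds `value2`, a pair with no `=`, so the `=value` empty-name case named in the doc comment is not exercised; a second header such as `"a=1; =value; b=2"` would pin it. The body of `cookies()` starts and ends outside these hunks, so this is based only on the visible lines.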