On Wed, 14 Sep 2005, Yukihiro Matsumoto wrote:

> Hi,
>
> In message "Re: [BUG/PATCH] cgi/session.rb"
>    on Wed, 14 Sep 2005 14:56:16 +0900, "Ara.T.Howard" <Ara.T.Howard / noaa.gov> writes:
>
> |> Something must be different.  I can't think of anything though.
> |
> |can you reproduce?  or is it just me?
>
> I couldn't.  Mine worked fine, even on localhost.

o.k. - i finally can reproduce from either localhost or hostname.  you can see
problem and solution here

   http://fortytwo.merseine.nu/a.cgi

essentially it boils down to Cookie::parse blowing up if multiple comma
separated key=value pairs show up.  for example

   harp:~ > ruby -r cgi -e "p( CGI::Cookie::parse('k=v0, k=v1') )"
   {"k"=>["v0, k=v1"]}

   harp:~ > ruby -r cgi -e "p( CGI::Cookie::parse('k=v0; k=v1') )"
   {"k"=>["v0"]}

of course the question is what, exactly, the http spec has to say about those
raw cookie string formats.  i'm certainly no expert here.  however, it seems
that mozilla and firefox (latest) both spit out comma separated k=v pairs under
certain conditions so it may be wise to handle this case anyhow.  i'm not sure
my patch is the best way to fix - but it was the least amount of code i could
write to fix the issue.

i did a little googling and comma does, in fact, seem to be an acceptable k=v
pair separator:

...
   Note: For backward compatibility, the separator in the Cookie header
   is semi-colon (;) everywhere.  A server SHOULD also accept comma (,)
   as the separator between cookie-values for future compatibility.
...

from

   http://www.ietf.org/rfc/rfc2965.txt


this

   http://wp.netscape.com/newsref/std/cookie_spec.html

also suggests commas may be used as separator since

...
  NAME=VALUE
      This string is a sequence of characters excluding semi-colon, comma and
      white space. If there is a need to place such data in the name or value,
      some encoding method such as URL style %XX encoding is recommended,
      though no encoding is defined or required.
...

and i would assume the reason semi-colon and comma are disallowed is because
they are reserved as pair separators.  it doesn't actually say why it is not
allowed, however.

regards.

ps.  i never did figure out how/why my browsers decided to place commas in the
HTTP_COOKIE post, but they (mozilla, firefox) both did at several points
during testing (somehow related to browsing from localhost).  the cgi just
emulates this behaviour to show the bug.

-a
-- 
===============================================================================
| email :: ara [dot] t [dot] howard [at] noaa [dot] gov
| phone :: 303.497.6469
| Your life dwells among the causes of death
| Like a lamp standing in a strong breeze.  --Nagarjuna
===============================================================================
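
The separator handling discussed in the message above, as an added example that is not part of the original message, the author's patch, or cgi.rb: a stand-alone parser that accepts both `;` and `,` between pairs, as the quoted RFC 2965 note recommends. The helper names are hypothetical, the sample headers are constructed, and unlike the `CGI::Cookie::parse` output shown above it keeps every value for a repeated name so that a session layer can notice a cookie that arrived more than once.

```ruby
require 'uri'

# Constructed sample headers, modelled on the two cases in the message above.
COMMA_HEADER = 'k=v0, k=v1'
SEMI_HEADER  = 'k=v0; k=v1'

# Hypothetical helper: URL-decode a name or value, keeping the raw text
# when the %XX encoding is malformed instead of raising.
def cookie_unescape(text)
  URI.decode_www_form_component(text)
rescue ArgumentError
  text
end

# Hypothetical helper (not CGI::Cookie.parse): split a raw Cookie header on
# ';' or ',' and return { name => [values...] } with every value preserved.
def parse_cookie_header(raw)
  cookies = Hash.new { |hash, key| hash[key] = [] }
  return cookies if raw.nil?

  raw.split(/[;,]/).each do |pair|
    name, value = pair.split('=', 2)
    next if name.nil?
    name = name.strip
    next if name.empty?
    # RFC 2965 attributes such as $Version and $Path are not cookies.
    next if name.start_with?('$')

    value = (value || '').strip
    # Drop the surrounding double quotes RFC 2965 allows around a value.
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1..-2]
    end
    cookies[cookie_unescape(name)] << cookie_unescape(value)
  end
  cookies
end

# Names that arrived with more than one distinct value. Assumption of this
# example: a session layer should treat such a session cookie as ambiguous
# rather than silently picking one value.
def ambiguous_names(cookies)
  cookies.select { |_name, values| values.uniq.length > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  p parse_cookie_header(COMMA_HEADER)
  p ambiguous_names(parse_cookie_header(SEMI_HEADER))
end
```

Splitting on every comma assumes values follow the Netscape rule quoted above (no raw `;`, `,` or whitespace inside a name or value); a quoted RFC 2965 value containing a comma would need a real tokenizer.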