Current Behavior
Currently HttpRequest::cookies assumes that all cookies are percent-encoded and returns an error if at least one cookie is not percent-encoded and contains invalid character sequences for that encoding, e.g. (%db).
Possible Solution
Given that changing the default to non-percent-encoded cookies might not be a good idea,
and that HttpRequest::cookies() does some caching in HttpRequest::extensions()
I would propose implementing a HttpRequest::cookies_lossy() function that just collects all the cookies it can and that can then be used by HttpRequest::cookie(name).
Steps to Reproduce (for bugs)
Example:
```rust
use actix_web::{http::header, test::TestRequest};

fn main() {
    let req = TestRequest::get()
        .insert_header((header::COOKIE, "asd=hello other_actually_valid_cookie=%db"))
        .to_http_request();

    dbg!(req.cookies().unwrap()); // Err(Utf8Error)
    dbg!(req.cookie("asd")); // None
}
```
Here, req.cookies() fails, hence req.cookie("asd") also returns nothing.
Context
In my use case I also have a session cookie from Authelia, which may contain such sequences,
which seem valid to me (see RFC 6265 4.1.1).
Although I don't want to parse that cookie it still prevents me from parsing the cookie for actix-session.
Your Environment
Rust Version: 1.83.0
Actix Web Version: 4.9.0
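
The lossy behaviour proposed in the issue above, sketched as an added std-only example; it is not code from the issue author or from actix-web. The names `percent_decode_utf8` and `parse_cookies_lossy`, the sample header, and the choice to keep malformed escapes such as `%zz` literally are assumptions made for illustration.

```rust
// Added illustration, std only. Each cookie pair is decoded on its own, so one
// undecodable cookie no longer hides the others from the application.

/// Percent-decode `s`; returns None if the decoded bytes are not valid UTF-8.
/// Assumption: an escape that is not "%" plus two hex digits is kept literally.
fn percent_decode_utf8(s: &str) -> Option<String> {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        let byte = match b.get(i + 1..i + 3) {
            Some(h) if b[i] == b'%' && h.iter().all(u8::is_ascii_hexdigit) => {
                u8::from_str_radix(std::str::from_utf8(h).ok()?, 16).ok()
            }
            _ => None,
        };
        match byte {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8(out).ok()
}

/// Returns (decoded name/value pairs, names of skipped cookies).
/// A skipped cookie is treated as absent, never as partially decoded, and only
/// its name is reported so that a session value cannot end up in a log line.
fn parse_cookies_lossy(header: &str) -> (Vec<(String, String)>, Vec<String>) {
    let (mut ok, mut skipped) = (Vec::new(), Vec::new());
    for pair in header.split(';').map(str::trim).filter(|p| !p.is_empty()) {
        let Some((name, value)) = pair.split_once('=') else {
            skipped.push(pair.to_string());
            continue;
        };
        match (percent_decode_utf8(name.trim()), percent_decode_utf8(value.trim())) {
            (Some(n), Some(v)) => ok.push((n, v)),
            _ => skipped.push(name.trim().to_string()),
        }
    }
    (ok, skipped)
}

fn main() {
    // Constructed header: "%db" decodes to the lone byte 0xDB, which is not UTF-8.
    let (ok, skipped) = parse_cookies_lossy("asd=hello; other=%db");
    println!("parsed: {ok:?}, skipped: {skipped:?}");
}
```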