[drupal-devel] [bug] drupal_http_request improper handles set-cookie headers

chx drupal-devel at drupal.org
Mon Aug 22 20:06:55 UTC 2005


 Project:      Drupal
 Version:      cvs
 Component:    base system
 Category:     bug reports
 Priority:     critical
 Assigned to:  chx
 Reported by:  chx
 Updated by:   chx
 Status:       patch (ready to be committed)

Try lynx http://www.paypal.com . You'll get:

www.paypal.com cookie: sc_lucky_value=C8DF7645  Allow?
www.paypal.com cookie: cookie_check=yes  Allow? (Y/N/Always/neVer)
ww.paypal.com cookie: Apache=  Allow?

So, you need to take care of three Set-Cookie headers. If you take a
look at the current code, only the last would be returned.


Previous comments:

Wed, 10 Aug 2005 17:42:33 +0000 : chx

Attachment: http://drupal.org/files/issues/resp.patch (775 bytes)

This is an issue with cookies: when you get multiple response headers
with the same name, they are overridden. This is probably what we want
for location but for set-cookie this is bad. So says RFC 2109:
   Informally, the Set-Cookie response header comprises the token Set-
   Cookie:, followed by a comma-separated list of one or more cookies.
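
Added example, not part of the original thread or the attached patch: a PHP sketch of the header-parsing problem described above, comparing last-value-wins, RFC 2109 style comma-joining, and keeping each Set-Cookie value separately. The function name parse_response_headers, its $mode parameter, and the cookie attributes in the sample response are assumptions constructed for illustration.

```php
<?php
// Constructed sample response: cookie names are from the lynx output above,
// the attributes and the expires date are made up for illustration.
$raw = "HTTP/1.1 200 OK\r\n"
  . "Content-Type: text/html\r\n"
  . "Set-Cookie: sc_lucky_value=C8DF7645; path=/\r\n"
  . "Set-Cookie: cookie_check=yes; expires=Wed, 09 Aug 2006 10:00:00 GMT\r\n"
  . "Set-Cookie: Apache=; path=/\r\n"
  . "\r\n<html></html>";

/**
 * Hypothetical helper (not Drupal's code): parse response headers.
 * $mode 'overwrite': last value per name wins (the reported behaviour).
 * $mode 'join': repeated Set-Cookie values are comma-joined (RFC 2109 wording).
 * $mode 'list': every Set-Cookie value is kept as its own array element.
 */
function parse_response_headers($raw, $mode) {
  list($head) = explode("\r\n\r\n", $raw, 2);
  $lines = explode("\r\n", $head);
  array_shift($lines); // Drop the status line.
  $headers = array();
  foreach ($lines as $line) {
    if (strpos($line, ':') === FALSE) {
      continue; // Skip lines that are not "Name: value".
    }
    list($name, $value) = array_map('trim', explode(':', $line, 2));
    $is_cookie = strcasecmp($name, 'Set-Cookie') === 0;
    if ($is_cookie && $mode === 'list') {
      $headers['Set-Cookie'][] = $value;
    }
    elseif ($is_cookie && $mode === 'join' && isset($headers['Set-Cookie'])) {
      $headers['Set-Cookie'] .= ',' . $value;
    }
    else {
      $headers[$is_cookie ? 'Set-Cookie' : $name] = $value;
    }
  }
  return $headers;
}

foreach (array('overwrite', 'join', 'list') as $mode) {
  $headers = parse_response_headers($raw, $mode);
  echo $mode, ': ', var_export($headers['Set-Cookie'], TRUE), "\n";
}
// The expires date itself contains a comma, so splitting the joined string
// on ',' does not recover the original cookies; count the pieces to see it.
$joined = parse_response_headers($raw, 'join');
echo 'pieces: ', count(explode(',', $joined['Set-Cookie'])), "\n";
```

A caller that depends on a session or CSRF cookie set earlier in the response loses it silently in 'overwrite' mode, and a caller that splits the 'join' result on commas has to account for commas inside attribute values.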



Wed, 10 Aug 2005 18:05:04 +0000 : killes at www.drop.org

According to the cited RFC I believe this to be correct. The patch does
apply and does not cause parse errors. ;)


Thu, 11 Aug 2005 07:28:06 +0000 : Dries

Please add a code comment quoting the relevant bits of the RFC.  Like
that, we'll be able to understand what is going on.


Thu, 18 Aug 2005 05:13:14 +0000 : chx

Attachment: http://drupal.org/files/issues/set_cookie.patch (883 bytes)

Well, now I feel this is ready to be committed. I even put a conditional
in it, so only Set-Cookie header gets different treatment.


Thu, 18 Aug 2005 21:43:53 +0000 : Dries

Where did this bug trigger?  One could argue that the $header-array
(input parameter) is malformed and that it is the caller's problem.


Thu, 18 Aug 2005 23:02:52 +0000 : chx

The $header parameter is something you send out and what this patch
affects are the result headers.

This occurs if a site sets more than one cookie which is not unheard


Mon, 22 Aug 2005 19:34:04 +0000 : Dries

But _who_ calls drupal_http_request like that?  Where is the culprit
that triggered this bug?
