Use EscapeDataString for encoding Cookies

2016-01-29 11:40:59 -08:00 · 2016-01-29 11:40:59 -08:00 · 765a52007a
parent 02363da94e
commit 765a52007a
3 changed files with 23 additions and 8 deletions
--- a/src/Microsoft.AspNetCore.Http/ResponseCookies.cs
+++ b/src/Microsoft.AspNetCore.Http/ResponseCookies.cs
@ -38,8 +38,8 @@ namespace Microsoft.AspNetCore.Http.Internal
        public void Append(string key, string value)
        {
            var setCookieHeaderValue = new SetCookieHeaderValue(
-                    UrlEncoder.Default.Encode(key),
-                    UrlEncoder.Default.Encode(value))
+                    Uri.EscapeDataString(key),
+                    Uri.EscapeDataString(value))
            {
                Path = "/"
            };
@ -61,8 +61,8 @@ namespace Microsoft.AspNetCore.Http.Internal
            }

            var setCookieHeaderValue = new SetCookieHeaderValue(
-                    UrlEncoder.Default.Encode(key),
-                    UrlEncoder.Default.Encode(value))
+                    Uri.EscapeDataString(key),
+                    Uri.EscapeDataString(value))
            {
                Domain = options.Domain,
                Path = options.Path,
@ -95,7 +95,7 @@ namespace Microsoft.AspNetCore.Http.Internal
                throw new ArgumentNullException(nameof(options));
            }
            
-            var encodedKeyPlusEquals = UrlEncoder.Default.Encode(key) + "=";
+            var encodedKeyPlusEquals = Uri.EscapeDataString(key) + "=";
            bool domainHasValue = !string.IsNullOrEmpty(options.Domain);
            bool pathHasValue = !string.IsNullOrEmpty(options.Path);

--- a/test/Microsoft.AspNetCore.Http.Tests/DefaultHttpRequestTests.cs
+++ b/test/Microsoft.AspNetCore.Http.Tests/DefaultHttpRequestTests.cs
@ -172,15 +172,15 @@ namespace Microsoft.AspNetCore.Http.Internal
            Assert.Null(cookies0["key0"]);
            Assert.False(cookies0.ContainsKey("key0"));

-            var newCookies = new[] { "name0=value0", "name1=value1" };
+            var newCookies = new[] { "name0=value0%2C", "%5Ename1=value1" };
            request.Headers["Cookie"] = newCookies;

            cookies0 = RequestCookieCollection.Parse(newCookies);
            var cookies1 = request.Cookies;
            Assert.Equal(cookies0, cookies1);
            Assert.Equal(2, cookies1.Count);
-            Assert.Equal("value0", cookies1["name0"]);
-            Assert.Equal("value1", cookies1["name1"]);
+            Assert.Equal("value0,", cookies1["name0"]);
+            Assert.Equal("value1", cookies1["^name1"]);
            Assert.Equal(newCookies, request.Headers["Cookie"]);

            var cookies2 = new RequestCookieCollection(new Dictionary<string,string>()
--- a/test/Microsoft.AspNetCore.Http.Tests/ResponseCookiesTest.cs
+++ b/test/Microsoft.AspNetCore.Http.Tests/ResponseCookiesTest.cs
@ -42,5 +42,20 @@ namespace Microsoft.AspNetCore.Http.Tests
            Assert.Contains("expires=Thu, 01 Jan 1970 00:00:00 GMT", cookieHeaderValues[0]);
        }

+        [Theory]
+        [InlineData("key", "value", "key=value")]
+        [InlineData("key,", "!value", "key%2C=%21value")]
+        [InlineData("ke#y,", "val^ue", "ke%23y%2C=val%5Eue")]
+        public void EscapesKeyValuesBeforeSettingCookie(string key, string value, string expected)
+        {
+            var headers = new HeaderDictionary();
+            var cookies = new ResponseCookies(headers);
+
+            cookies.Append(key, value);
+
+            var cookieHeaderValues = headers[HeaderNames.SetCookie];
+            Assert.Equal(1, cookieHeaderValues.Count);
+            Assert.StartsWith(expected, cookieHeaderValues[0]);
+        }
    }
 }