Conversation
kanongil left a comment
The change to strict validation is not ok.
The change to loose could potentially be accepted to better match the docs, which state for the strictHeader option:
"allows any cookie value including values in violation of RFC 6265"
This is not strictly true since ; is not allowed unless the value starts and ends with a ".
I still think the current implementation is acceptable, since the browsers / user agents that would need to parse the cookie would have a very hard time parsing it. Additionally, it provides a degree of security protection, since user-provided values cannot add their own tags.
I also don't see why we should accommodate another project's incorrect usage of the API.
| valueRx: { | ||
| strict: /^[^\x00-\x20",;\\\x7F]*$/, | ||
| loose: /^("[^"]*"|[^;]*)$/ | ||
| strict: /^[^\x00-\x20",\\\x7F]*$/, |
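Review bot: dropping `;` from the strict character class in the replacement row means a value such as `a; Secure` now passes strict validation, and because `;` is the attribute separator in a Set-Cookie header, a user agent would read `Secure` as an attribute the application never set. Keep `;` in the excluded set; callers that genuinely need a `;` already have the loose pattern, which admits it only inside a quoted value.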
This change is not suitable. Strict values cannot contain ;, which this would allow!
| strict: /^[^\x00-\x20",;\\\x7F]*$/, | ||
| loose: /^("[^"]*"|[^;]*)$/ | ||
| strict: /^[^\x00-\x20",\\\x7F]*$/, | ||
| loose: /^("[^"]*"|.*)$/ |
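Review bot: the new loose pattern `/^("[^"]*"|.*)$/` has a redundant first alternative, since `.*` already matches anything the quoted branch does, and without the `s` flag `.` still excludes line terminators, so the pattern neither expresses "any value" nor keeps `;` from introducing extra attributes. If loose is meant to accept any value, skip the regex test in that mode and say so in the docs; otherwise keep the current `[^;]*` branch. The strict row here removes `;` from the excluded set just as the earlier hunk does, with the same attribute-separator problem.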
This is simply /.*/. If we want to allow any value, then the code should not use a regex.
There is more discussion around the issue in #90.
This resolves the issue here dherault/serverless-offline#1866