From e5b9f9fcde9858dcebe6ae558cee8f11acb40f2d Mon Sep 17 00:00:00 2001
From: Barak Shechter
Date: Mon, 15 Jul 2019 16:40:48 -0400
Subject: [PATCH] URL decoding of raw cookie header key-value pairs as recommended by https://tools.ietf.org/html/rfc6265#section-4.1.1
---
 index.js | 9 ++++++++-
 package.json | 2 +-
 test/test.js | 4 ++--
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/index.js b/index.js
index 9c468ae..b0db218 100644
--- index.js
+++ b/index.js
@@ -62,7 +62,14 @@ Cookies.prototype.get = function(name, opts) {
 match = header.match(getPattern(name))
 if (!match) return
- value = match[1]
+ /*
+ * https://tools.ietf.org/html/rfc6265#section-4.1.1
+ *
+ * To maximize compatibility with user agents, servers that wish to
+ * store arbitrary data in a cookie-value SHOULD encode that data, for
+ * example, using Base64 [RFC4648].
+ */
+ value = decodeURIComponent(match[1])
 if (!opts || !signed) return value
 remote = this.get(sigName)
diff --git a/package.json b/package.json
index da32ec5..e314cdc 100644
--- package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "cookies",
 "description": "Cookies, optionally signed using Keygrip.",
- "version": "0.7.3",
+ "version": "0.7.4",
 "author": "Jed Schmidt (http://jed.is)",
 "contributors": [
 "Douglas Christopher Wilson "
diff --git a/test/test.js b/test/test.js
index 202812d..4a512dd 100644
--- test/test.js
+++ b/test/test.js
@@ -80,8 +80,8 @@ describe('new Cookies(req, res, [options])', function () {
 res.end(String(cookies.get('foo')))
 }))
 .get('/')
- .set('Cookie', 'foo=bar')
- .expect(200, 'bar', done)
+ .set('Cookie', 'foo=bar%3D')
+ .expect(200, 'bar=', done)
 })
 it('should work for cookie name with special characters', function (done) {
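Review bot: In the index.js hunk, `decodeURIComponent(match[1])` throws a `URIError` on a malformed escape such as a lone `%`, and the Cookie header is client-controlled, so any request can now make `Cookies.prototype.get` throw where it previously returned a string. Guard the decode and fall back to the raw value, e.g. `try { value = decodeURIComponent(match[1]) } catch (e) { value = match[1] }`. The value is also decoded before the signed branch that follows, and the diffstat shows no matching encode elsewhere in index.js, so a signed cookie whose raw value contains `%` would presumably be checked against a different string than was signed; confirm this against the rest of `get`, which continues outside the hunk. The quoted RFC 6265 passage offers Base64 as an example encoding and does not call for percent-decoding, so the comment should state that percent-decoding is this library's own convention.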
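Review bot: In the test/test.js hunk the only plain-value case is overwritten (`foo=bar` becomes `foo=bar%3D`), so the suite no longer pins the behaviour for an unencoded value, and nothing covers a malformed escape. Keep the original `.set('Cookie', 'foo=bar')` / `.expect(200, 'bar', done)` case and add separate cases for the encoded value and for a header such as `foo=bar%` (constructed sample), asserting what `get` is meant to return there rather than leaving it to throw. A signed-cookie case with an encoded value would also show whether verification still matches after decoding. The enclosing `it` block starts above the hunk.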