search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
122.59k stars 17.48k forks source link

net/http: invalid Cookie.Domain in case of setting cookie on IPv6 #65521

Open chernykhdk opened 6 months ago

chernykhdk commented 6 months ago

Go version

go version go1.20.5 linux/amd64

Output of go env in your module/workspace:

GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/dmitry/.cache/go-build"
GOENV="/home/dmitry/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/dmitry/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/dmitry/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.5"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/dmitry/go/src/***/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2985869622=/tmp/go-build -gno-record-gcc-switches"

What did you do?

func(w http.ResponseWriter, r *http.Request) {
    cookie := http.Cookie{
        Name:   "foo",
        Value:  "bar",
        Path:   "/",
        Domain: "[fd7d:844d:3e17:f3ae::1]",
    }

    http.SetCookie(w, &cookie)
    w.WriteHeader(http.StatusOK)
}

What did you see happen?

in logs: net/http: invalid Cookie.Domain "[fd7d:844d:3e17:f3ae::1]"; dropping domain attribute

in browser: cookie is missing

What did you expect to see?

i expect to see cookie which exists in browser like as in case of IPv4

i think trouble is in net/http/cookie.go:

// validCookieDomain reports whether v is a valid cookie domain-value.
func validCookieDomain(v string) bool {
    if isCookieDomainName(v) {
        return true
    }
    if net.ParseIP(v) != nil && !strings.Contains(v, ":") {
        return true
    }
    return false
}
mateusz834 commented 6 months ago

CC @neild

It seems like it works as per spec.

RFC 6265:

domain-value = ; defined in [RFC1034], Section 3.5, as ; enhanced by [RFC1123], Section 2.1

RFC 1123:

Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either (1) a host domain name or (2) an IP address in dotted-decimal ("#.#.#.#") form. The host SHOULD check the string syntactically for a dotted-decimal number before looking it up in the Domain Name System.

It does not specify anything about ipv6.

seankhliao commented 6 months ago

it does appear that chrome and firefox accept this syntax https://bugzilla.mozilla.org/show_bug.cgi?id=1666678