Merge pull request hoisie#196 from hoisie/secure-cookie-crash

hoisie · web-flow · commit 454e24cfc59e · 2016-07-30T14:38:17.000-07:00
Secure cookie crash
diff --git a/examples/hello.go b/examples/hello.go
@@ -4,7 +4,7 @@ import (
 	"github.com/hoisie/web"
 )
 
-func hello(val string) string { return "hello " + val }
+func hello(val string) string { return "hello " + val + "\n" }
 
 func main() {
 	web.Get("/(.*)", hello)
diff --git a/examples/logger.go b/examples/logger.go
@@ -6,7 +6,7 @@ import (
 	"os"
 )
 
-func hello(val string) string { return "hello " + val }
+func hello(val string) string { return "hello " + val + "\n" }
 
 func main() {
 	f, err := os.Create("server.log")
diff --git a/examples/multiserver.go b/examples/multiserver.go
@@ -4,9 +4,9 @@ import (
 	"github.com/hoisie/web"
 )
 
-func hello1(val string) string { return "hello1 " + val }
+func hello1(val string) string { return "hello1 " + val + "\n" }
 
-func hello2(val string) string { return "hello2 " + val }
+func hello2(val string) string { return "hello2 " + val + "\n" }
 
 func main() {
 	var server1 web.Server
diff --git a/examples/tls.go b/examples/tls.go
@@ -47,7 +47,7 @@ gWrxykqyLToIiAuL+pvC3Jv8IOPIiVFsY032rOqcwSGdVUyhTsG28+7KnR6744tM
 -----END CERTIFICATE-----
 `
 
-func hello(val string) string { return "hello " + val }
+func hello(val string) string { return "hello " + val + "\n" }
 
 func main() {
 	config := tls.Config{
diff --git a/web.go b/web.go
@@ -145,6 +145,9 @@ func (ctx *Context) GetSecureCookie(name string) (string, bool) {
 		}
 
 		parts := strings.SplitN(cookie.Value, "|", 3)
+		if len(parts) != 3 {
+			return "", false
+		}
 
 		val := parts[0]
 		timestamp := parts[1]
diff --git a/web_test.go b/web_test.go
@@ -496,6 +496,17 @@ func TestSecureCookie(t *testing.T) {
 	}
 }
 
+func TestEmptySecureCookie(t *testing.T) {
+	mainServer.Config.CookieSecret = "7C19QRmwf3mHZ9CPAaPQ0hsWeufKd"
+	cookies := makeCookie(map[string]string{"empty": ""})
+
+	resp2 := getTestResponse("GET", "/securecookie/get/empty", "", nil, cookies)
+
+	if resp2.body != "" {
+		t.Fatalf("Expected an empty secure cookie")
+	}
+}
+
 func TestEarlyClose(t *testing.T) {
 	var server1 Server
 	server1.Close()

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ import (`
`4`	`4`	`"github.com/hoisie/web"`
`5`	`5`	`)`
`6`	`6`
`7`		`-func hello(val string) string { return "hello " + val }`
	`7`	`+func hello(val string) string { return "hello " + val + "\n" }`
`8`	`8`
`9`	`9`	`func main() {`
`10`	`10`	`web.Get("/(.*)", hello)`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`	`"os"`
`7`	`7`	`)`
`8`	`8`
`9`		`-func hello(val string) string { return "hello " + val }`
	`9`	`+func hello(val string) string { return "hello " + val + "\n" }`
`10`	`10`
`11`	`11`	`func main() {`
`12`	`12`	`f, err := os.Create("server.log")`
Original file line number	Diff line number	Diff line change
`@@ -4,9 +4,9 @@ import (`
`4`	`4`	`"github.com/hoisie/web"`
`5`	`5`	`)`
`6`	`6`
`7`		`-func hello1(val string) string { return "hello1 " + val }`
	`7`	`+func hello1(val string) string { return "hello1 " + val + "\n" }`
`8`	`8`
`9`		`-func hello2(val string) string { return "hello2 " + val }`
	`9`	`+func hello2(val string) string { return "hello2 " + val + "\n" }`
`10`	`10`
`11`	`11`	`func main() {`
`12`	`12`	`var server1 web.Server`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ gWrxykqyLToIiAuL+pvC3Jv8IOPIiVFsY032rOqcwSGdVUyhTsG28+7KnR6744tM`
`47`	`47`	`-----END CERTIFICATE-----`
`48`	`48`	`
`49`	`49`
`50`		`-func hello(val string) string { return "hello " + val }`
	`50`	`+func hello(val string) string { return "hello " + val + "\n" }`
`51`	`51`
`52`	`52`	`func main() {`
`53`	`53`	`config := tls.Config{`
Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,9 @@ func (ctx *Context) GetSecureCookie(name string) (string, bool) {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`parts := strings.SplitN(cookie.Value, "\|", 3)`
	`148`	`+ if len(parts) != 3 {`
	`149`	`+ return "", false`
	`150`	`+ }`
`148`	`151`
`149`	`152`	`val := parts[0]`
`150`	`153`	`timestamp := parts[1]`