Add check for secure cookie structure

hoisie · hoisie · commit bbb68ed3db57 · 2016-07-30T14:30:56.000-07:00
A secure cookie has three parts separated by the pipe ("|") character. Before trying to parse it, ensure there are actually three parts. This is a potential fix for hoisie#163
diff --git a/web.go b/web.go
@@ -145,6 +145,9 @@ func (ctx *Context) GetSecureCookie(name string) (string, bool) {
 		}
 
 		parts := strings.SplitN(cookie.Value, "|", 3)
+		if len(parts) != 3 {
+			return "", false
+		}
 
 		val := parts[0]
 		timestamp := parts[1]
diff --git a/web_test.go b/web_test.go
@@ -496,6 +496,17 @@ func TestSecureCookie(t *testing.T) {
 	}
 }
 
+func TestEmptySecureCookie(t *testing.T) {
+	mainServer.Config.CookieSecret = "7C19QRmwf3mHZ9CPAaPQ0hsWeufKd"
+	cookies := makeCookie(map[string]string{"empty": ""})
+
+	resp2 := getTestResponse("GET", "/securecookie/get/empty", "", nil, cookies)
+
+	if resp2.body != "" {
+		t.Fatalf("Expected an empty secure cookie")
+	}
+}
+
 func TestEarlyClose(t *testing.T) {
 	var server1 Server
 	server1.Close()

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,9 @@ func (ctx *Context) GetSecureCookie(name string) (string, bool) {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`parts := strings.SplitN(cookie.Value, "\|", 3)`
	`148`	`+ if len(parts) != 3 {`
	`149`	`+ return "", false`
	`150`	`+ }`
`148`	`151`
`149`	`152`	`val := parts[0]`
`150`	`153`	`timestamp := parts[1]`