Fix Cookie header parsing issues

2025-08-13 13:26:01 +03:00 · 2019-11-14 08:14:04 -08:00 · 2019-11-14 08:14:04 -08:00 · b8160cce6b
commit b8160cce6b
parent 7ba77631f9
3 changed files with 58 additions and 5 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 v3.0.4 - YYYY-MMM-DD (to be released)
 -------------------------------------

+ - Fix Cookie header parsing issues
+   [Issue #2201 - @airween, @martinhsv]
 - Fix rules with nolog are logging to part H
   [Issue #2196 - @martinhsv]
 - Fix argument key-value pair parsing cases
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -549,7 +549,18 @@ int Transaction::addRequestHeader(const std::string& key,
    if (keyl == "cookie") {
        size_t localOffset = m_variableOffset;
        size_t pos;
+
        std::vector<std::string> cookies = utils::string::ssplit(value, ';');
+
+        // Get rid of any optional whitespace after the cookie-string
+        // (i.e. after the end of the final cookie-pair)
+        if (!cookies.empty()) {
+            std::string& final_cookie_pair = cookies.back();
+            while (!final_cookie_pair.empty() && isspace(final_cookie_pair.back())) {
+                final_cookie_pair.pop_back();
+            }
+        }
+
        for (const std::string &c : cookies) {
            // skip empty substring, eg "Cookie: ;;foo=bar"
            if (c.empty() == true) {
--- a/test/test-cases/regression/variable-REQUEST_COOKIES.json
+++ b/test/test-cases/regression/variable-REQUEST_COOKIES.json
@ -2,7 +2,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: REQUEST_COOKIES (1/5)",
+    "title":"Testing Variables :: REQUEST_COOKIES (1/6)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -42,7 +42,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: REQUEST_COOKIES (2/5)",
+    "title":"Testing Variables :: REQUEST_COOKIES (2/6)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -82,7 +82,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: REQUEST_COOKIES (3/5)",
+    "title":"Testing Variables :: REQUEST_COOKIES (3/6)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -122,7 +122,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: REQUEST_COOKIES (4/5)",
+    "title":"Testing Variables :: REQUEST_COOKIES (4/6)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -162,7 +162,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: REQUEST_COOKIES (5/5)",
+    "title":"Testing Variables :: REQUEST_COOKIES (5/6)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -198,6 +198,46 @@
      "SecRuleEngine On",
      "SecRule REQUEST_COOKIES \"@contains test \" \"id:1,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: REQUEST_COOKIES (6/6)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Cookie":"aaa=bbb;abc=def  "
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Target value: \"def\" \\(Variable: REQUEST_COOKIES:abc\\)"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule REQUEST_COOKIES:abc \"@rx ^def$\" \"id:1,pass\""
+    ]
  }
 ]