1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package http
6
7import (
8	"bytes"
9	"encoding/json"
10	"fmt"
11	"log"
12	"os"
13	"reflect"
14	"strings"
15	"testing"
16	"time"
17)
18
19var writeSetCookiesTests = []struct {
20	Cookie *Cookie
21	Raw    string
22}{
23	{
24		&Cookie{Name: "cookie-1", Value: "v$1"},
25		"cookie-1=v$1",
26	},
27	{
28		&Cookie{Name: "cookie-2", Value: "two", MaxAge: 3600},
29		"cookie-2=two; Max-Age=3600",
30	},
31	{
32		&Cookie{Name: "cookie-3", Value: "three", Domain: ".example.com"},
33		"cookie-3=three; Domain=example.com",
34	},
35	{
36		&Cookie{Name: "cookie-4", Value: "four", Path: "/restricted/"},
37		"cookie-4=four; Path=/restricted/",
38	},
39	{
40		&Cookie{Name: "cookie-5", Value: "five", Domain: "wrong;bad.abc"},
41		"cookie-5=five",
42	},
43	{
44		&Cookie{Name: "cookie-6", Value: "six", Domain: "bad-.abc"},
45		"cookie-6=six",
46	},
47	{
48		&Cookie{Name: "cookie-7", Value: "seven", Domain: "127.0.0.1"},
49		"cookie-7=seven; Domain=127.0.0.1",
50	},
51	{
52		&Cookie{Name: "cookie-8", Value: "eight", Domain: "::1"},
53		"cookie-8=eight",
54	},
55	{
56		&Cookie{Name: "cookie-9", Value: "expiring", Expires: time.Unix(1257894000, 0)},
57		"cookie-9=expiring; Expires=Tue, 10 Nov 2009 23:00:00 GMT",
58	},
59	// According to IETF 6265 Section 5.1.1.5, the year cannot be less than 1601
60	{
61		&Cookie{Name: "cookie-10", Value: "expiring-1601", Expires: time.Date(1601, 1, 1, 1, 1, 1, 1, time.UTC)},
62		"cookie-10=expiring-1601; Expires=Mon, 01 Jan 1601 01:01:01 GMT",
63	},
64	{
65		&Cookie{Name: "cookie-11", Value: "invalid-expiry", Expires: time.Date(1600, 1, 1, 1, 1, 1, 1, time.UTC)},
66		"cookie-11=invalid-expiry",
67	},
68	// The "special" cookies have values containing commas or spaces which
69	// are disallowed by RFC 6265 but are common in the wild.
70	{
71		&Cookie{Name: "special-1", Value: "a z"},
72		`special-1="a z"`,
73	},
74	{
75		&Cookie{Name: "special-2", Value: " z"},
76		`special-2=" z"`,
77	},
78	{
79		&Cookie{Name: "special-3", Value: "a "},
80		`special-3="a "`,
81	},
82	{
83		&Cookie{Name: "special-4", Value: " "},
84		`special-4=" "`,
85	},
86	{
87		&Cookie{Name: "special-5", Value: "a,z"},
88		`special-5="a,z"`,
89	},
90	{
91		&Cookie{Name: "special-6", Value: ",z"},
92		`special-6=",z"`,
93	},
94	{
95		&Cookie{Name: "special-7", Value: "a,"},
96		`special-7="a,"`,
97	},
98	{
99		&Cookie{Name: "special-8", Value: ","},
100		`special-8=","`,
101	},
102	{
103		&Cookie{Name: "empty-value", Value: ""},
104		`empty-value=`,
105	},
106	{
107		nil,
108		``,
109	},
110	{
111		&Cookie{Name: ""},
112		``,
113	},
114	{
115		&Cookie{Name: "\t"},
116		``,
117	},
118}
119
120func TestWriteSetCookies(t *testing.T) {
121	defer log.SetOutput(os.Stderr)
122	var logbuf bytes.Buffer
123	log.SetOutput(&logbuf)
124
125	for i, tt := range writeSetCookiesTests {
126		if g, e := tt.Cookie.String(), tt.Raw; g != e {
127			t.Errorf("Test %d, expecting:\n%s\nGot:\n%s\n", i, e, g)
128			continue
129		}
130	}
131
132	if got, sub := logbuf.String(), "dropping domain attribute"; !strings.Contains(got, sub) {
133		t.Errorf("Expected substring %q in log output. Got:\n%s", sub, got)
134	}
135}
136
137type headerOnlyResponseWriter Header
138
139func (ho headerOnlyResponseWriter) Header() Header {
140	return Header(ho)
141}
142
143func (ho headerOnlyResponseWriter) Write([]byte) (int, error) {
144	panic("NOIMPL")
145}
146
147func (ho headerOnlyResponseWriter) WriteHeader(int) {
148	panic("NOIMPL")
149}
150
151func TestSetCookie(t *testing.T) {
152	m := make(Header)
153	SetCookie(headerOnlyResponseWriter(m), &Cookie{Name: "cookie-1", Value: "one", Path: "/restricted/"})
154	SetCookie(headerOnlyResponseWriter(m), &Cookie{Name: "cookie-2", Value: "two", MaxAge: 3600})
155	if l := len(m["Set-Cookie"]); l != 2 {
156		t.Fatalf("expected %d cookies, got %d", 2, l)
157	}
158	if g, e := m["Set-Cookie"][0], "cookie-1=one; Path=/restricted/"; g != e {
159		t.Errorf("cookie #1: want %q, got %q", e, g)
160	}
161	if g, e := m["Set-Cookie"][1], "cookie-2=two; Max-Age=3600"; g != e {
162		t.Errorf("cookie #2: want %q, got %q", e, g)
163	}
164}
165
166var addCookieTests = []struct {
167	Cookies []*Cookie
168	Raw     string
169}{
170	{
171		[]*Cookie{},
172		"",
173	},
174	{
175		[]*Cookie{{Name: "cookie-1", Value: "v$1"}},
176		"cookie-1=v$1",
177	},
178	{
179		[]*Cookie{
180			{Name: "cookie-1", Value: "v$1"},
181			{Name: "cookie-2", Value: "v$2"},
182			{Name: "cookie-3", Value: "v$3"},
183		},
184		"cookie-1=v$1; cookie-2=v$2; cookie-3=v$3",
185	},
186}
187
188func TestAddCookie(t *testing.T) {
189	for i, tt := range addCookieTests {
190		req, _ := NewRequest("GET", "http://example.com/", nil)
191		for _, c := range tt.Cookies {
192			req.AddCookie(c)
193		}
194		if g := req.Header.Get("Cookie"); g != tt.Raw {
195			t.Errorf("Test %d:\nwant: %s\n got: %s\n", i, tt.Raw, g)
196			continue
197		}
198	}
199}
200
201var readSetCookiesTests = []struct {
202	Header  Header
203	Cookies []*Cookie
204}{
205	{
206		Header{"Set-Cookie": {"Cookie-1=v$1"}},
207		[]*Cookie{{Name: "Cookie-1", Value: "v$1", Raw: "Cookie-1=v$1"}},
208	},
209	{
210		Header{"Set-Cookie": {"NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly"}},
211		[]*Cookie{{
212			Name:       "NID",
213			Value:      "99=YsDT5i3E-CXax-",
214			Path:       "/",
215			Domain:     ".google.ch",
216			HttpOnly:   true,
217			Expires:    time.Date(2011, 11, 23, 1, 5, 3, 0, time.UTC),
218			RawExpires: "Wed, 23-Nov-2011 01:05:03 GMT",
219			Raw:        "NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
220		}},
221	},
222	{
223		Header{"Set-Cookie": {".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly"}},
224		[]*Cookie{{
225			Name:       ".ASPXAUTH",
226			Value:      "7E3AA",
227			Path:       "/",
228			Expires:    time.Date(2012, 3, 7, 14, 25, 6, 0, time.UTC),
229			RawExpires: "Wed, 07-Mar-2012 14:25:06 GMT",
230			HttpOnly:   true,
231			Raw:        ".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
232		}},
233	},
234	{
235		Header{"Set-Cookie": {"ASP.NET_SessionId=foo; path=/; HttpOnly"}},
236		[]*Cookie{{
237			Name:     "ASP.NET_SessionId",
238			Value:    "foo",
239			Path:     "/",
240			HttpOnly: true,
241			Raw:      "ASP.NET_SessionId=foo; path=/; HttpOnly",
242		}},
243	},
244	// Make sure we can properly read back the Set-Cookie headers we create
245	// for values containing spaces or commas:
246	{
247		Header{"Set-Cookie": {`special-1=a z`}},
248		[]*Cookie{{Name: "special-1", Value: "a z", Raw: `special-1=a z`}},
249	},
250	{
251		Header{"Set-Cookie": {`special-2=" z"`}},
252		[]*Cookie{{Name: "special-2", Value: " z", Raw: `special-2=" z"`}},
253	},
254	{
255		Header{"Set-Cookie": {`special-3="a "`}},
256		[]*Cookie{{Name: "special-3", Value: "a ", Raw: `special-3="a "`}},
257	},
258	{
259		Header{"Set-Cookie": {`special-4=" "`}},
260		[]*Cookie{{Name: "special-4", Value: " ", Raw: `special-4=" "`}},
261	},
262	{
263		Header{"Set-Cookie": {`special-5=a,z`}},
264		[]*Cookie{{Name: "special-5", Value: "a,z", Raw: `special-5=a,z`}},
265	},
266	{
267		Header{"Set-Cookie": {`special-6=",z"`}},
268		[]*Cookie{{Name: "special-6", Value: ",z", Raw: `special-6=",z"`}},
269	},
270	{
271		Header{"Set-Cookie": {`special-7=a,`}},
272		[]*Cookie{{Name: "special-7", Value: "a,", Raw: `special-7=a,`}},
273	},
274	{
275		Header{"Set-Cookie": {`special-8=","`}},
276		[]*Cookie{{Name: "special-8", Value: ",", Raw: `special-8=","`}},
277	},
278
279	// TODO(bradfitz): users have reported seeing this in the
280	// wild, but do browsers handle it? RFC 6265 just says "don't
281	// do that" (section 3) and then never mentions header folding
282	// again.
283	// Header{"Set-Cookie": {"ASP.NET_SessionId=foo; path=/; HttpOnly, .ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly"}},
284}
285
286func toJSON(v interface{}) string {
287	b, err := json.Marshal(v)
288	if err != nil {
289		return fmt.Sprintf("%#v", v)
290	}
291	return string(b)
292}
293
294func TestReadSetCookies(t *testing.T) {
295	for i, tt := range readSetCookiesTests {
296		for n := 0; n < 2; n++ { // to verify readSetCookies doesn't mutate its input
297			c := readSetCookies(tt.Header)
298			if !reflect.DeepEqual(c, tt.Cookies) {
299				t.Errorf("#%d readSetCookies: have\n%s\nwant\n%s\n", i, toJSON(c), toJSON(tt.Cookies))
300				continue
301			}
302		}
303	}
304}
305
306var readCookiesTests = []struct {
307	Header  Header
308	Filter  string
309	Cookies []*Cookie
310}{
311	{
312		Header{"Cookie": {"Cookie-1=v$1", "c2=v2"}},
313		"",
314		[]*Cookie{
315			{Name: "Cookie-1", Value: "v$1"},
316			{Name: "c2", Value: "v2"},
317		},
318	},
319	{
320		Header{"Cookie": {"Cookie-1=v$1", "c2=v2"}},
321		"c2",
322		[]*Cookie{
323			{Name: "c2", Value: "v2"},
324		},
325	},
326	{
327		Header{"Cookie": {"Cookie-1=v$1; c2=v2"}},
328		"",
329		[]*Cookie{
330			{Name: "Cookie-1", Value: "v$1"},
331			{Name: "c2", Value: "v2"},
332		},
333	},
334	{
335		Header{"Cookie": {"Cookie-1=v$1; c2=v2"}},
336		"c2",
337		[]*Cookie{
338			{Name: "c2", Value: "v2"},
339		},
340	},
341	{
342		Header{"Cookie": {`Cookie-1="v$1"; c2="v2"`}},
343		"",
344		[]*Cookie{
345			{Name: "Cookie-1", Value: "v$1"},
346			{Name: "c2", Value: "v2"},
347		},
348	},
349}
350
351func TestReadCookies(t *testing.T) {
352	for i, tt := range readCookiesTests {
353		for n := 0; n < 2; n++ { // to verify readCookies doesn't mutate its input
354			c := readCookies(tt.Header, tt.Filter)
355			if !reflect.DeepEqual(c, tt.Cookies) {
356				t.Errorf("#%d readCookies:\nhave: %s\nwant: %s\n", i, toJSON(c), toJSON(tt.Cookies))
357				continue
358			}
359		}
360	}
361}
362
363func TestSetCookieDoubleQuotes(t *testing.T) {
364	res := &Response{Header: Header{}}
365	res.Header.Add("Set-Cookie", `quoted0=none; max-age=30`)
366	res.Header.Add("Set-Cookie", `quoted1="cookieValue"; max-age=31`)
367	res.Header.Add("Set-Cookie", `quoted2=cookieAV; max-age="32"`)
368	res.Header.Add("Set-Cookie", `quoted3="both"; max-age="33"`)
369	got := res.Cookies()
370	want := []*Cookie{
371		{Name: "quoted0", Value: "none", MaxAge: 30},
372		{Name: "quoted1", Value: "cookieValue", MaxAge: 31},
373		{Name: "quoted2", Value: "cookieAV"},
374		{Name: "quoted3", Value: "both"},
375	}
376	if len(got) != len(want) {
377		t.Fatalf("got %d cookies, want %d", len(got), len(want))
378	}
379	for i, w := range want {
380		g := got[i]
381		if g.Name != w.Name || g.Value != w.Value || g.MaxAge != w.MaxAge {
382			t.Errorf("cookie #%d:\ngot  %v\nwant %v", i, g, w)
383		}
384	}
385}
386
387func TestCookieSanitizeValue(t *testing.T) {
388	defer log.SetOutput(os.Stderr)
389	var logbuf bytes.Buffer
390	log.SetOutput(&logbuf)
391
392	tests := []struct {
393		in, want string
394	}{
395		{"foo", "foo"},
396		{"foo;bar", "foobar"},
397		{"foo\\bar", "foobar"},
398		{"foo\"bar", "foobar"},
399		{"\x00\x7e\x7f\x80", "\x7e"},
400		{`"withquotes"`, "withquotes"},
401		{"a z", `"a z"`},
402		{" z", `" z"`},
403		{"a ", `"a "`},
404		{"a,z", `"a,z"`},
405		{",z", `",z"`},
406		{"a,", `"a,"`},
407	}
408	for _, tt := range tests {
409		if got := sanitizeCookieValue(tt.in); got != tt.want {
410			t.Errorf("sanitizeCookieValue(%q) = %q; want %q", tt.in, got, tt.want)
411		}
412	}
413
414	if got, sub := logbuf.String(), "dropping invalid bytes"; !strings.Contains(got, sub) {
415		t.Errorf("Expected substring %q in log output. Got:\n%s", sub, got)
416	}
417}
418
419func TestCookieSanitizePath(t *testing.T) {
420	defer log.SetOutput(os.Stderr)
421	var logbuf bytes.Buffer
422	log.SetOutput(&logbuf)
423
424	tests := []struct {
425		in, want string
426	}{
427		{"/path", "/path"},
428		{"/path with space/", "/path with space/"},
429		{"/just;no;semicolon\x00orstuff/", "/justnosemicolonorstuff/"},
430	}
431	for _, tt := range tests {
432		if got := sanitizeCookiePath(tt.in); got != tt.want {
433			t.Errorf("sanitizeCookiePath(%q) = %q; want %q", tt.in, got, tt.want)
434		}
435	}
436
437	if got, sub := logbuf.String(), "dropping invalid bytes"; !strings.Contains(got, sub) {
438		t.Errorf("Expected substring %q in log output. Got:\n%s", sub, got)
439	}
440}
441
442func BenchmarkCookieString(b *testing.B) {
443	const wantCookieString = `cookie-9=i3e01nf61b6t23bvfmplnanol3; Path=/restricted/; Domain=example.com; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=3600`
444	c := &Cookie{
445		Name:    "cookie-9",
446		Value:   "i3e01nf61b6t23bvfmplnanol3",
447		Expires: time.Unix(1257894000, 0),
448		Path:    "/restricted/",
449		Domain:  ".example.com",
450		MaxAge:  3600,
451	}
452	var benchmarkCookieString string
453	b.ReportAllocs()
454	b.ResetTimer()
455	for i := 0; i < b.N; i++ {
456		benchmarkCookieString = c.String()
457	}
458	if have, want := benchmarkCookieString, wantCookieString; have != want {
459		b.Fatalf("Have: %v Want: %v", have, want)
460	}
461}
462
463func BenchmarkReadSetCookies(b *testing.B) {
464	header := Header{
465		"Set-Cookie": {
466			"NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
467			".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
468		},
469	}
470	wantCookies := []*Cookie{
471		{
472			Name:       "NID",
473			Value:      "99=YsDT5i3E-CXax-",
474			Path:       "/",
475			Domain:     ".google.ch",
476			HttpOnly:   true,
477			Expires:    time.Date(2011, 11, 23, 1, 5, 3, 0, time.UTC),
478			RawExpires: "Wed, 23-Nov-2011 01:05:03 GMT",
479			Raw:        "NID=99=YsDT5i3E-CXax-; expires=Wed, 23-Nov-2011 01:05:03 GMT; path=/; domain=.google.ch; HttpOnly",
480		},
481		{
482			Name:       ".ASPXAUTH",
483			Value:      "7E3AA",
484			Path:       "/",
485			Expires:    time.Date(2012, 3, 7, 14, 25, 6, 0, time.UTC),
486			RawExpires: "Wed, 07-Mar-2012 14:25:06 GMT",
487			HttpOnly:   true,
488			Raw:        ".ASPXAUTH=7E3AA; expires=Wed, 07-Mar-2012 14:25:06 GMT; path=/; HttpOnly",
489		},
490	}
491	var c []*Cookie
492	b.ReportAllocs()
493	b.ResetTimer()
494	for i := 0; i < b.N; i++ {
495		c = readSetCookies(header)
496	}
497	if !reflect.DeepEqual(c, wantCookies) {
498		b.Fatalf("readSetCookies:\nhave: %s\nwant: %s\n", toJSON(c), toJSON(wantCookies))
499	}
500}
501
502func BenchmarkReadCookies(b *testing.B) {
503	header := Header{
504		"Cookie": {
505			`de=; client_region=0; rpld1=0:hispeed.ch|20:che|21:zh|22:zurich|23:47.36|24:8.53|; rpld0=1:08|; backplane-channel=newspaper.com:1471; devicetype=0; osfam=0; rplmct=2; s_pers=%20s_vmonthnum%3D1472680800496%2526vn%253D1%7C1472680800496%3B%20s_nr%3D1471686767664-New%7C1474278767664%3B%20s_lv%3D1471686767669%7C1566294767669%3B%20s_lv_s%3DFirst%2520Visit%7C1471688567669%3B%20s_monthinvisit%3Dtrue%7C1471688567677%3B%20gvp_p5%3Dsports%253Ablog%253Aearly-lead%2520-%2520184693%2520-%252020160820%2520-%2520u-s%7C1471688567681%3B%20gvp_p51%3Dwp%2520-%2520sports%7C1471688567684%3B; s_sess=%20s_wp_ep%3Dhomepage%3B%20s._ref%3Dhttps%253A%252F%252Fwww.google.ch%252F%3B%20s_cc%3Dtrue%3B%20s_ppvl%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_ppv%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-s-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_dslv%3DFirst%2520Visit%3B%20s_sq%3Dwpninewspapercom%253D%252526pid%25253Dsports%2525253Ablog%2525253Aearly-lead%25252520-%25252520184693%25252520-%2525252020160820%25252520-%25252520u-s%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.newspaper.com%2525252F%2525253Fnid%2525253Dmenu_nav_homepage%252526ot%25253DA%3B`,
506		},
507	}
508	wantCookies := []*Cookie{
509		{Name: "de", Value: ""},
510		{Name: "client_region", Value: "0"},
511		{Name: "rpld1", Value: "0:hispeed.ch|20:che|21:zh|22:zurich|23:47.36|24:8.53|"},
512		{Name: "rpld0", Value: "1:08|"},
513		{Name: "backplane-channel", Value: "newspaper.com:1471"},
514		{Name: "devicetype", Value: "0"},
515		{Name: "osfam", Value: "0"},
516		{Name: "rplmct", Value: "2"},
517		{Name: "s_pers", Value: "%20s_vmonthnum%3D1472680800496%2526vn%253D1%7C1472680800496%3B%20s_nr%3D1471686767664-New%7C1474278767664%3B%20s_lv%3D1471686767669%7C1566294767669%3B%20s_lv_s%3DFirst%2520Visit%7C1471688567669%3B%20s_monthinvisit%3Dtrue%7C1471688567677%3B%20gvp_p5%3Dsports%253Ablog%253Aearly-lead%2520-%2520184693%2520-%252020160820%2520-%2520u-s%7C1471688567681%3B%20gvp_p51%3Dwp%2520-%2520sports%7C1471688567684%3B"},
518		{Name: "s_sess", Value: "%20s_wp_ep%3Dhomepage%3B%20s._ref%3Dhttps%253A%252F%252Fwww.google.ch%252F%3B%20s_cc%3Dtrue%3B%20s_ppvl%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_ppv%3Dsports%25253Ablog%25253Aearly-lead%252520-%252520184693%252520-%25252020160820%252520-%252520u-s-lawyer%252C12%252C12%252C502%252C1231%252C502%252C1680%252C1050%252C2%252CP%3B%20s_dslv%3DFirst%2520Visit%3B%20s_sq%3Dwpninewspapercom%253D%252526pid%25253Dsports%2525253Ablog%2525253Aearly-lead%25252520-%25252520184693%25252520-%2525252020160820%25252520-%25252520u-s%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.newspaper.com%2525252F%2525253Fnid%2525253Dmenu_nav_homepage%252526ot%25253DA%3B"},
519	}
520	var c []*Cookie
521	b.ReportAllocs()
522	b.ResetTimer()
523	for i := 0; i < b.N; i++ {
524		c = readCookies(header, "")
525	}
526	if !reflect.DeepEqual(c, wantCookies) {
527		b.Fatalf("readCookies:\nhave: %s\nwant: %s\n", toJSON(c), toJSON(wantCookies))
528	}
529}
530