remove support for ampersand-delimited cookie values

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8861 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-02-12 21:45:39 +00:00 · 2008-02-12 21:45:39 +00:00 · 11787b802a
commit 11787b802a
parent 8739390134
3 changed files with 10 additions and 4 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@ -1,5 +1,7 @@
 *SVN*

+* Remove support for multivalued (e.g., '&'-delimited) cookies. [Jamis Buck]
+
 * Fix problem with render :partial collections, records, and locals. #11057 [lotswholetime] 

 * Added support for naming concrete classes in sweeper declarations [DHH]
--- a/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/actionpack/lib/action_controller/cgi_ext/cookie.rb
@ -90,12 +90,11 @@ def self.parse(raw_cookie)

      if raw_cookie
        raw_cookie.split(/;\s?/).each do |pairs|
-          name, values = pairs.split('=',2)
-          next unless name and values
+          name, value = pairs.split('=',2)
+          next unless name and value
          name = CGI::unescape(name)
-          values = values.split('&').collect!{|v| CGI::unescape(v) }
          unless cookies.has_key?(name)
-            cookies[name] = new(name, *values)
+            cookies[name] = new(name, CGI::unescape(value))
          end
        end
      end
--- a/actionpack/test/controller/cookie_test.rb
+++ b/actionpack/test/controller/cookie_test.rb
@ -132,4 +132,9 @@ def test_cookie_to_s_hash_default_not_secure_not_http_only
    assert cookie_str !~ /secure/
    assert cookie_str !~ /HttpOnly/
  end
+
+  def test_cookies_should_not_be_split_on_ampersand_values
+    cookies = CGI::Cookie.parse('return_to=http://rubyonrails.org/search?term=api&scope=all&global=true')
+    assert_equal({"return_to" => ["http://rubyonrails.org/search?term=api&scope=all&global=true"]}, cookies)
+  end
 end