Add spaces after semicolons in Set-Cookie header

Fixes #486.
ring-clojure · Aug 31, 2023 · 7ce01f8 · 7ce01f8
1 parent 81f136f
commit 7ce01f8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/ring-core/src/ring/middleware/cookies.clj b/ring-core/src/ring/middleware/cookies.clj
@@ -106,12 +106,12 @@
   (for [[key value] attrs]
     (let [attr (name (set-cookie-attrs key))]
       (cond
-        (satisfies? CookieInterval value) (str ";" attr "=" (->seconds value))
-        (satisfies? CookieDateTime value) (str ";" attr "=" (rfc822-format value))
-        (true? value) (str ";" attr)
+        (satisfies? CookieInterval value) (str "; " attr "=" (->seconds value))
+        (satisfies? CookieDateTime value) (str "; " attr "=" (rfc822-format value))
+        (true? value) (str "; " attr)
         (false? value) ""
-        (= :same-site key) (str ";" attr "=" (same-site-values value))
-        :else (str ";" attr "=" value)))))
+        (= :same-site key) (str "; " attr "=" (same-site-values value))
+        :else (str "; " attr "=" value)))))
 
 (defn- write-cookies [cookies encoder]
   (for [[key value] cookies]

diff --git a/ring-core/test/ring/middleware/test/cookies.clj b/ring-core/test/ring/middleware/test/cookies.clj
@@ -47,7 +47,7 @@
            (:headers resp)))))
 
 (defn- split-set-cookie [headers]
-  (letfn [(split-header [v] (set (mapcat #(str/split % #";") v)))]
+  (letfn [(split-header [v] (set (mapcat #(str/split % #"; ?") v)))]
     (update-in headers ["Set-Cookie"] split-header)))
 
 (deftest wrap-cookies-set-extra-attrs
@@ -169,6 +169,18 @@
                     0 0 0 0
                     (ZoneId/of "UTC")))
 
+(deftest wrap-cookies-spaces-after-semicolons-test
+  (let [cookies {"a" {:value "b"
+                      :path "/", :secure true, :same-site :lax
+                      :expires (zoned-date-time 2015 12 31)
+                      :max-age (Duration/between (zoned-date-time 2012)
+                                                 (zoned-date-time 2015))}}
+        handler (constantly {:cookies cookies})
+        resp    ((wrap-cookies handler) {})
+        header  (first (get-in resp [:headers "Set-Cookie"]))]
+    (is (re-matches #"([^;]+; )+([^;]+)" header)
+        "spaces after semicolons in Set-Cookie")))
+
 (deftest wrap-cookies-accepts-max-age-from-java-time
   (let [cookies {"a" {:value "b", :path "/",
                       :secure true, :http-only true,