net: fix cookie parsing when ; is used (fix #25544) (#25561)

felipensp · web-flow · commit d9a24ba5b9cc · 2025-10-22T17:07:06.000+03:00
diff --git a/vlib/net/http/cookie.v b/vlib/net/http/cookie.v
@@ -192,8 +192,9 @@ pub fn sanitize_cookie_value(v string) string {
 	if v.len == 0 {
 		return v
 	}
-	// Check for the existence of a space or comma
-	if val.starts_with(' ') || val.ends_with(' ') || val.starts_with(',') || val.ends_with(',') {
+	// Check for the existence of a space, comma or semicolon
+	if val.starts_with(' ') || v.contains(';') || val.ends_with(' ') || val.starts_with(',')
+		|| val.ends_with(',') {
 		return '"${v}"'
 	}
 	return v
diff --git a/vlib/net/http/cookie_test.v b/vlib/net/http/cookie_test.v
@@ -224,6 +224,13 @@ const write_set_cookie_tests = [
 		}
 		raw:    ''
 	},
+	SetCookieTestCase{
+		cookie: &http.Cookie{
+			name:  'complex-value'
+			value: 'a b,c;d'
+		}
+		raw:    'complex-value="a b,c;d"'
+	},
 ]
 const add_cookies_tests = [
 	AddCookieTestCase{

Original file line number	Diff line number	Diff line change
`@@ -192,8 +192,9 @@ pub fn sanitize_cookie_value(v string) string {`
`192`	`192`	`if v.len == 0 {`
`193`	`193`	`return v`
`194`	`194`	`}`
`195`		`- // Check for the existence of a space or comma`
`196`		`- if val.starts_with(' ') \|\| val.ends_with(' ') \|\| val.starts_with(',') \|\| val.ends_with(',') {`
	`195`	`+ // Check for the existence of a space, comma or semicolon`
	`196`	`+ if val.starts_with(' ') \|\| v.contains(';') \|\| val.ends_with(' ') \|\| val.starts_with(',')`
	`197`	`+ \|\| val.ends_with(',') {`
`197`	`198`	`return '"${v}"'`
`198`	`199`	`}`
`199`	`200`	`return v`