From 11787b802a1ea8152507e94940f9af394d343c4c Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Tue, 12 Feb 2008 21:45:39 +0000
Subject: remove support for ampersand-delimited cookie values
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8861 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/CHANGELOG | 2 ++
 actionpack/lib/action_controller/cgi_ext/cookie.rb | 7 +++----
 actionpack/test/controller/cookie_test.rb | 5 +++++
 3 files changed, 10 insertions(+), 4 deletions(-)
(limited to 'actionpack')
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 166b2319ff..a718b4b8e0 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
+* Remove support for multivalued (e.g., '&'-delimited) cookies. [Jamis Buck]
+
 * Fix problem with render :partial collections, records, and locals. #11057 [lotswholetime]
 * Added support for naming concrete classes in sweeper declarations [DHH]
diff --git a/actionpack/lib/action_controller/cgi_ext/cookie.rb b/actionpack/lib/action_controller/cgi_ext/cookie.rb
index c7ea1b6443..3dd374f126 100644
--- a/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/actionpack/lib/action_controller/cgi_ext/cookie.rb
@@ -90,12 +90,11 @@ class CGI #:nodoc:
 if raw_cookie
 raw_cookie.split(/;\s?/).each do |pairs|
- name, values = pairs.split('=',2)
- next unless name and values
+ name, value = pairs.split('=',2)
+ next unless name and value
 name = CGI::unescape(name)
- values = values.split('&').collect!{|v| CGI::unescape(v) }
 unless cookies.has_key?(name)
- cookies[name] = new(name, *values)
+ cookies[name] = new(name, CGI::unescape(value))
 end
 end
 end
diff --git a/actionpack/test/controller/cookie_test.rb b/actionpack/test/controller/cookie_test.rb
index 6a82a26261..0483fe918a 100644
--- a/actionpack/test/controller/cookie_test.rb
+++ b/actionpack/test/controller/cookie_test.rb
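Review bot: The parser in the cookie.rb hunk stops treating `&` as a separator, but the code that serializes cookies is not visible here, so it should be confirmed that array values are no longer written `&`-joined; if they still are, a multi-valued cookie now reads back as one string with literal `&` in it, and any caller that expects several values changes behaviour silently. A comment above the split would record the new contract, for example `# The text after the first '=' is one value; '&' is not a separator.`. The `unless cookies.has_key?(name)` context line keeps the first cookie seen for a repeated name and drops the rest, which also deserves a one-line comment because it decides which of two same-named cookies the application trusts. The enclosing method starts and ends outside the hunk.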
@@ -132,4 +132,9 @@ class CookieTest < Test::Unit::TestCase
 assert cookie_str !~ /secure/
 assert cookie_str !~ /HttpOnly/
 end
+
+ def test_cookies_should_not_be_split_on_ampersand_values
+ cookies = CGI::Cookie.parse('return_to=http://rubyonrails.org/search?term=api&scope=all&global=true')
+ assert_equal({"return_to" => ["http://rubyonrails.org/search?term=api&scope=all&global=true"]}, cookies)
+ end
 end
--
cgit v1.2.3
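Review bot: The new test in cookie_test.rb covers only a raw `&`, so nothing pins how a percent-encoded ampersand or a repeated cookie name is parsed after this change. A companion assertion such as `assert_equal({"k" => ["a&b"]}, CGI::Cookie.parse('k=a%26b'))` (constructed sample) would show that the value is unescaped once and still stays a single value. A second case with the same name appearing twice in the header would pin which occurrence the parser keeps.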