From: Toke Høiland-Jørgensen
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] url: Wrap cookie headers in url-http--encode-string.
Date: Fri, 09 Sep 2016 21:56:44 +0200
Message-ID: <87k2ek7soz.fsf@toke.dk>
Cc: Alain Schneble, emacs-devel@gnu.org, monnier@iro.umontreal.ca, dgutov@yandex.ru
To: Eli Zaretskii
In-Reply-To: <8337l8am6k.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 09 Sep 2016 22:49:07 +0300")

Eli Zaretskii writes:

>> From: Alain Schneble
>> Date: Fri, 9 Sep 2016 21:47:23 +0200
>>
>> > That's not the issue. The issue is whether a cookie-value can
>> > legitimately have non-ASCII characters. If it can, then we must
>> > _encode_ the cookie-value, as that is the only correct way of getting
>> > a unibyte string from non-ASCII characters. And you pointed to an RFC
>> > that seems to say non-ASCII characters in cookies are possible.
>>
>> Yes true, but I thought that maybe fixing this as described could be a
>> viable non-invasive alternative for the upcoming 25.1 release.
>
> It wouldn't be safe if cookies could include non-ASCII characters.

Well, according to this: http://stackoverflow.com/a/1969339 Safari, at
least, will reject non-ASCII cookies. Which implies that in practice no
sites will use non-ASCII values because they would break.

How would url react if it loaded a page that contained a non-ASCII
cookie string, is really the question to be asking here. Presumably
there's some kind of input sanitation somewhere?

-Toke