net/http: clarify that AddCookie only sanitizes the Cookie being added AddCookie properly encodes a cookie and appends it to the Cookie header field but does not modify or sanitize what the Cookie header field contains already. If a user manualy sets the Cookie header field to something not conforming to RFC 6265 then a cookie added via AddCookie might not be retrievable. Fixes #38437 Change-Id: I232b64ac489b39bb962fe4f7dbdc2ae44fcc0514 Reviewed-on: https://go-review.googlesource.com/c/go/+/235141 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>

commit: 1519bc4457af7179557a4f04bb35a4e07bedd118 [log] [tgz]
author: Volker Dobler <dr.volker.dobler@gmail.com> Tue May 26 16:55:28 2020 +0200
committer: Emmanuel Odeke <emm.odeke@gmail.com> Fri May 29 09:21:54 2020 +0000
tree: e8d9aa3d63547ec795fcdf725ee7b3afce3df81e
parent: 8f4151ea67e1d498e0880f28d3fd803dc2c5448f [diff]
diff --git a/src/net/http/request.go b/src/net/http/request.go
index e386f13..e924e2a 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go

@@ -425,6 +425,8 @@
 // AddCookie does not attach more than one Cookie header field. That
 // means all cookies, if any, are written into the same line,
 // separated by semicolon.
+// AddCookie only sanitizes c's name and value, and does not sanitize
+// a Cookie header already present in the request.
 func (r *Request) AddCookie(c *Cookie) {
 	s := fmt.Sprintf("%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value))
 	if c := r.Header.Get("Cookie"); c != "" {
commit	1519bc4457af7179557a4f04bb35a4e07bedd118	[log] [tgz]
author	Volker Dobler <dr.volker.dobler@gmail.com>	Tue May 26 16:55:28 2020 +0200
committer	Emmanuel Odeke <emm.odeke@gmail.com>	Fri May 29 09:21:54 2020 +0000
tree	e8d9aa3d63547ec795fcdf725ee7b3afce3df81e
parent	8f4151ea67e1d498e0880f28d3fd803dc2c5448f [diff]