Cookie being created with [" prefixed to name versions 3.0 thru 3.0.8 about rack HOT 7 CLOSED

in case future googlers end up here, it looks like the next passenger release will fix it phusion/passenger#2503

from rack.

@skipkayhil Thanks for pointing that out. In Rack 3, response header values can be arrays, and if the web server does not support Rack 3, they may be converting the array to a string, and operating on that. That would explain why [ is the first character. So it sounds quite likely that this issue is caused by using Rack 3 with a webserver that does not support it. In that case, I recommend switching to a different web server, or forcing the use of Rack 2 (as mentioned in the Rails issue).

from rack.

@trak3r what web server are you using? In rails/rails#49422 we found that Passenger does not yet support Rack 3

from rack.

I have my doubts that downgrading to the latest Rack 2.2 release fixes this issue:

h = {} 
Rack::Utils.set_cookie_header!(h, '[a]', '[]')
p Rack.release
p h
p Rack::Utils.parse_cookies_header(h['set-cookie'] || h['Set-Cookie'])

Output:

"2.2.2"
{"Set-Cookie"=>"%5Ba%5D=%5B%5D"}
{"[a]"=>"[]"}

"2.2.8"
{"Set-Cookie"=>"%5Ba%5D=%5B%5D"}
{"%5Ba%5D"=>"[]"}

"3.0.8"
{"set-cookie"=>"%5Ba%5D=%5B%5D"}
{"%5Ba%5D"=>"[]"}

This was likely changed by 1f5763d, a security fix for CVE-2020-8184, which was included in Rack 2.2.3.

from rack.

@skipkayhil i am indeed running Passenger 6.0.17/18 so that would explain it. thank you very much! cc @jeremyevans

from rack.

I believe this issue has been addressed, and will be fixed in a subsequent release of Passenger.

from rack.

This issue also affects unicorn. The master branch supports Rack 3 but the latest version of unicorn (6.1.0) doesn't support it. A v7 release of unicorn will be here "soon" as mentioned here: https://yhbt.net/unicorn-public/20231214230933.M299458@dcvr/

from rack.