remove support for ampersand-delimited cookie values

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8861 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

remove support for ampersand-delimited cookie values
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8861 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
11787b80 · Jamis Buck · 87393901 · 11787b80 · 11787b80 · 11787b80
3 changed file
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
 *SVN*

+* Remove support for multivalued (e.g., '&'-delimited) cookies. [Jamis Buck]
+
 * Fix problem with render :partial collections, records, and locals. #11057 [lotswholetime] 

 * Added support for naming concrete classes in sweeper declarations [DHH]

--- a/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/actionpack/lib/action_controller/cgi_ext/cookie.rb
@@ -90,12 +90,11 @@ def self.parse(raw_cookie)

      if raw_cookie
        raw_cookie.split(/;\s?/).each do |pairs|
-          name, values = pairs.split('=',2)
-          next unless name and values
+          name, value = pairs.split('=',2)
+          next unless name and value
          name = CGI::unescape(name)
-          values = values.split('&').collect!{|v| CGI::unescape(v) }
          unless cookies.has_key?(name)
-            cookies[name] = new(name, *values)
+            cookies[name] = new(name, CGI::unescape(value))
          end
        end
      end

--- a/actionpack/test/controller/cookie_test.rb
+++ b/actionpack/test/controller/cookie_test.rb
@@ -132,4 +132,9 @@ def test_cookie_to_s_hash_default_not_secure_not_http_only
    assert cookie_str !~ /secure/
    assert cookie_str !~ /HttpOnly/
  end
+
+  def test_cookies_should_not_be_split_on_ampersand_values
+    cookies = CGI::Cookie.parse('return_to=http://rubyonrails.org/search?term=api&scope=all&global=true')
+    assert_equal({"return_to" => ["http://rubyonrails.org/search?term=api&scope=all&global=true"]}, cookies)
+  end
 end