Use RFC6265 rules for cookie path & path matching

Url encoding of paths is no longer used. This matches the
current release behaviour of Firefox, Chrome and MSIE browsers.
RFC6265 does not allow this type of encoding.

This fixes remaining path test cases in the IETF test suite.
Currently the path0027 test is passed by Firefox but failed by
Chrome and MSIE, so there is a potential compatibility issue.
However it is a corner case with a malformed cookie.

Task-number: QTBUG-15794
Change-Id: I9b02bb5adc32d614f512d314d06f2c60894aa2b0
Reviewed-by: Richard J. Moore <rich@kde.org>

2 files changed, 25 insertions, 8 deletions

diff --git a/src/network/access/qnetworkcookie.cpp b/src/network/access/qnetworkcookie.cpp
index 306195addb..5a75dd55e8 100644
--- a/src/network/access/qnetworkcookie.cpp
+++ b/src/network/access/qnetworkcookie.cpp
@@ -466,7 +466,7 @@ QByteArray QNetworkCookie::toRawForm(RawForm form) const
         }
         if (!d->path.isEmpty()) {
             result += "; path=";
-            result += QUrl::toPercentEncoding(d->path, "/");
+            result += d->path.toUtf8();
         }
     }
     return result;
@@ -954,8 +954,15 @@ QList<QNetworkCookie> QNetworkCookiePrivate::parseSetCookieHeaderLine(const QByt
                     }
                     //if unparsed, ignore the attribute but not the whole cookie (RFC6265 section 5.2.2)
                 } else if (field.first == "path") {
-                    QString path = QUrl::fromPercentEncoding(field.second);
-                    cookie.setPath(path);
+                    if (field.second.startsWith('/')) {
+                        // ### we should treat cookie paths as an octet sequence internally
+                        // However RFC6265 says we should assume UTF-8 for presentation as a string
+                        cookie.setPath(QString::fromUtf8(field.second));
+                    } else {
+                        // if the path doesn't start with '/' then set the default path (RFC6265 section 5.2.4)
+                        // and also IETF test case path0030 which has valid and empty path in the same cookie
+                        cookie.setPath(QString());
+                    }
                 } else if (field.first == "secure") {
                     cookie.setSecure(true);
                 } else if (field.first == "httponly") {
diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index 9e5dfe0371..b4cf8ce0bf 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -140,11 +140,21 @@ void QNetworkCookieJar::setAllCookies(const QList<QNetworkCookie> &cookieList)
 
 static inline bool isParentPath(QString path, QString reference)
 {
-    if (!path.endsWith(QLatin1Char('/')))
-        path += QLatin1Char('/');
-    if (!reference.endsWith(QLatin1Char('/')))
-        reference += QLatin1Char('/');
-    return path.startsWith(reference);
+    if (path.startsWith(reference)) {
+        //The cookie-path and the request-path are identical.
+        if (path.length() == reference.length())
+            return true;
+        //The cookie-path is a prefix of the request-path, and the last
+        //character of the cookie-path is %x2F ("/").
+        if (reference.endsWith('/'))
+            return true;
+        //The cookie-path is a prefix of the request-path, and the first
+        //character of the request-path that is not included in the cookie-
+        //path is a %x2F ("/") character.
+        if (path.at(reference.length()) == '/')
+            return true;
+    }
+    return false;
 }
 
 static inline bool isParentDomain(QString domain, QString reference)