You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using URLSession to perform HTTP requests, there is an edge case that works on macOS, but causes the process to terminate with illegal instruction on Linux.
Set-Cookie: country=hu; path=/;
If the server response contains a trailing semicolon in a Set-Cookie header, the HTTPCookie.cookies(withResponseHeaderFields:for:) method crashes.
Consider the following Swift code that uses URLSession (inside):
import Foundation
do{letdata=tryData(contentsOf:URL(string:"https://https://www.espn.com/espnradio/feeds/rss/podcast.xml?id=26832777")!)print(String(data: data, encoding:.utf8)!)}catch{print(error)}
On macOS, the code executes perfectly fine and prints the XML data.
On Linux (official Swift 5.0.2 docker image), the process crashes and dumps a stacktrace instead:
The stacktrace is a bit different on 4.2.4, but still originates from the same HTTPCookie.cookies(withResponseHeaderFields:for:) method.
While inspecting the response from the mentioned URL with curl -v, the Set-Cookie headers became suspicious. Particularly, the semicolons after each line:
To test this suspicion, I hacked together a small hello-world-like Node.js script (attached as index.js).
Running it on macOS while pointing the test Swift code running in Docker at host.docker.internal:3000 allowed me to test how URLSession behaves depending on the headers.
I confirmed that if the semicolon is at the end of the header, HTTPCookie crashes; and by removing the extra semicolon the crash disappears as well.
The text was updated successfully, but these errors were encountered:
Note this affects 5.0.2 but 5.1 and master are unaffected - there have been serveral PRs to fix HTTPCookie issues including parsing that went into master post 5.0.
Attachment: Download
Environment
Swift 5.0.2 using the official swift:5.0.2 Docker image.
Additional Detail from JIRA
md5: d9768b4cd9f0c26fef747e98c5ada8a6
Issue Description:
tl;dr version
When using URLSession to perform HTTP requests, there is an edge case that works on macOS, but causes the process to terminate with illegal instruction on Linux.
If the server response contains a trailing semicolon in a Set-Cookie header, the
HTTPCookie.cookies(withResponseHeaderFields:for:)
method crashes.One liner reproduction:
Long version
Consider the following Swift code that uses URLSession (inside):
On macOS, the code executes perfectly fine and prints the XML data.
On Linux (official Swift 5.0.2 docker image), the process crashes and dumps a stacktrace instead:
The stacktrace is a bit different on 4.2.4, but still originates from the same
HTTPCookie.cookies(withResponseHeaderFields:for:)
method.While inspecting the response from the mentioned URL with
curl -v
, the Set-Cookie headers became suspicious. Particularly, the semicolons after each line:To test this suspicion, I hacked together a small hello-world-like Node.js script (attached as index.js).
Running it on macOS while pointing the test Swift code running in Docker at
host.docker.internal:3000
allowed me to test how URLSession behaves depending on the headers.I confirmed that if the semicolon is at the end of the header, HTTPCookie crashes; and by removing the extra semicolon the crash disappears as well.
The text was updated successfully, but these errors were encountered: