When parsing cookies, only decode the values

[CVE-2020-8184]

Author: fletchto99

lib/rack/utils.rb

@@ -215,8 +215,12 @@ def parse_cookies_header(header)
       #   the Cookie header such that those with more specific Path attributes
       #   precede those with less specific.  Ordering with respect to other
       #   attributes (e.g., Domain) is unspecified.
-      cookies = parse_query(header, ';,') { |s| unescape(s) rescue s }
-      cookies.each_with_object({}) { |(k, v), hash| hash[k] = Array === v ? v.first : v }
+      return {} unless header
+      header.split(/[;,] */n).each_with_object({}) do |cookie, cookies|
+        next if cookie.empty?
+        key, value = cookie.split('=', 2)
+        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
+      end
     end
     module_function :parse_cookies_header
 

test/spec_utils.rb

@@ -512,6 +512,10 @@ def initialize(*)
 
     env = Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar").freeze
     Rack::Utils.parse_cookies(env).must_equal({ "foo" => "bar" })
+
+    env = Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar")
+    cookies = Rack::Utils.parse_cookies(env)
+    cookies.must_equal({ "%66oo" => "baz", "foo" => "bar" })
   end
 
   it "adds new cookies to nil header" do