I've come across a bug in the escape_url macro
in apache_cookie.c. For cookies that have an "&"
sign in them somewhere like
  -name = "people"
  -value = "Jack&Jill"
It will wind up being serialized as something like:
  Set-Cookie: people=Jack&Jill; ...
                         ^
              *not* escaped by escape_url
When this cookie is returned to the server, it will be parsed
like a multivalued cookie because "&" is used as the separator in
ApacheCookie_parse (this is common practice).
It needs to be uri-escaped to %26 in this case, but I don't
think ap_os_escape_path will work as is, since it escapes the % sign:
  ap_os_escape_path( p , "Jack%26Jill" , 1) == "Jack%2526Jill"
which is also bad. There needs to be an additional escape for "&"
on the result of ap_os_escape_path.
I should have a patch ready in a few days.
--
Joe Schaefer
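
An added example (not part of the original post, and not libapreq code) of the behaviour described above: the raw value is percent-encoded exactly once, with "&" and "%" both escaped, so a parser that splits on "&" sees one value. The names cookie_escape, cookie_unescape and cookie_value_count are hypothetical, and no Apache API is used.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-encode a raw cookie value: every byte outside the RFC 3986
 * unreserved set is escaped, including '&', ';', '=' and '%'. Caller frees. */
char *cookie_escape(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr("-._~", c)) { *o++ = (char)c; continue; }
        *o++ = '%'; *o++ = hex[c >> 4]; *o++ = hex[c & 15];
    }
    *o = '\0';
    return out;
}

/* Decode %XX in place; malformed escapes are copied through unchanged. */
void cookie_unescape(char *s)
{
    char *o = s;
    for (; *s; s++, o++) {
        *o = *s;
        if (*s != '%' || !isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) continue;
        char h[3] = { s[1], s[2], '\0' };
        *o = (char)strtol(h, NULL, 16);
        s += 2;
    }
    *o = '\0';
}

/* Number of values seen by a parser that splits the encoded value on '&'. */
int cookie_value_count(const char *wire)
{
    int n = 1;
    for (; *wire; wire++) n += (*wire == '&');
    return n;
}

int main(void)
{
    char *wire = cookie_escape("Jack&Jill");  /* constructed sample value */
    if (wire) printf("people=%s -> %d value(s)\n", wire, cookie_value_count(wire));
    free(wire);
    return 0;
}
```

Passing an already-encoded string such as "Jack%26Jill" through cookie_escape yields "Jack%2526Jill", the double escape the post warns about, so the encoder must only ever be given the raw value.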