Replace std::string::find with base::StartsWith when comparing cookie paths.

net/cookies/canonical_cookie.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Portions of this code based on Mozilla:
 //   (netwerk/cookie/src/nsCookieService.cpp)
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
@@ skipping 29 matching lines @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "net/cookies/canonical_cookie.h"
 
 #include "base/format_macros.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "net/cookies/cookie_util.h"
 #include "net/cookies/parsed_cookie.h"
 #include "url/gurl.h"
 #include "url/url_canon.h"
 
 using base::Time;
 using base::TimeDelta;
 
 namespace net {
@@ skipping 282 matching lines @@
   // would also make no sense for our prefix match.  The code that
   // creates a CanonicalCookie should make sure the path is never zero length,
   // but we double check anyway.
   if (path_.empty())
     return false;
 
   // The Mozilla code broke this into three cases, based on if the cookie path
   // was longer, the same length, or shorter than the length of the url path.
   // I think the approach below is simpler.
 
-  // Make sure the cookie path is a prefix of the url path.  If the
-  // url path is shorter than the cookie path, then the cookie path
-  // can't be a prefix.
-  if (url_path.find(path_) != 0)
+  // Make sure the cookie path is a prefix of the url path.  If the url path is
+  // shorter than the cookie path, then the cookie path can't be a prefix.
+  if (!base::StartsWith(url_path, path_, base::CompareCase::SENSITIVE))

[mmenke, 2016/03/02 20:02:01]

Does this really mean that you can set cookies with paths "bar" and "bar/"...And
the first would not be returned for "bar", but both would be returned for
"bar/"?

[Mike West, 2016/03/03 18:56:28]

That sounds wrong. The path matching algorithm at
https://tools.ietf.org/html/rfc6265#section-5.1.4 says 'The cookie-path is a
prefix of the request-path, and the first character of the request-path that is
not included in the cookie-path is a %x2F ("/") character.' `path=/bar` should
match `/bar/foo` and `/bar`.

[mmenke, 2016/03/03 19:02:58]

Sorry, that should be "/bar/" and "/bar"...  and was meant to go below line 367.
(Notice the path_.back() check, in particular)

     return false;
 
-  // Now we know that url_path is >= cookie_path, and that cookie_path
-  // is a prefix of url_path.  If they are the are the same length then
-  // they are identical, otherwise we need an additional check:
+  // |url_path| is >= |path_|, and |path_| is a prefix of |url_path|.  If they
+  // are the are the same length then they are identical, otherwise need an
+  // additional check:
 
   // In order to avoid in correctly matching a cookie path of /blah
   // with a request path of '/blahblah/', we need to make sure that either
   // the cookie path ends in a trailing '/', or that we prefix up to a '/'
   // in the url path.  Since we know that the url path length is greater
   // than the cookie path length, it's safe to index one byte past.
   if (path_.length() != url_path.length() && path_.back() != '/' &&
-      url_path[path_.length()] != '/')
+      url_path[path_.length()] != '/') {
     return false;
+  }
 
   return true;
 }
 
 bool CanonicalCookie::IsDomainMatch(const std::string& host) const {
   // Can domain match in two ways; as a domain cookie (where the cookie
   // domain begins with ".") or as a host cookie (where it doesn't).
 
   // Some consumers of the CookieMonster expect to set cookies on
   // URLs like http://.strange.url.  To retrieve cookies in this instance,
@@ skipping 126 matching lines @@
   if (prefix == CanonicalCookie::COOKIE_PREFIX_SECURE)
     return parsed_cookie.IsSecure() && url.SchemeIsCryptographic();
   if (prefix == CanonicalCookie::COOKIE_PREFIX_HOST) {
     return parsed_cookie.IsSecure() && url.SchemeIsCryptographic() &&
            !parsed_cookie.HasDomain() && parsed_cookie.Path() == "/";
   }
   return true;
 }
 
 }  // namespace net