Don't crash on empty Cookie header

It's not allowed, however a heavily deployed client (Flash player)
can send such an empty header, therefore we make a special condition
for it and return an empty list when it happens.

1 files changed, 8 insertions, 2 deletions

diff --git a/src/cowboy_req.erl b/src/cowboy_req.erl
index 093663c..0e1c8a7 100644
--- a/src/cowboy_req.erl
+++ b/src/cowboy_req.erl
@@ -492,7 +492,10 @@ cookie(Name, Req=#http_req{cookies=undefined}, Default) when is_binary(Name) ->
 		{ok, undefined, Req2} ->
 			{Default, Req2#http_req{cookies=[]}};
 		{ok, Cookies, Req2} ->
-			cookie(Name, Req2#http_req{cookies=Cookies}, Default)
+			cookie(Name, Req2#http_req{cookies=Cookies}, Default);
+		%% Flash player incorrectly sends an empty Cookie header.
+		{error, badarg} ->
+			{Default, Req#http_req{cookies=[]}}
 	end;
 cookie(Name, Req, Default) ->
 	case lists:keyfind(Name, 1, Req#http_req.cookies) of
@@ -507,7 +510,10 @@ cookies(Req=#http_req{cookies=undefined}) ->
 		{ok, undefined, Req2} ->
 			{[], Req2#http_req{cookies=[]}};
 		{ok, Cookies, Req2} ->
-			cookies(Req2#http_req{cookies=Cookies})
+			cookies(Req2#http_req{cookies=Cookies});
+		%% Flash player incorrectly sends an empty Cookie header.
+		{error, badarg} ->
+			{[], Req#http_req{cookies=[]}}
 	end;
 cookies(Req=#http_req{cookies=Cookies}) ->
 	{Cookies, Req}.