From 73d82396c01c631dab54aa3b4786a096f1d3cb4f Mon Sep 17 00:00:00 2001
From: Vadim Belman <vrurg@lflat.org>
Date: Tue, 22 Oct 2024 20:58:44 -0400
Subject: [PATCH] Fix cases where cookie may have duplicate parameters

This is a real-life case where dumb ASP.NET software managed to set two
conflicting values for `SameSite` parameter. Such situation causes
Cro::HTTP::Cookie to die.

According to RFC 6265bis specs (or, at least, according to how ChatGPT
interprets them since I got no time to read them in full), the standard
parameters must not be repeated. If this is not the case then client
software should either reject wrong-made cookie or use the first
specified parameter. From the resilience perspective, the second
approach is preferable.
---
 lib/Cro/HTTP/Cookie.pm6 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Cro/HTTP/Cookie.pm6 b/lib/Cro/HTTP/Cookie.pm6
index 81ff6ab..8c91b96 100644
--- a/lib/Cro/HTTP/Cookie.pm6
+++ b/lib/Cro/HTTP/Cookie.pm6
@@ -76,7 +76,7 @@ class Cro::HTTP::Cookie::CookieBuilder {
                     %extensions.append(.extension);
                 }
                 default {
-                    %args.append($_);
+                    %args{$_[0]} //= $_[1];
                 }
             }
         };