Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:111908 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 11622 invoked from network); 21 Sep 2020 02:13:02 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 21 Sep 2020 02:13:02 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 6A6011804AA for ; Sun, 20 Sep 2020 18:22:29 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com [209.85.216.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 20 Sep 2020 18:22:28 -0700 (PDT) Received: by mail-pj1-f53.google.com with SMTP id a9so6551907pjg.1 for ; Sun, 20 Sep 2020 18:22:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=2/elyNqESro3Pu6R1LJBXRztIfyURqngOnyWnRahSAk=; b=txq55DKjaK0FeqKdWVbSjefsmytzacGYcbNdNZVOQC7rrcNDljivH/ouccyH/BO8W8 6znxeTXOxiptL+e7puMgoX4I7ivp9jwXdPPfp83s9AWSChYzq9n/jVsGwGFkraxd3l2D vv5RInIYkW41uJg6D0OypRjZPyT+NDitLitjVCWIjC7IdRC713QfZGDAeafhIrObBTeA lWFGwS/Vy7tsFH7xvAtg0olSHian9iQI7tE4vxy9GXMiDyoX+C86ouUqems7IA4r4J4X wDuJaBnwNoUN86vNYaj3PyG3rJaf7hof3imG1vKmfCMWvuQoDEsgTCaaL+LxO25Ayky1 omlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=2/elyNqESro3Pu6R1LJBXRztIfyURqngOnyWnRahSAk=; b=kvtVr1JQKKtaHiyDRmms6Df4FqyJ5VE0cKoB8P3MdXkntkFl1Ul5BLM5/QsEYbLXbU eceQ7ooyVzxu4vF26IA6Hpmray2C6Z2VxKL3IxY5pf5DE6gmfTeF0B99JSmklwdT1pvI UedxEITnXKXDqrmk8NNGQUR9s9FhYBq5F0r8YTOz/sActsfDJUD5vsKuSon6+sMJ/HMb Mx40XtKCV5FO1c9C0WXa+2KZrSwEQPSv965nvxpH7L3xKH5qCPrHP5RjBeZTnN50nb99 HTEqM1WNg/MWq1JrWTEhFJQBa9AdraOU4kamu7m5GA3bWHtvlOCFyNDwW8o8TcEaAF9z oLnA== X-Gm-Message-State: AOAM530ZvDozbGGlwWCqO+ZVYlbdChAeLldCNxRPo/yvx0E9EzdzRfsT wg0LQ0cCAOFPgID/V56PgHRKw5MEf1kn X-Google-Smtp-Source: ABdhPJxvG63HhTnTbSNR7qG6X1o29ipe/5owKSla7YD6J+hJ5VGbShtrG6LphATELRFnSv2vLcdHaQ== X-Received: by 2002:a17:90a:e68f:: with SMTP id s15mr21672581pjy.79.1600651346365; Sun, 20 Sep 2020 18:22:26 -0700 (PDT) Received: from Stas-Mac-3.local ([104.143.92.219]) by smtp.gmail.com with ESMTPSA id x185sm10235382pfc.188.2020.09.20.18.22.25 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 20 Sep 2020 18:22:25 -0700 (PDT) To: PHP Internals Message-ID: Date: Sun, 20 Sep 2020 18:22:24 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.2.2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Decoding cookie names From: smalyshev@gmail.com (Stanislav Malyshev) Hi! In one of the bug reports there was a question raised - should PHP be decoding cookie names? Right now it does. The standard is pretty much silent on this, and looks like such behavior leads to security problems: https://hackerone.com/reports/895727 However I am not sure whether it's ok to change it, since it fails a couple of tests (easy to fix) and may also break some stuff I have no idea about. In general, using url-encoded cookie names is very weird, but I can't guarantee nobody does it. So, I wonder what exactly should we do in this case? RoR folks just changed the code to not decode cookies. Also, php_setcookie() does not seem to encode cookie names (note: we're talking names not values here!) when we send them out, so maybe it doesn't make sense to decode them when we receive them? What do you think? -- Stas Malyshev smalyshev@gmail.com