Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:111909 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 31145 invoked from network); 21 Sep 2020 09:12:08 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 21 Sep 2020 09:12:08 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 6A4ED1804DA for ; Mon, 21 Sep 2020 01:21:44 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 21 Sep 2020 01:21:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1600676501; bh=5jRkQQldHjnk2g88whtftLg4JXKsV+h8wgtQyz/5PEw=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=SvO4zFGBUylhuxg7iPxdUjOMn3kB6vNMIwwdr5DHdht/ET4fuM7CcdhpGpi/LK4Mk Dpm97zEiukk1Xue1wAqol+1GCYgHLRGbok1B2pkRMAm9wLIo4J4FAJKeSDpy+fJOq9 oU94Dn5isvTFwqET+dUFmAPzjA3+zd2ukglshMwg= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from [192.168.2.130] ([79.222.46.174]) by mail.gmx.com (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MpUYu-1ko6af1nX2-00pu9e; Mon, 21 Sep 2020 10:21:41 +0200 To: Stanislav Malyshev , PHP Internals References: Message-ID: Date: Mon, 21 Sep 2020 10:21:41 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.2.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: de-DE Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:GyXe34yEDBDe7FD2HIpyBUscy06p5aBzFlJseWLyhIrM2tZZAiw 1qnrCWtA14F6HTPonncThnmea/s15SE+II+jPYMGvU3h67VWHtg14w6w4NxTyn88PYr4q+v r2Osim9Bajh/rqltn1BJ5B1lbl6gk9GALIFg7V4Dfs00EoT3UagJsSC5PnS9TwzaKiXXPrU rbSeBYO65u3sF2hacI6MQ== X-UI-Out-Filterresults: notjunk:1;V03:K0:rs87MFDMCyA=:d6gl9E4OXa/VDUgGYyyeQT QopSMNs1Snbp2tIKMebROpjPwChWe8KlnuNOfJaexUP7UzsvhiBSWBSd5KOzdJPa3FonDHwao 3GgCnhd/nEo8uXIjGgDj4Ucujr62EMP0NW5EX3UZKYZgWkS2Vm7+eur+PuraUMhVYIcK/mUnz Ig8qJ69/Kk2zFyrnr+aU2hybjWRhSQd7GjCil/LdN255vNfntR9nk7kRcq7wFbFAtWwuyt6BG DbacDFeNl65a8pkAOJskp1mWPoJJuqfVDrp3cZIrECiNzOohV/79/egpTnXDbnJJm9XxeyKrG 5oZBqdhAZO0GhlL1FCtfjanxxK/VNRE7o5oYx3EH9j6tTqgbonlPB4CksMbbTMS5rxwxcQbzW y/QOU+Fa9aSwTUYJlfO3GA+/yupn03gI40NZh+ZK0VrhknxF7MBb8TzSmIc2Qw6XxWF2I4UWw 0na/wqw3DnQFoDvM/UKaTVo+Hve1YPonL3V6kPtCJ+gDxGlTuCC4A4ZsNXynti2f4lhwW4qNW K5zEqJ39XTjL15jA/nZ++wXKnQLg9c++dwDpb+JZgdChtF4wBbBRS/L9qEZTMimjWEhMwKa+u GCOhAz9F0rZLQb+ommbd7eX9xwYrJ3h0Nn85gV9gUS9Ifok42smulsaf/srxQiuc+rk3gufsq cV0fDkTR4CRrZv+5Ly/3jv75nibBUmzMsTovnwcFmo2hRInjcQf6q9C/VEFbVQ60lw1y9WAYo phLuikI1Oy/SrCoIa1CY6GqGPNm/jgRL0fIrsER/V5K0rvak786b4f4ers+WkpTcCA/tVvaCw o8M4bAACqzNU11D0HOeOdc0CBVtB2XyDNAwFzeV/Z6FWyX4J57iBAa8E8ZLK/Gc/gvJZA28cw UFFtE/AdNlHyE9R28eXQHpZ7fWDZ5gUyWGx14chUBBvMuE+il2a2TqInXnAcFNjG2M7troJXu H0HGhW2n1MjfQzwagdwfkkZp4tZ7biVDzs6IypAWS9IuDJMjj6qmawfeJkgaBIO3R4MbrQaHE aPIT/UMW2FmJFLDRwlhKEvRyqKEoH4oc5bkaeg3uruXYdZLupzFMOpGol2b50yyic5HpYDo9X 7e3srpkqz/SoVOBMgieKa5h9FXFrEkJiH8hu62hEN7a6RPj1wKfM0Z/skAj9uCJbWgVSRssxN 9vmAFYyRS1C9XEOsYNkBljiN+qe9wSFLhYZIrn/k5u3av3V0MN5Gjis6tzGNeYki2V8Wgz/it eInewekaK5DX5tVYRhtXWFrGVZGLLFVe74mm2eA== Subject: Re: Decoding cookie names From: cmbecker69@gmx.de ("Christoph M. Becker") On 21.09.2020 at 03:22, Stanislav Malyshev wrote: > Hi! > > In one of the bug reports there was a question raised - should PHP be > decoding cookie names? Right now it does. The standard is pretty much > silent on this, and looks like such behavior leads to security problems: > https://hackerone.com/reports/895727 > > However I am not sure whether it's ok to change it, since it fails a > couple of tests (easy to fix) and may also break some stuff I have no > idea about. In general, using url-encoded cookie names is very weird, > but I can't guarantee nobody does it. So, I wonder what exactly should > we do in this case? > > RoR folks just changed the code to not decode cookies. > Also, php_setcookie() does not seem to encode cookie names (note: we're > talking names not values here!) when we send them out, so maybe it > doesn't make sense to decode them when we receive them? > > What do you think? Indeed, since we don't encode when sending, we should not decode when receiving. Consider setcookie('foo%2fbar', 'value'); That looks perfectly valid to me, but we never get $_COOKIE['foo%2fbar'] back, but instead $_COOKIE['foo/bar']. Fixing this bug may cause some BC breaks, but since it is apparently security related, we should fix it nonetheless. =2D- Christoph M. Becker