Hi!
In one of the bug reports there was a question raised - should PHP be
decoding cookie names? Right now it does. The standard is pretty much
silent on this, and looks like such behavior leads to security problems:
https://hackerone.com/reports/895727
However I am not sure whether it's ok to change it, since it fails a
couple of tests (easy to fix) and may also break some stuff I have no
idea about. In general, using url-encoded cookie names is very weird,
but I can't guarantee nobody does it. So, I wonder what exactly should
we do in this case?
RoR folks just changed the code to not decode cookies.
Also, php_setcookie() does not seem to encode cookie names (note: we're
talking names not values here!) when we send them out, so maybe it
doesn't make sense to decode them when we receive them?
What do you think?
Stas Malyshev
smalyshev@gmail.com
Indeed, since we don't encode when sending, we should not decode when
receiving. Consider
setcookie('foo%2fbar', 'value');
That looks perfectly valid to me, but we never get $_COOKIE['foo%2fbar']
back, but instead $_COOKIE['foo/bar'].
Fixing this bug may cause some BC breaks, but since it is apparently
security related, we should fix it nonetheless.
--
Christoph M. Becker
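To make the collision concrete, here is an added example (not code from php-src or from either poster) that models the two parsing policies over a constructed Cookie header: one that percent-decodes cookie names, as PHP does today, and one that keeps names as sent. The parse_cookie_header() function and its first-occurrence-wins rule are this model's own choices, not PHP's actual parser.

```php
<?php
// Added example: models the decode-vs-keep policies for cookie NAMES.
// Values are urldecoded in both cases; only the name handling differs.
declare(strict_types=1);

/**
 * Parse a raw Cookie header into name => value pairs.
 * $decodeNames = true  models the current behaviour (name is urldecoded).
 * $decodeNames = false models the proposed behaviour (name kept as sent).
 */
function parse_cookie_header(string $header, bool $decodeNames): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = $decodeNames ? urldecode($name) : $name;
        // Model choice: keep the first occurrence of a name. Which
        // occurrence wins is exactly what makes a collision matter.
        if (!array_key_exists($name, $cookies)) {
            $cookies[$name] = urldecode($value);
        }
    }
    return $cookies;
}

// Constructed header: two names that differ on the wire but become
// identical once the name is percent-decoded.
$header = 'foo%2fbar=sent-encoded; foo/bar=sent-plain';

$decoded = parse_cookie_header($header, true);
$raw     = parse_cookie_header($header, false);

// Decoding names: only 'foo/bar' exists, holding whichever value came first.
var_dump($decoded);
// Keeping names: 'foo%2fbar' and 'foo/bar' remain two distinct cookies,
// matching what setcookie('foo%2fbar', ...) actually put on the wire.
var_dump($raw);
```

Running it with the CLI (`php example.php`) prints one entry for the decoding policy and two for the raw policy, which is the ambiguity the thread is concerned about.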