On 21.09.2020 at 03:22, Stanislav Malyshev wrote:

> Hi!
>
> In one of the bug reports there was a question raised - should PHP be
> decoding cookie names? Right now it does. The standard is pretty much
> silent on this, and looks like such behavior leads to security problems:
> https://hackerone.com/reports/895727
>
> However I am not sure whether it's ok to change it, since it fails a
> couple of tests (easy to fix) and may also break some stuff I have no
> idea about. In general, using url-encoded cookie names is very weird,
> but I can't guarantee nobody does it. So, I wonder what exactly should
> we do in this case?
>
> RoR folks just changed the code to not decode cookies.
> Also, php_setcookie() does not seem to encode cookie names (note: we're
> talking names not values here!) when we send them out, so maybe it
> doesn't make sense to decode them when we receive them?
>
> What do you think?
Indeed, since we don't encode when sending, we should not decode when
receiving. Consider

  setcookie('foo%2fbar', 'value');

That looks perfectly valid to me, but we never get $_COOKIE['foo%2fbar']
back, but instead $_COOKIE['foo/bar'].

Fixing this bug may cause some BC breaks, but since it is apparently
security related, we should fix it nonetheless.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
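
The round trip described in the message above, as an added example that is not part of the original thread and not PHP's own parser: the hypothetical helper `parse_cookie_header()` reads a constructed `Cookie` header once with name decoding and once without. With decoding, two distinct on-the-wire names collapse into one key and the name passed to `setcookie()` is no longer found. The first-occurrence-wins rule and the value decoding are assumptions of this sketch.

```php
<?php
// Added illustration. parse_cookie_header() is a hypothetical helper,
// not the function PHP uses internally to fill $_COOKIE.

/**
 * Parse a raw Cookie request header into name => value pairs.
 *
 * $decodeNames = true  models the behaviour discussed in the thread
 *                      (cookie names are URL-decoded on receipt).
 * $decodeNames = false keeps names exactly as they were sent.
 *
 * Assumptions of this sketch: values are URL-decoded in both modes and
 * the first occurrence of a name wins.
 */
function parse_cookie_header(string $header, bool $decodeNames): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or malformed segments
        }
        [$name, $value] = explode('=', $pair, 2);
        if ($decodeNames) {
            $name = urldecode($name);
        }
        if (!array_key_exists($name, $cookies)) {
            $cookies[$name] = urldecode($value);
        }
    }
    return $cookies;
}

// Constructed sample header: two different names as sent by the client.
$header = 'foo%2fbar=value; foo/bar=other';

$decoded  = parse_cookie_header($header, true);
$verbatim = parse_cookie_header($header, false);

// Compare the set of names each mode exposes to the application.
printf("names, decoding on:  %s\n", implode(', ', array_keys($decoded)));
printf("names, decoding off: %s\n", implode(', ', array_keys($verbatim)));

// Round-trip check for the name used with setcookie() in the message.
$sent = 'foo%2fbar';
printf("'%s' found, decoding on:  %s\n", $sent, var_export(array_key_exists($sent, $decoded), true));
printf("'%s' found, decoding off: %s\n", $sent, var_export(array_key_exists($sent, $verbatim), true));
```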