On 21.09.2020 at 03:22, Stanislav Malyshev wrote:

> Hi!
>
> In one of the bug reports there was a question raised - should PHP be
> decoding cookie names? Right now it does. The standard is pretty much
> silent on this, and looks like such behavior leads to security problems:
> https://hackerone.com/reports/895727
>
> However I am not sure whether it's ok to change it, since it fails a
> couple of tests (easy to fix) and may also break some stuff I have no
> idea about. In general, using url-encoded cookie names is very weird,
> but I can't guarantee nobody does it. So, I wonder what exactly should
> we do in this case?
>
> RoR folks just changed the code to not decode cookies.
> Also, php_setcookie() does not seem to encode cookie names (note: we're
> talking names not values here!) when we send them out, so maybe it
> doesn't make sense to decode them when we receive them?
>
> What do you think?

Indeed, since we don't encode when sending, we should not decode when
receiving.  Consider

    setcookie('foo%2fbar', 'value');

That looks perfectly valid to me, but we never get $_COOKIE['foo%2fbar']
back, but instead $_COOKIE['foo/bar'].

Fixing this bug may cause some BC breaks, but since it is apparently
security related, we should fix it nonetheless.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
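
The mismatch described in the reply above, as an added example that is not part of the original thread and is not php-src code: a simplified model of Cookie-header parsing, run once with name decoding and once without. The function name parse_cookie_header, the sample header and the first-occurrence-wins rule are assumptions made for the illustration.

```php
<?php
// Simplified model of Cookie-header parsing (hypothetical helper, not
// the parser in php-src). $decodeNames = true models the behaviour
// discussed in the thread (names are URL-decoded on receipt); false
// keeps each name exactly as it appeared on the wire.
function parse_cookie_header(string $header, bool $decodeNames): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or malformed pairs
        }
        [$name, $value] = explode('=', $pair, 2);
        $name = trim($name);
        if ($decodeNames) {
            $name = urldecode($name);
        }
        // Assumption for this model: the first occurrence of a name wins.
        if (!array_key_exists($name, $cookies)) {
            $cookies[$name] = urldecode($value);
        }
    }
    return $cookies;
}

// Constructed request header: two cookies whose names differ on the wire.
$header = 'foo%2fbar=first; foo/bar=second';

$decoded = parse_cookie_header($header, true);
$raw     = parse_cookie_header($header, false);

// With name decoding, both wire names collapse into the single key
// "foo/bar", and the name passed to setcookie() ("foo%2fbar") is absent.
var_dump(array_keys($decoded));
var_dump(isset($decoded['foo%2fbar']));

// Without name decoding, the two cookies stay distinct and the name
// round-trips unchanged.
var_dump(array_keys($raw));
var_dump($raw['foo%2fbar']);
```

Code that trusts a cookie because of its name should check which of the two behaviours its runtime has, since with decoding several distinct wire names can reach the application under one key.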
