Request #10519 $HTTP_COOKIE_VARS spoofing
Submitted: 2001-04-26 21:35 UTC Modified: 2010-11-24 09:33 UTC
From: stuff at cheesygames dot net Assigned: jani (profile)
Status: Closed Package: *General Issues
PHP Version: 4.0.4pl1 OS: Win98
Private report: No CVE-ID: None
 [2001-04-26 21:35 UTC] stuff at cheesygames dot net
<?php
   // set two array-form cookies; they arrive in $HTTP_COOKIE_VARS on the next request
   setcookie('cookie[one]', 'one');
   setcookie('cookie[two]', 'two');

   // dump whatever PHP placed in the cookie array for this request
   print_r($HTTP_COOKIE_VARS);
?>

If you access this page with the command line argument 

?cookie[three]=three 

print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongruous material, but for some sites could cause problems if cookies are spoofed thusly.

Regards

 [2001-04-29 13:23 UTC] bbonev@php.net
think about cookies the same way as GET data or POST data - they are at the same level and can be spoofed very easily with a cURL client for example. one can tell his client what cookie with what value to pass for a given request

the issue here is not security but programmers' comfort. but when one uses the short representations of variables she must be aware of the GPC order setting.

i think this is the same as overriding a post variable with a get one.

do you think this bug shall be closed?
 [2001-04-29 16:34 UTC] bbonev@php.net
indeed i have missed one of the points - the fact that when passing data in the array form, all the values combine in a single array. further testing showed that the cookies also appear in HTTP_GET_VARS. i am sure that if there is a post to a URL with a get var and some cookies (all varnames in array form) HTTP_*_ARRAY will contain all the values.

this issue is a serious concern about the --enable-track-vars code. it must be resolved by overwriting the whole arrays, not adding data to them in order to be consistent

e.g.

get var: myarr[one]=1
post var: myarr[two]=2
cookie var: myarr[three]=3

gpc order is GPC

the global array $myarr has only the 'one' key

the HTTP_*_VARS have only the proper arrays

 [2001-08-31 12:10 UTC] sander@php.net
Not a bug (as stated by bbonev). Making it a feature/change request.
 [2010-11-24 09:33 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-11-24 09:33 UTC] jani@php.net
This is handled by variables_order. Since some PHP 5.x it has not been possible to spoof $_COOKIE, AFAIK.
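As an added example (not code from the report or from PHP's own sources), the script below reconstructs bbonev's three-source case with constructed values and shows where array-form variables stay separate per source and where they still merge; build_request() is an assumed approximation of how $_REQUEST is assembled from the configured order, and cookie_only() is the defender's habit of reading a value only from the source it is supposed to come from.

```php
<?php
// Constructed request data mirroring bbonev's example: one array-form
// variable supplied by each of GET, POST and cookie.
$_GET    = ['myarr' => ['one'   => '1']];
$_POST   = ['myarr' => ['two'   => '2']];
$_COOKIE = ['myarr' => ['three' => '3']];

// Assumed approximation of how PHP fills $_REQUEST from request_order /
// variables_order: sources are merged left to right, so for "GPC" a cookie
// value overwrites a GET value of the same name, and array-form names from
// all sources end up under one key, which is the merging the report describes.
function build_request(string $order): array {
    $sources = ['G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace_recursive($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Defensive read: a query-string or form parameter can never stand in for a
// cookie if the code only ever consults $_COOKIE for cookie-borne values.
// Returns null when the cookie is absent or is not a plain string.
function cookie_only(string $name, string $key): ?string {
    $v = $_COOKIE[$name][$key] ?? null;
    return is_string($v) ? $v : null;
}

// Per-source arrays keep only their own keys, as the follow-up comment notes.
echo "GET:     ", json_encode($_GET['myarr']),    "\n"; // {"one":"1"}
echo "POST:    ", json_encode($_POST['myarr']),   "\n"; // {"two":"2"}
echo "COOKIE:  ", json_encode($_COOKIE['myarr']), "\n"; // {"three":"3"}

// The merged view holds all three keys regardless of order; order only
// decides who wins when the same key is present in several sources.
echo "GPC:     ", json_encode(build_request('GPC')), "\n";
echo "CGP:     ", json_encode(build_request('CGP')), "\n";

// Reading strictly from the cookie source: 'three' is found, 'one' is not.
var_dump(cookie_only('myarr', 'three')); // string(1) "3"
var_dump(cookie_only('myarr', 'one'));   // NULL
```

Run it from the command line with php; in a real request PHP populates the superglobals itself, and the same separation holds for $_GET, $_POST and $_COOKIE while $_REQUEST remains the merged view.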
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Mar 12 11:01:32 2025 UTC