PHP :: Bug #76232 :: SoapClient Cookie Header Semicolon

Bug #76232

SoapClient Cookie Header Semicolon

Submitted:

2018-04-18 08:31 UTC

Modified:

2018-04-19 18:55 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

philipp dot kern at datenkraft dot com

Assigned:

Status:

Closed

Package:

SOAP related

PHP Version:

7.0.29

OS:

Ubuntu 16.04.4

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	philipp dot kern at datenkraft dot com
New email:
PHP Version:		OS:

New Comment:

[2018-04-18 08:31 UTC] philipp dot kern at datenkraft dot com

Description:
------------
Hello,

we have found the following problem:

If you use the PHP SoapClient and the endpoint returns some cookies, the cookies get added to the subsequent requests, but there is an additional semicolon appended.

Example:
Cookie: testcookie1=true;testcookie2=true;

According to the RFC I've read this is not neccessary.


The problem is now that we are trying to consume a web service that unfortunately returns a "400 Bad Request" error because of this semicolon.

Test script with an other webservice is appended to see the cookie header in the request.

I have tried this with the lastest PHP versions of 7.0, 7.1 and 7.2 - same result.

Thank you!

Test script:
---------------
$client = new SoapClient("http://ec.europa.eu/taxation_customs/vies/services/checkVatService?wsdl", array('trace' => true));
$client->__setCookie('testcookie1', 'true');
$client->__setCookie('testcookie2', 'true');

try {
	$response = $client->checkVat(array("countryCode" => 'TEST', "vatNumber" => 'TEST'));
} catch (Exception $e) {
	echo "Exception caught:\n" . $e . "\n";
}

$requestLoggingData = "Request:\n" . $client->__getLastRequestHeaders() . "\n\n" . $client->__getLastRequest() . "\n\n";
$requestLoggingData .= "Response:\n" . $client->__getLastResponseHeaders() . "\n\n" . $client->__getLastResponse() . "\n\n";
$requestLoggingData .= "Cookies:\n" . print_r($client->__getCookies(), true);
echo $requestLoggingData;

Expected result:
----------------
No semicolon is prepended in the cookie header.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-04-19 18:36 UTC] cmb@php.net

-Status: Open +Status: Analyzed

[2018-04-19 18:36 UTC] cmb@php.net

> The problem is now that we are trying to consume a web service
> that unfortunately returns a "400 Bad Request" error because of
> this semicolon.

And it does rightly so, since according to RFC 6265[1] the
semicolon acts as delimiter, not as terminator.

The culprit is that the semicolon is added unconditionally
directly after each cookie-pair[2].  Doing this only if (i < n-1)
should solve the issue.

[1] <https://tools.ietf.org/html/rfc6265>
[2] <https://github.com/php/php-src/blob/PHP-7.2.5/ext/soap/php_http.c#L846>

[2018-04-19 18:55 UTC] cmb@php.net

> Doing this only if (i < n-1) should solve the issue.

Actually, this won't necessarily work, but you get it. :)

[2024-06-01 15:37 UTC] git@php.net

Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/1b1677a8f124e4d4c810a3c5092aebdf5dfaedb7
Log: Fix bug #76232: SoapClient Cookie Header Semicolon

[2024-06-01 15:37 UTC] git@php.net

-Status: Analyzed +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 29 17:01:31 2024 UTC