php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76232 SoapClient Cookie Header Semicolon
Submitted: 2018-04-18 08:31 UTC Modified: 2018-04-19 18:55 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: philipp dot kern at datenkraft dot com Assigned:
Status: Analyzed Package: SOAP related
PHP Version: 7.0.29 OS: Ubuntu 16.04.4
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: philipp dot kern at datenkraft dot com
New email:
PHP Version: OS:

 

 [2018-04-18 08:31 UTC] philipp dot kern at datenkraft dot com
Description:
------------
Hello,

we have found the following problem:

If you use the PHP SoapClient and the endpoint returns some cookies, the cookies get added to the subsequent requests, but there is an additional semicolon appended.

Example:
Cookie: testcookie1=true;testcookie2=true;

According to the RFC I've read this is not neccessary.


The problem is now that we are trying to consume a web service that unfortunately returns a "400 Bad Request" error because of this semicolon.

Test script with an other webservice is appended to see the cookie header in the request.

I have tried this with the lastest PHP versions of 7.0, 7.1 and 7.2 - same result.

Thank you!

Test script:
---------------
$client = new SoapClient("http://ec.europa.eu/taxation_customs/vies/services/checkVatService?wsdl", array('trace' => true));
$client->__setCookie('testcookie1', 'true');
$client->__setCookie('testcookie2', 'true');

try {
	$response = $client->checkVat(array("countryCode" => 'TEST', "vatNumber" => 'TEST'));
} catch (Exception $e) {
	echo "Exception caught:\n" . $e . "\n";
}

$requestLoggingData = "Request:\n" . $client->__getLastRequestHeaders() . "\n\n" . $client->__getLastRequest() . "\n\n";
$requestLoggingData .= "Response:\n" . $client->__getLastResponseHeaders() . "\n\n" . $client->__getLastResponse() . "\n\n";
$requestLoggingData .= "Cookies:\n" . print_r($client->__getCookies(), true);
echo $requestLoggingData;

Expected result:
----------------
No semicolon is prepended in the cookie header.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-19 18:36 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2018-04-19 18:36 UTC] cmb@php.net
> The problem is now that we are trying to consume a web service
> that unfortunately returns a "400 Bad Request" error because of
> this semicolon.

And it does rightly so, since according to RFC 6265[1] the
semicolon acts as delimiter, not as terminator.

The culprit is that the semicolon is added unconditionally
directly after each cookie-pair[2].  Doing this only if (i < n-1)
should solve the issue.

[1] <https://tools.ietf.org/html/rfc6265>
[2] <https://github.com/php/php-src/blob/PHP-7.2.5/ext/soap/php_http.c#L846>
 [2018-04-19 18:55 UTC] cmb@php.net
> Doing this only if (i < n-1) should solve the issue.

Actually, this won't necessarily work, but you get it. :)
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Dec 12 13:01:26 2018 UTC