|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78929 plus signs in cookie values are converted to spaces
Submitted: 2019-12-08 18:25 UTC Modified: 2020-01-28 14:30 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kachalin dot alexey at gmail dot com Assigned: cmb (profile)
Status: Closed Package: URL related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: kachalin dot alexey at gmail dot com
New email:
PHP Version: OS:


 [2019-12-08 18:25 UTC] kachalin dot alexey at gmail dot com
While cookie parsing PHP violate RFC standards and change valid character + "plus" x2B into invalid character space x20

How to check 
1. Set cookie by php function setrawcookie(***)
2. Make sure it set correctly in browser
3. Make request with cookie and check that $_COOKIE[ COOKIE_NAME ] have cookie which plus sign was changed into space.

Valid characters for value       defined in RFC6265.4.1.1
Valid characters for name(token) defined in RFC6265.4.1.1. -> RFC2616.2.2

This applicable only for a value, because PHP documentation put restriction to use letters and numbers only for a cookie name.
I haven't found any restriction on value and believe value should use character defined by RFC.

Test script:

/* Run twice 
 * At first time to set the cookie.
 * At second time to validate the cookie value and check an error message.
$cookieName  = 'RFC6265';
$cookieValue = '#$%&\'()*+-./0123456789<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~!';

if(empty($_COOKIE[ $cookieName ]))// Set cookie for first time.
  setrawcookie($cookieName, $cookieValue);
else// Compare received cookie value with set value. Should be same. Echo on error.
  for($i = strlen($cookieValue)-1; $i > -1; --$i)
    if(!isset($_COOKIE[ $cookieName ][ $i ]))
        {echo "\n<br>Cookie value symbol is lost:".     $cookieValue[ $i ];}
    elseif($cookieValue[ $i ] != $_COOKIE[ $cookieName ][ $i ] )
        {echo "\n<br>Cookie value symbol is different:".$cookieValue[ $i ];}

Expected result:
Empty output. No error message on success execution.   

Actual result:
If error happened message will showed with wrong or lost characters.


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-08 21:09 UTC] kachalin dot alexey at gmail dot com
The following pull request has been associated:

Patch Name: Fix #78929:  Fix a cookie parsing value. Switch to a php_raw_url_decode()
On GitHub:
 [2019-12-10 11:07 UTC]
-Status: Open +Status: Verified
 [2019-12-10 11:07 UTC]
Ugh, indeed, plus signs in cookie values should be left untouched.

However, the oldest PHP version which still has active support is
PHP 7.3, and I have doubts that we should fix this issue for that
version (not even sure about PHP 7.4) for BC reasons.
 [2019-12-10 14:06 UTC] kachalin dot alexey at gmail dot com
While making a good decision, please consider:

1. It's affected only for cookie set by setrawcookie() with "plus sign" inside value. The setcookie() properly encodes a "plus sign".

2. If cookie is set by external system, it's pretty hard to figure out that interaction is failed because of cookie parsing.
For example: Cookie WXYZ[]^+_'abcde looks same as WXYZ[]^ _`abcde

3. PHP 7.4 released 3 weeks ago. Most probably it will have long live for several years. Some developers can write software that already need a "plus sign" fix.
 [2019-12-12 13:13 UTC]
-Summary: Cookie value parsing. Valid character changed into invalid. RFC6265 RFC2616 +Summary: plus signs in cookie values are converted to spaces -Assigned To: +Assigned To: cmb
 [2019-12-12 13:13 UTC]
You're reasoning makes sense, so I agree that the bugfix should
target PHP 7.4
 [2019-12-12 13:23 UTC]
Automatic comment on behalf of
Log: Fix #78929: plus signs in cookie values are converted to spaces
 [2019-12-12 13:23 UTC]
-Status: Verified +Status: Closed
 [2020-01-28 14:23 UTC] steve at vtsv dot ca
While this change fixes the case when using setrawcookie() with data containing a plus sign, it breaks the case when using setcookie() with data containing a space, as setcookie() will url encode the data, turning the space into a plus. The plus no longer gets converted back to a space, and so any validation will fail.
 [2020-01-28 14:30 UTC]
Steve, see bug #79174.
 [2020-06-03 23:51 UTC] jaroslavas dot karmazinas at outlook dot com
The following pull request has been associated:

Patch Name: protect master branches except for the pecl repos against force pushes
On GitHub:
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 15:01:28 2024 UTC