php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79174 setcookie() encodes space as `+`, but $_COOKIE no longer decodes them
Submitted: 2020-01-27 15:14 UTC Modified: 2020-01-28 14:39 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bjorsch at wikimedia dot org Assigned: cmb (profile)
Status: Closed Package: URL related
PHP Version: 7.4.2 OS: Irrelevant
Private report: No CVE-ID: None
 [2020-01-27 15:14 UTC] bjorsch at wikimedia dot org
Description:
------------
http://git.php.net/?p=php-src.git;a=commit;h=79376ab209f61be03bbf8c1b6177c18261767da8 fixed #78929 by changing the cookie decoding logic to use php_raw_url_decode() rather than php_url_decode(). Unfortunately, it didn't change php_setcookie() to match.

This results in cookie values with spaces failing to round-trip.

Test script:
---------------
You already have a test illustrating this behavior at  https://git.php.net/?p=php-src.git;a=blob;f=ext/standard/tests/network/setcookie.phpt;h=d41bed01f4e9e3866817ef9e3c6aff10dd575ed5;hb=79376ab209f61be03bbf8c1b6177c18261767da8

See lines 10 and 27.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-27 16:04 UTC] nikic@php.net
-Assigned To: +Assigned To: cmb
 [2020-01-28 14:38 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=addc3c92f2956b4efea9d78f34262403adc393ad
Log: Fix #79174: cookie values with spaces fail to round-trip
 [2020-01-28 14:38 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2020-01-28 14:39 UTC] cmb@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 01:01:27 2024 UTC