Hi!
In one of the bug reports there was a question raised - should PHP be
decoding cookie names? Right now it does. The standard is pretty much
silent on this, and looks like such behavior leads to security problems:
https://hackerone.com/reports/895727
However I am not sure whether it's ok to change it, since it fails a
couple of tests (easy to fix) and may also break some stuff I have no
idea about. In general, using url-encoded cookie names is very weird,
but I can't guarantee nobody does it. So, I wonder what exactly should
we do in this case?
RoR folks just changed the code to not decode cookies.
Also, php_setcookie() does not seem to encode cookie names (note: we're
talking names not values here!) when we send them out, so maybe it
doesn't make sense to decode them when we receive them?
What do you think?
--
Stas Malyshev
smalys...@gmail.com
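
An added example (not part of the original message and not PHP's own parser) of the asymmetry raised above: it splits a Cookie header without decoding anything, then groups the names as sent by what they become after `urldecode()` and reports every group where decoding changed a name or merged two distinct names. The function names and the sample header are constructed for illustration.

```php
<?php
// Added example: a simplified model of Cookie header handling, not PHP internals.

/** Split a raw Cookie header into [name, value] pairs without decoding anything. */
function split_cookie_header(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        // A cookie without "=" is treated as a name with an empty value.
        $kv = explode('=', $part, 2);
        $pairs[] = [$kv[0], $kv[1] ?? ''];
    }
    return $pairs;
}

/**
 * Group the names as sent on the wire by their urldecode() form.
 * Returns only the groups where decoding changed a name or merged
 * two different wire names into one key.
 */
function find_decoded_name_collisions(string $header): array
{
    $groups = [];
    foreach (split_cookie_header($header) as [$rawName]) {
        $groups[urldecode($rawName)][] = $rawName;
    }
    return array_filter(
        $groups,
        function (array $rawNames, $decoded): bool {
            // Exact duplicates of an unencoded name are not a decoding issue.
            return array_values(array_unique($rawNames)) !== [(string) $decoded];
        },
        ARRAY_FILTER_USE_BOTH
    );
}

// Constructed sample: "%69" decodes to "i", so two different wire names
// end up as the same key once names are decoded.
$sample = 'session=real; sess%69on=other; theme=dark';
print_r(find_decoded_name_collisions($sample));
```

Run over logged Cookie headers, a check like this shows whether any client actually sends url-encoded cookie names before the decoding behavior is changed.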