Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-24 Thread Stefan Esser
Hello Jani, I happily repeat myself until you actually read my comments. There is a cookie 0 format defined by Netscape - no quoted strings and only ; as separator and a cookie 1 format defined by RFC 2109/2965 - with quoted_strings - and with , and ; as separator. PHP understood up to today only Ne

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-24 Thread Jani Taskinen
On Sun, 24 Apr 2005, Stefan Esser wrote: Forgive me my ignorance, but I do not see any handling of " chars. And there wasn't such before I added the , as acceptable separator. ^^ I hate when I have to repeat myself, so read the above line again.. Yes because PHP spoke cookie version 0 before

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-24 Thread Stefan Esser
Hi Jani, 'value' can NOT contain any of these chars: ,; \t\r\n\013\014 Wrong. value is to the RFC either a token or a quoted_string and a quoted_string can contain , and ; If you want such chars in them, you have to encode them. Yes in your implementation that is not RFC conform Forgive

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-24 Thread Jani Taskinen
On Sun, 24 Apr 2005, Stefan Esser wrote: As now it handles these strings it gets the same: name="whatever,this,might,be";name2="value2" name="whatever,this,might,be",name2="value2" These were actually invalid examples. 'name' can NOT contain any of these chars: =,; \t\r\n\0

Re: [PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-23 Thread Stefan Esser
As now it handles these strings it gets the same: name="whatever,this,might,be";name2="value2" name="whatever,this,might,be",name2="value2" How can this affect modsecurity at all? Forgive me my ignorance, but I do not see any handling of " chars. your strings should now resu

[PHP-DEV] Re: [PHP-CVS] cvs: php-src /main php_variables.c

2005-04-23 Thread Jani Taskinen
This patch was supposed to make it RFC compliant. Can you please point me to the part in the RFC 2965 which now isn't implemented correctly? As now it handles these strings it gets the same: name="whatever,this,might,be";name2="value2" name="whatever,this,might,be",name2="v