ZF-11726 - Issues - Zend Framework

ZF-11726: Zend_Http_CookieJar::getAllCookies(Zend_Http_CookieJar::COOKIE_STRING_CONCAT) creates an invalid (RFC 6265) Cookie string

Issue Type:

Patch

Created:

2011-09-08T17:37:32.000+0000

Last Updated:

2012-06-01T01:11:27.000+0000

Status:

Resolved

Fix version(s):

1.12.0 (27/Aug/12)

Reporter:

Dominic Luechinger (dol)

Assignee:

Adam Lundrigan (adamlundrigan)

Tags:

Zend_Http_CookieJar
FixForZF1.12
state:need-feedback
zf-caretaker-adamlundrigan
zf-crteam-review

Related issues:

Attachments:

ZF-11726.patch

Description

If the Zend_Http_CookieJar method 'getAllCookies()' with the 1 parameter set to Zend_Http_CookieJar::COOKIE_STRING_CONCAT, the returned string is invalid and not matches the RCF 6265 (http://tools.ietf.org/html/rfc6265).

Description:

The returned string not contains a space between each cookie key-value element and the ending semicolon. The RCF 6265 describes the Cookie string as following (EBNF): ;SP (space) ;WSP (whitespace) ;CR (carriage return) ;CRLF (CR LF) ;LF (line feed) OWS = *( [ obs-fold ] WSP ); "optional" whitespace obs-fold = CRLF cookie-header = "Cookie:" OWS cookie-string OWS cookie-string = cookie-pair *( ";" SP cookie-pair ) cookie-pair = cookie-name "=" cookie-value ...

Expected result:

CookieJar with two cookies: 1. foo=bar; Path=/; Domain=example.com 2. acme=login; Path=/; Domain=example.com

(string) 'foobar=bar; acme=login'

Actual result:

(string) 'foobar=bar;acme=login;'

There are two problems here. First, the space between the two cookies is missing. Second, the last character cannot be a semicolon.

Patch:

I created an patch to this issue: https://gist.github.com/1205916

Comments

Posted by Dominic Luechinger (dol) on 2011-10-18T21:02:26.000+0000

Patch to solve the cookie problem

Posted by Adam Lundrigan (adamlundrigan) on 2011-11-03T16:21:08.000+0000

Yes, {{Zend_Http_CookieJar}} (and {{Zend_Http_Cookie}} as well) don't adhere exactly to the spec, but does it cause any real-world problems? I suspect that changing this behavior could qualify as a backwards-compatibility break (unlikely, IMHO).

Posted by Adam Lundrigan (adamlundrigan) on 2011-11-03T16:33:54.000+0000

Reproducing unit test:


Index: tests/Zend/Http/CookieJarTest.php
===================================================================
--- tests/Zend/Http/CookieJarTest.php   (revision 24549)
+++ tests/Zend/Http/CookieJarTest.php   (working copy)
@@ -470,4 +470,33 @@
         $jar->reset();
         $this->assertTrue($jar->isEmpty());
     }
+
+    /**
+     * @group ZF-11726
+     */
+    public function testEnsureCookieJarWithSingleCookieAdheresToSyntaxSpecifiedInRfc6265()
+    {
+        $jar = new Zend_Http_CookieJar();
+        $jar->addCookie(Zend_Http_Cookie::fromString('foo1=bar1; domain=.example.com; path=/a/b'));
+
+        $cookies = $jar->getAllCookies(Zend_Http_CookieJar::COOKIE_STRING_CONCAT);
+        // Assert that last key-value pair does not end with separator (;)
+        $this->assertNotRegExp('/;$/',ltrim($cookies));
+    }
+
+    /**
+     * @group ZF-11726
+     */
+    public function testEnsureCookieJarWithMultipleCookiesAdheresToSyntaxSpecifiedInRfc6265()
+    {
+        $jar = new Zend_Http_CookieJar();
+        $jar->addCookie(Zend_Http_Cookie::fromString('foo1=bar1; domain=.example.com; path=/a/b'));
+        $jar->addCookie(Zend_Http_Cookie::fromString('foo2=bar2; domain=.example.com; path=/c/d'));
+
+        $cookies = $jar->getAllCookies(Zend_Http_CookieJar::COOKIE_STRING_CONCAT);
+        // Assert that parts have a space right after the separator (;)
+        $this->assertRegExp('/^[^=]+=[^;]+; [^=]+=[^;]+$/',ltrim($cookies));
+        // Assert that last key-value pair does not end with separator (;)
+        $this->assertNotRegExp('/;$/',ltrim($cookies));
+    }
 }

Posted by Dominic Luechinger (dol) on 2011-11-07T23:31:30.000+0000

Dear Adam

I had problem with a cPanel Server, with only allows RFC conform cookies. This harmed my application to fail and took me hours to figure out what caused the problem. I wasn't thinking a missing space makes the difference. Because I was such annoyed, I wrote this patch to avoid frustration in the future.

Posted by Adam Lundrigan (adamlundrigan) on 2011-11-08T01:16:34.000+0000

Dominic: Thank you for your feedback. I'm not entirely certain it's possible to directly alter the current behavior of {{Zend_Http_CookieJar}}, as there may be implementations which rely on the current (albeit non-standard) behavior. One thing we can investigate, though, is adding a "strict" mode so that the default behavior remains intact but one can switch on strict RFC6265 compatibility if necessary.

Posted by Adam Lundrigan (adamlundrigan) on 2012-06-01T01:11:26.000+0000

Fixed in trunk r24856