ZF-4226: The cookie domain has a problem in Zend_Http_Cookie

Issue Type:
Bug
Created:
2008-09-08T10:49:42.000+0000
Last Updated:
2011-08-13T22:12:29.000+0000
Status:
Postponed
Fix version(s):
    Reporter:
    Compubelgrano (compubelgrano)
    Assignee:
    Shahar Evron (shahar)
    Tags:
    • Zend_Http_Cookie
    • zf-crteam-padraic
    • zf-crteam-priority
    Related issues:
    Attachments:

    Description

    See [http://framework.zend.com/issues/browse/ZF-4213]

    There is a error when check the domain of a cookie, I finally found that exists an error in the comparition way.

    Valid domain are:

    .zend.com => must catch zend.com and anything.zend.com .www.zend.com => must catch www.zend.com and anything.www.zend.com, this's not work right now.

    Invalid domain are:

    .com.ar .or com. or .com => the script doesn't check this. zend.com without initial dot.

    This is the code that fails online 235:

    
        // Domain is validated using tail match, while path is validated using head match
        $domain_preg = preg_quote($this->getDomain(), '/');
        if (! preg_match('/'.$domain_preg.'$/i', $uri->getHost())) return false;

    Here's a improve solution:

    
        // Domain is validated using tail match, while path is validated using head match
        $domain_preg = preg_quote($uri->getHost(), '/');
        if (! preg_match('/\.'.$domain_preg.'$/i', $this->getDomain())) return false;

    Regards.

    Comments

    Posted by Shahar Evron (shahar) on 2009-07-25T14:10:48.000+0000

    This is somewhat improved after fixing ZF-5221 in rev. 17079 - but we still can't filter out .com or .co.ar domains - that would require quite a lot of work. I am also not sure it's the work of the cookie jar to filter those - maybe if Zend_Http_Client.