Issues

ZF-9864: Zend_Http_Cookie does not allow quoted values as stated in RFC 2965 section 3.1

Description

While dealing with the Asterisk AMI interface, we received cookie key, value pairs which featured quoted values. When using the built-in cookie jar functionality, the cookie was then being reused on later calls in a urlencoded form which replaced the double quotes (") with the encoded counterpart (%22), which did not work. After much research we discovered that the Zend_Http_Cookie class does not account for double quotes in values as is specified by the RFC 2965 in section 3.1 (http://tools.ietf.org/html/rfc2965#section-3.1) which stipulates values can be a "token | quoted-string". We have modified the Zend_Http_Cookie class to simply strip quotes before storing the value. Since I do appear to be able to submit files with this ticket, the patch is as follows:

Index: library/Zend/Http/Cookie.php

--- library/Zend/Http/Cookie.php (revision 22198) +++ library/Zend/Http/Cookie.php (working copy) @@ -302,6 +302,7 @@ // Get the name and value of the cookie list($name, $value) = explode('=', trim(array_shift($parts)), 2); $name = trim($name); + $value = str_replace( '"', '', $value ); if ($encodeValue) { $value = urldecode(trim($value)); }

Comments

A better way to strip the beginning and ending quotes is to use ltrim and rtrim. This prevents inner double-quotes from being replaced.

$value = ltrim(rtrim($value, '"'), '"');