ZF-9864: Zend_Http_Cookie does not allow quoted values as stated in RFC 2965 section 3.1

Issue Type: Bug Created: 2010-05-19T14:06:16.000+0000 Last Updated: 2012-11-20T21:37:53.000+0000 Status: Open Fix version(s): Reporter: James Zimmerman (sandwyrm) Assignee: None Tags: - Zend_Http_Cookie

Related issues: Attachments:


While dealing with the Asterisk AMI interface, we received cookie key, value pairs which featured quoted values. When using the built-in cookie jar functionality, the cookie was then being reused on later calls in a urlencoded form which replaced the double quotes (") with the encoded counterpart (%22), which did not work. After much research we discovered that the Zend_Http_Cookie class does not account for double quotes in values as is specified by the RFC 2965 in section 3.1 ( which stipulates values can be a "token | quoted-string". We have modified the Zend_Http_Cookie class to simply strip quotes before storing the value. Since I do appear to be able to submit files with this ticket, the patch is as follows:

Index: library/Zend/Http/Cookie.php

--- library/Zend/Http/Cookie.php (revision 22198) +++ library/Zend/Http/Cookie.php (working copy) @@ -302,6 +302,7 @@ // Get the name and value of the cookie list($name, $value) = explode('=', trim(array_shift($parts)), 2); $name = trim($name); + $value = str_replace( '"', '', $value ); if ($encodeValue) { $value = urldecode(trim($value)); }


Posted by David Hollingshead (dhinged) on 2010-07-09T07:44:45.000+0000

A better way to strip the beginning and ending quotes is to use ltrim and rtrim. This prevents inner double-quotes from being replaced.

$value = ltrim(rtrim($value, '"'), '"');

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.