Closed
Description
Issue was identified when adding a Set-Cookie header with a query string value to a Response object, and was traced back to HeaderUtils::split() called from Cookie::fromString().
This function fails to parse cookie values containing '=' symbols, which are perfectly fine according to RFC 6265.
A string like "foo_cookie=foo=1&bar=2&baz=3" ends up being just "foo" in the Cookie object.
https://tools.ietf.org/html/rfc6265#section-4.1.1
```
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                      ; US-ASCII characters excluding CTLs,
                      ;   whitespace DQUOTE, comma, semicolon,
                      ;   and backslash
```
How to reproduce
```php
<?php
require 'vendor/autoload.php'; // Composer autoloader for symfony/http-foundation

use Symfony\Component\HttpFoundation\Cookie;

// Raw Set-Cookie header whose value itself contains '=' and '&' characters
$header = "Set-Cookie: bjt_track=firstVisit=2019-09-23 06:18:41&sessionsCount=14&previousVisit=2019-09-23 06:26:37&lastVisit=2019-09-23 06:27:09; expires=Tue, 22-Sep-2020 06:27:09 GMT; path=/";

// Strip the "Set-Cookie: " prefix; fromString() expects only the header value
$parts = explode(": ", $header, 2);
var_dump(Cookie::fromString($parts[1]));

/* OUTPUT:
object(Symfony\Component\HttpFoundation\Cookie)#3 (10) {
  ["name":protected]=>
  string(9) "bjt_track"
  ["value":protected]=>
  string(10) "firstVisit" <--- Note the broken value here
  ["domain":protected]=>
  NULL
  ["expire":protected]=>
  int(1600756029)
  ["path":protected]=>
  string(1) "/"
  ["secure":protected]=>
  bool(false)
  ["httpOnly":protected]=>
  bool(false)
  ["raw":"Symfony\Component\HttpFoundation\Cookie":private]=>
  bool(true)
  ["sameSite":"Symfony\Component\HttpFoundation\Cookie":private]=>
  NULL
  ["secureDefault":"Symfony\Component\HttpFoundation\Cookie":private]=>
  bool(false)
}
*/
```
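For comparison, here is an added, stand-alone parser (not Symfony's code and not part of this report) that handles the same header the way RFC 6265 section 5.2 tells user agents to: the name/value pair is everything before the first ';', and it is split on the first '=' only, so any later '=' stays inside the value. The function name `parseSetCookie` and the array layout it returns are my own choices; the sample input is the header from the reproduction above with the "Set-Cookie: " prefix already removed.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's implementation: parse a Set-Cookie header value
// following the user-agent algorithm of RFC 6265 section 5.2.
// Returns ['name' => ..., 'value' => ..., 'attributes' => [...]] or null when
// the pair has no '=' (user agents ignore such a set-cookie-string entirely).
function parseSetCookie(string $setCookie): ?array
{
    // Step 1: the name-value pair ends at the first ';'; the rest are attributes.
    $semi = strpos($setCookie, ';');
    $nameValue = $semi === false ? $setCookie : substr($setCookie, 0, $semi);
    $unparsedAttrs = $semi === false ? '' : substr($setCookie, $semi + 1);

    // Step 2: split the pair on its FIRST '=' only; everything after it is the value.
    $eq = strpos($nameValue, '=');
    if ($eq === false) {
        return null;
    }
    $name = trim(substr($nameValue, 0, $eq), " \t");
    $value = trim(substr($nameValue, $eq + 1), " \t");
    if ($name === '') {
        return null;
    }

    // Step 3: attributes are ';'-separated; each is split on its own first '='.
    // Attribute names are case-insensitive, so they are lower-cased here.
    $attributes = [];
    foreach (explode(';', $unparsedAttrs) as $attr) {
        $attr = trim($attr, " \t");
        if ($attr === '') {
            continue;
        }
        $aeq = strpos($attr, '=');
        if ($aeq === false) {
            // Flag attributes such as Secure or HttpOnly carry no value.
            $attributes[strtolower($attr)] = true;
        } else {
            $attrName = strtolower(trim(substr($attr, 0, $aeq), " \t"));
            $attributes[$attrName] = trim(substr($attr, $aeq + 1), " \t");
        }
    }

    return ['name' => $name, 'value' => $value, 'attributes' => $attributes];
}

// Constructed sample: the header from the report without the "Set-Cookie: " prefix.
$sample = 'bjt_track=firstVisit=2019-09-23 06:18:41&sessionsCount=14'
    . '&previousVisit=2019-09-23 06:26:37&lastVisit=2019-09-23 06:27:09'
    . '; expires=Tue, 22-Sep-2020 06:27:09 GMT; path=/';

var_dump(parseSetCookie($sample));
```

The point of the comparison is the parser differential: a browser receiving this header stores the full `firstVisit=...&lastVisit=...` string, while a server-side parser that splits on every '=' keeps only `firstVisit`. Any logic that round-trips cookie state through such a parser (re-emitting a cookie, logging it, or matching it against what the client sends back) then operates on a different value from the one the client actually holds, which is worth a regression test whenever cookie values may legitimately contain '='.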