laminas/laminas-diactoros

Plus signs in cookie data get converted to space.

Danack opened this issue · 1 comments

Bug Report

Plus signs in cookie values are converted to spaces.

Q A
Version(s) 2.24.0 but also the latest version.

My reading of rfc6265 is that plus signs:

cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E

as the plus sign is a %2B

Summary

Plus signs in cookie values are converted to spaces.

Current behavior

The function parseCookieHeader does a urldecode on the values here, and so the plus sign is converted to a space.

How to reproduce

$data = "john=12345; plus_sign=plus+sign";
$result = parseCookieHeader($data);
var_dump($data, $result);

Expected behavior

As the plus sign is apparently a valid cookie character, it should be passed through unchanged.

Not sure how you could change this without a large BC break...

btw, probably relevant
https://bugs.php.net/bug.php?id=78929

@Danack thank you