wrong escaping of cookie path by MichaelRoosz · Pull Request #16087 · matomo-org/matomo · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wrong escaping of cookie path #16087

Merged
merged 1 commit into from
Jun 24, 2020
Merged

wrong escaping of cookie path #16087

merged 1 commit into from
Jun 24, 2020

Conversation

MichaelRoosz
Copy link
Contributor

Since this commit has been merged, setting the cookie path is broken.
3b69290
#15185

Cookie path in the Set-Cookie header must not be escaped, or the browser will fall back to the current URL path.

For example:
If $Path === '/' and the cookie is set from /js/tracker.php, the browser will save the cookie path as "/js" and not "/".

Reading the docu here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie, I think we should not escape the path at all.
Same applies for the domain, but since the dot is not escaped by rawurlencode, I think it does not hurt

@Findus23 Findus23 added the Needs Review PRs that need a code review label Jun 18, 2020
@sgiehl
Copy link
Member

sgiehl commented Jun 18, 2020

Might be something we maybe should add to 3.x-dev. Seems to be the same issue we had with session cookies. See #15602

@Findus23 Findus23 added the Regression Indicates a feature used to work in a certain way but it no longer does even though it should. label Jun 18, 2020
@tsteur
Copy link
Member

tsteur commented Jun 20, 2020

Haven't looked... can we always trust the $path?

@sgiehl
Copy link
Member

sgiehl commented Jun 22, 2020

@tsteur In most cases it should use config values for cookie_path / login_cookie_path or doesn't have a value at all.
But we can't encode the path that way. We had the same problem in the linked PR. The browser simply discards the path if it's encoded...

@tsteur
Copy link
Member

tsteur commented Jun 22, 2020

👍 sweet. Was just meaning in case there is user input somewhere we'd need to do maybe some validation or so. That's all.

@diosmosis
Copy link
Member

👍 to merge into 3.x-dev

@diosmosis diosmosis changed the base branch from 4.x-dev to 3.x-dev June 23, 2020 22:46
@diosmosis diosmosis changed the base branch from 3.x-dev to 4.x-dev June 23, 2020 22:46
@diosmosis diosmosis self-assigned this Jun 24, 2020
@tsteur tsteur merged commit 288a905 into matomo-org:4.x-dev Jun 24, 2020
diosmosis pushed a commit that referenced this pull request Jun 25, 2020
@diosmosis
Fixed wrong escaping of cookie path (#16087)
afc98a5 
Co-authored-by: michael.heerklotz <michael.heerklotz@check24.de>
@mattab mattab added this to the 4.0.0 milestone Sep 10, 2020
@mattab mattab changed the title Critical: Fixed wrong escaping of cookie path wrong escaping of cookie path Sep 28, 2020
@MichaelRoosz MichaelRoosz deleted the fix_cookie_path branch October 29, 2023 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@diosmosis diosmosis

Labels
Needs Review PRs that need a code review Regression Indicates a feature used to work in a certain way but it no longer does even though it should.
Projects
None yet
Milestone
4.0.0
Development

Successfully merging this pull request may close these issues.
6 participants
@MichaelRoosz @sgiehl @tsteur @diosmosis @mattab @Findus23