[wp-trac] [WordPress Trac] #21182: WP_HTTP_Cookie doesn't handle the default conditions for the 'domain' and 'path' field correctly.

WordPress Trac wp-trac at lists.automattic.com
Sat Jul 7 04:34:46 UTC 2012 

#21182: WP_HTTP_Cookie doesn't handle the default conditions for the 'domain' and
'path' field correctly.
--------------------------+-----------------------------
 Reporter:  dd32          |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  low           |  Milestone:  Awaiting Review
Component:  HTTP          |    Version:
 Severity:  minor         |   Keywords:
--------------------------+-----------------------------
 WP_HTTP_Cookie currently handles "simple" cookies in exactly the same way
 they're received, that is, it only fills in the details that the set-
 cookie header contained.

 However, some fields are optional, and as a result of this, the
 [http://www.ietf.org/rfc/rfc2109.txt rfc for state management] specifies a
 set of default values for certain fields:
 {{{
 4.3.1  Interpreting Set-Cookie

    The user agent keeps separate track of state information that arrives
    via Set-Cookie response headers from each origin server (as
    distinguished by name or IP address and port).  The user agent
    applies these defaults for optional attributes that are missing:

    VersionDefaults to "old cookie" behavior as originally specified by
           Netscape.  See the HISTORICAL section.

    Domain Defaults to the request-host.  (Note that there is no dot at
           the beginning of request-host.)

    Max-AgeThe default behavior is to discard the cookie when the user
           agent exits.

    Path   Defaults to the path of the request URL that generated the
           Set-Cookie response, up to, but not including, the
           right-most /.

    Secure If absent, the user agent may send the cookie over an
           insecure channel.
 }}}

 We currently don't do anything special for Secure cookies (From what I can
 see), but we also need to handle the 'domain' and 'path' field defaults
 better, as currently they remain at the default null if nothing is passed.
 This can result in domains passing the WP_HTTP_Cookie::test() method to a
 different domain or path than they were issued on.

 Example cookie values (and WP_HTTP_Cookie representations) which can
 trigger this:
 {{{
 PHPSESSID=ros1liponkqip23k9le0hhmp31; path=/' (length=44)
 test=1341632838; expires=Sat, 07-Jul-2012 04:47:18 GMT
 array (size=2)
   0 =>
     object(WP_Http_Cookie)[87]
       public 'name' => string 'PHPSESSID' (length=9)
       public 'value' => string 'ros1liponkqip23k9le0hhmp31' (length=26)
       public 'expires' => null
       public 'path' => string '/' (length=1)
       public 'domain' => null
   1 =>
     object(WP_Http_Cookie)[86]
       public 'name' => string 'test' (length=4)
       public 'value' => string '1341632838' (length=10)
       public 'expires' => int 1341636438
       public 'path' => null
       public 'domain' => null
 }}}

 This is not a issue for WordPress core, but could affect plugins who do
 anything special with Cookies.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21182>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list