[wp-trac] [WordPress Trac] #43231: Wp_Http_Cookie host-only flag

WordPress Trac noreply at wordpress.org
Mon Feb 5 13:43:20 UTC 2018


#43231: Wp_Http_Cookie host-only flag
--------------------------+-----------------------------
 Reporter:  soulseekah    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  HTTP API      |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The `Wp_Http_Cookie` as parsed from the `Requests_Cookie` does away with
 some very important information: the host-only flag.

 Consider the following example header that a remote server sends:

 `Set-Cookie: test=12345; domain=".example.org"`

 This is transformed into a `Requests_Cookie` with the domain attribute set
 as "example.org" (as per RFC 6265
 https://tools.ietf.org/html/rfc6265#section-5.3 point 6 (domain-attribute
 storage model)) and a "host-only" flag is set to false, which means that
 the cookie can be sent to any subdomains within the domain.

 Then the `Requests_Cookie` is transformed into a `Wp_Http_Cookie`, which
 doesn't store any of the flags at all. This results in a cookie that is
 only valid for the main domain, since "host-only" is a true-by-default
 flag.

 It is now impossible to send the same `Wp_Http_Cookie` instance to the
 next request as it gets filtered out by `Requests_Cookie` domain-matching
 (https://github.com/rmccue/Requests/blob/master/library/Requests/Cookie.php#L131)
 and never gets sent.

 The only workaround is to null the `domain` property of the
 `Wp_Http_Cookie` to allow it to be sent to a subdomain.

 So in short, `Wp_Http_Cookie` is losing very important information, i.e.
 the difference between ".example.org" and "example.org".

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43231>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
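The following Python script is an added illustration of the RFC 6265 behaviour the ticket relies on; it is not code from the ticket, from WordPress core, or from the Requests library. It implements the section 5.3 storage model (Domain attribute with its leading dot dropped, host-only flag set accordingly), the section 5.1.3 domain-match test, and the section 5.4 send decision, and then models the lossy conversion described above with a hypothetical `lossy_copy` helper that keeps only name, value and domain and lets host-only fall back to its true-by-default value. Only the Domain attribute is handled; Path, Expires, Secure and HttpOnly are deliberately ignored.

```python
"""RFC 6265 cookie domain handling: why dropping the host-only flag loses
the difference between Domain=".example.org" and a plain host cookie.
Added example, not code from the ticket, WordPress core or Requests."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonicalized, leading dot removed (RFC 6265 5.2.3)
    host_only: bool  # RFC 6265 5.3 step 6


def canonicalize_host(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request host is a dotted
    suffix of the cookie domain and is not an IP address."""
    request_host = canonicalize_host(request_host)
    if request_host == domain:
        return True
    return request_host.endswith("." + domain) and not _is_ip(request_host)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Apply the section 5.3 storage model to one Set-Cookie header.
    Only name/value and Domain are handled (illustration only)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain_attr = val.strip().strip('"')
    request_host = canonicalize_host(request_host)
    if domain_attr:
        # 5.2.3: a leading dot is ignored; 5.3 step 6: a stored Domain
        # means host-only=false, but only if the request host matches it
        domain = canonicalize_host(domain_attr.lstrip("."))
        if not domain_matches(request_host, domain):
            raise ValueError(f"rejected: {request_host} does not match {domain}")
        return Cookie(name.strip(), value.strip(), domain, host_only=False)
    # No Domain attribute: host-only cookie bound to the exact request host.
    return Cookie(name.strip(), value.strip(), request_host, host_only=True)


def accepts(header: str, request_host: str) -> bool:
    """True if the storage model would keep the cookie (used by the checks)."""
    try:
        parse_set_cookie(header, request_host)
        return True
    except ValueError:
        return False


def should_send(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1, domain condition only."""
    request_host = canonicalize_host(request_host)
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


def lossy_copy(cookie: Cookie) -> Cookie:
    """Hypothetical model of the conversion the ticket describes: the flag
    is dropped and falls back to true; only name/value/domain survive."""
    return Cookie(cookie.name, cookie.value, cookie.domain, host_only=True)


if __name__ == "__main__":
    c = parse_set_cookie('Set-Cookie: test=12345; domain=".example.org"',
                         "example.org")
    print(c)                                                # host_only=False
    print(should_send(c, "sub.example.org"))                # True
    print(should_send(lossy_copy(c), "sub.example.org"))    # False
```

Running it shows the exact loss the ticket reports: the parsed cookie has `domain="example.org"` with `host_only=False` and is eligible for `sub.example.org`, while the copy that defaulted host-only back to true is sent only to `example.org` itself. The `accepts` helper also shows the other side of the storage model: a server on `example.org` cannot set a cookie for an unrelated domain, which is why the stored domain and the flag have to travel together.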
