Cookie urlencoding in getHeaderValue method of WP_Http_Cookie confuses servers
| Reported by: | pw201 | Owned by: | westi |
| Component: | HTTP API | Keywords: | has-patch dev-feedback |
WP_Http_Cookie calls urlencode on cookie values before they're used in the Cookie header in the HTTP request. This produces interoperability problems with servers which don't perform the corresponding decode. This Stack Overflow article says that the RFC specifying that these values should be encoded is not well adopted, and that browsers don't follow it.
I found this while looking into why the LiveJournal importer now fails to import comments. I think LJ changed their cookie formats a while ago. The session cookies now contain colons and forward slashes. Both of these are encoded by the WP core code, resulting in the cookie not being recognised by LJ's server.
Removing the call to urlencode in getHeaderValue allows the import to complete. A better fix would probably be to only encode non-printable characters, I suppose.
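The difference between full `urlencode` and the "encode only what is unsafe" idea from the description, as an added PHP example (not WordPress core code and not this ticket's patch). The function name and the cookie values are hypothetical, and treating the RFC 6265 cookie-octet range as the set of bytes to leave untouched is an assumption about what "non-printable" should cover.

```php
<?php
// Added illustration; not WordPress core code.

/**
 * Percent-encode only bytes that fall outside the RFC 6265 cookie-octet range:
 * control characters (including CR and LF), space, double quote, comma,
 * semicolon, backslash, DEL and non-ASCII bytes. Everything else, including
 * ':' and '/', is passed through unchanged. An existing '%' is left alone so
 * a value the server already encoded is not encoded a second time.
 */
function encode_cookie_value_minimal( string $value ): string {
    return preg_replace_callback(
        '/[^\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]/',
        static function ( array $m ): string {
            // No /u flag, so each match is exactly one byte.
            return sprintf( '%%%02X', ord( $m[0] ) );
        },
        $value
    );
}

// Constructed sample: a session value with colons and slashes, as the
// description says the server now issues. Not a real cookie.
$session = 'v2:u1234567:s89:aBcDeF//1';

// Constructed sample: a value carrying CR/LF. Sent raw, it would end the
// Cookie header early, which is why dropping all encoding is not safe either.
$with_crlf = "abc\r\nX-Extra: 1";

$cases = array( 'session' => $session, 'with_crlf' => $with_crlf );

foreach ( $cases as $label => $value ) {
    printf( "%s\n", $label );
    printf( "  urlencode: Cookie: sid=%s\n", urlencode( $value ) );
    printf( "  minimal:   Cookie: sid=%s\n", encode_cookie_value_minimal( $value ) );
    // A server that compares the received value byte-for-byte only accepts
    // the encoding that left the original value intact.
    printf( "  urlencode round-trips unchanged: %s\n",
        urlencode( $value ) === $value ? 'yes' : 'no' );
    printf( "  minimal round-trips unchanged:   %s\n",
        encode_cookie_value_minimal( $value ) === $value ? 'yes' : 'no' );
}
```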
Change History (23)
comment:3 @kurtpayne — 4 years ago
- Cc kpayne@… added
- Component changed from General to HTTP
- Keywords has-patch dev-feedback added
- Version set to 2.8