Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#43231 closed defect (bug) (fixed)

Wp_Http_Cookie host-only flag

Reported by: soulseekah's profile soulseekah Owned by: pento's profile pento
Milestone: 5.2 Priority: normal
Severity: normal Version:
Component: HTTP API Keywords: has-patch has-unit-tests
Focuses: Cc:


The Wp_Http_Cookie as parsed from the Requests_Cookie does away with some very important information - the host-only flag.

Consider the following example header that a remote server sends:

Set-Cookie: test=12345; domain=""

This is transformed into a Requests_Cookie with the domain attribute set as "" (as per RFC 6265 point 6 (domain-attribute storage model)) and a "host-only" flag is set to false, which means that the cookie can be sent to any subdomains within the domain.

Then the Request_Cookie is transformed into a Wp_Http_Cookie, which doesn't store any of the flags at all. This results in a cookie that is only valid for the main domain, since "host-only" is a true-by-default flag.

It is now impossible to send the same Wp_Http_Cookie instance to the next request as it gets filtered out by Request_Cookie domain-matching and never gets sent.

The only workaround is to null the domain property of the Wp_Http_Cookie to allow it to be sent to a subdomain.

So in short, Wp_Http_Cookie is losing very important information, i.e. the difference between "" and "".

Attachments (3)

43231.tests.patch (1.1 KB) - added by soulseekah 6 years ago.
Initial tests
43231.1.patch (4.0 KB) - added by soulseekah 6 years ago.
Initial patch
43231.2.tests.patch (1.4 KB) - added by soulseekah 6 years ago.
Reworked tests without remote call

Download all attachments as: .zip

Change History (11)

#1 @johnbillion
6 years ago

  • Keywords needs-patch needs-unit-tests added

6 years ago

Initial tests

6 years ago

Initial patch

#2 @soulseekah
6 years ago

  • Keywords has-patch has-unit-tests added; needs-patch needs-unit-tests removed

#3 @johnbillion
6 years ago

  • Owner set to soulseekah
  • Status changed from new to assigned

Thanks for the patch, @soulseekah! This looks like something that should be able to be unit tested without the need to perform an external HTTP request. What do you think? Can you take a look?

6 years ago

Reworked tests without remote call

#4 @SergeyBiryukov
6 years ago

  • Milestone changed from Awaiting Review to 5.0

#5 @pento
6 years ago

  • Milestone changed from 5.0 to 5.1

#6 @pento
6 years ago

  • Milestone changed from 5.1 to 5.2

Patch needs testing and a decision.

#7 @pento
5 years ago

  • Owner changed from soulseekah to pento

#8 @pento
5 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 45135:

HTTP: Add support for the host-only flag to Wp_Http_Cookie.

Props soulseekah.
Fixes #43231.

Note: See TracTickets for help on using tickets.