PHP 7.4.3RCE1 now calls rawurlencode for encoding cookie's value

[jairlopez]

Hello everybody,

Thank you all for your work.

Here's my contribution: As of PHP 7.4.3RC1, setcookie calls rawurlencode (instead of urlencode) for encoding the
value parameter; as a result, the following test:

\testCookie('greeting', '¡Buenos días!');

is failing:

[Set-Cookie: greeting=%C2%A1Buenos%20d%C3%ADas%21]
FAILED: [Set-Cookie: greeting=%C2%A1Buenos+d%C3%ADas%21] !== [Set-Cookie: greeting=%C2%A1Buenos%20d%C3%ADas%21]

Have a nice day!
Bye

[ocram]

Thank you!

So it seems decoding of cookie values, which is done by PHP internally and not by this library, had been changed (and fixed, with respect to the specification) in PHP 7.4.2, released on January 23, 2020.

Then, encoding of cookie values, which this library itself does as well, had to be fixed to match the new decoding behavior in PHP 7.4.3, released on February 20, 2020.

We’ll fix this with a PHP version check and new behavior for 7.4.3 and later versions. It seems no other minor versions were affected.

[jairlopez]

You're welcome! Right on!

[Empornium]

18 months later, any progress on this?

FYI, version check shouldn't be necessary, just using rawurlencode() should correctly decode with either urldecode() or rawurldecode();