Fix handling of multiple cookie headers and comma values

fisk · fisk · commit 5894f24ff23c · 2019-11-30T09:59:22.000Z
diff --git a/src/Io/ServerRequest.php b/src/Io/ServerRequest.php
@@ -57,7 +57,13 @@ public function __construct(
             \parse_str($query, $this->queryParams);
         }
 
-        $this->cookies = $this->parseCookie($this->getHeaderLine('Cookie'));
+        // Multiple cookie headers are not allowed according
+        // to https://tools.ietf.org/html/rfc6265#section-5.4
+        $cookieHeaders = $this->getHeader("Cookie");
+
+        if (count($cookieHeaders) === 1) {
+            $this->cookies = $this->parseCookie($cookieHeaders[0]);
+        }
     }
 
     public function getServerParams()
@@ -146,10 +152,7 @@ public function withoutAttribute($name)
      */
     private function parseCookie($cookie)
     {
-        // PSR-7 `getHeaderLine('Cookie')` will return multiple
-        // cookie header comma-seperated. Multiple cookie headers
-        // are not allowed according to https://tools.ietf.org/html/rfc6265#section-5.4
-        if ($cookie === '' || \strpos($cookie, ',') !== false) {
+        if ($cookie === '') {
             return array();
         }
 
diff --git a/tests/StreamingServerTest.php b/tests/StreamingServerTest.php
@@ -2790,6 +2790,25 @@ public function testRequestCookieWithSeparatorWillBeAddedToServerRequest()
         $this->assertEquals(array('hello' => 'world', 'test' => 'abc'), $requestValidation->getCookieParams());
     }
 
+    public function testRequestCookieWithCommaValueWillBeAddedToServerRequest() {
+        $requestValidation = null;
+        $server = new StreamingServer(function (ServerRequestInterface $request) use (&$requestValidation) {
+            $requestValidation = $request;
+        });
+
+        $server->listen($this->socket);
+        $this->socket->emit('connection', array($this->connection));
+
+        $data = "GET / HTTP/1.1\r\n";
+        $data .= "Host: example.com:80\r\n";
+        $data .= "Connection: close\r\n";
+        $data .= "Cookie: test=abc,def; hello=world\r\n";
+        $data .= "\r\n";
+
+        $this->connection->emit('data', array($data));
+        $this->assertEquals(array('test' => 'abc,def', 'hello' => 'world'), $requestValidation->getCookieParams());
+    }
+
     private function createGetRequest()
     {
         $data = "GET / HTTP/1.1\r\n";

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,13 @@ public function __construct(`
`57`	`57`	`\parse_str($query, $this->queryParams);`
`58`	`58`	`}`
`59`	`59`
`60`		`- $this->cookies = $this->parseCookie($this->getHeaderLine('Cookie'));`
	`60`	`+ // Multiple cookie headers are not allowed according`
	`61`	`+ // to https://tools.ietf.org/html/rfc6265#section-5.4`
	`62`	`+ $cookieHeaders = $this->getHeader("Cookie");`
	`63`	`+`
	`64`	`+ if (count($cookieHeaders) === 1) {`
	`65`	`+ $this->cookies = $this->parseCookie($cookieHeaders[0]);`
	`66`	`+ }`
`61`	`67`	`}`
`62`	`68`
`63`	`69`	`public function getServerParams()`
`@@ -146,10 +152,7 @@ public function withoutAttribute($name)`
`146`	`152`	`*/`
`147`	`153`	`private function parseCookie($cookie)`
`148`	`154`	`{`
`149`		- // PSR-7 `getHeaderLine('Cookie')` will return multiple
`150`		`- // cookie header comma-seperated. Multiple cookie headers`
`151`		`- // are not allowed according to https://tools.ietf.org/html/rfc6265#section-5.4`
`152`		`- if ($cookie === '' \|\| \strpos($cookie, ',') !== false) {`
	`155`	`+ if ($cookie === '') {`
`153`	`156`	`return array();`
`154`	`157`	`}`
`155`	`158`