View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005307 | OXID eShop (all versions) | 4. ------ eShop Core ------- | public | 2013-07-24 11:24 | 2020-02-26 09:12 |
Reporter | Hendrik Becker | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.7.6 / 5.0.6 | ||||
Fixed in Version | 6.0.0 | ||||
Summary | 0005307: Cookies are changed by checkParamSpecialChars's several times | ||||
Description | Assumption: The browser sends a cookie named "mycookie" containing the value "M&M".

If I access a cookie value like this:

oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')

I will receive the value: "M&M"

If I access the cookie again like this:

oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')

I will receive the value: "M&M"

And if I do that again, I will receive: "M&M"

And so on ...

This is because the global $_COOKIE array is manipulated on each oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie').

The method getOxCookie() in core/oxutilsserver.php calls on line 264:

$sValue = oxRegistry::getConfig()->checkParamSpecialChars($_COOKIE[$sName]);

The method checkParamSpecialChars() in core/oxconfig.php takes the $sValue parameter by reference and changes its value on line 825.
Additional Information | I suggest leaving cookie values unchanged. At least in my case I don't want to receive a checkParamSpecialChars'ed version of the cookie. Currently my workaround is simple. I simply don't access a certain cookie value, but call oxRegistry::get("oxUtilsServer")->getOxCookie() (without parameter) to receive the complete cookie array. Then I can access the certain key. | ||||
Tags | No tags attached. | ||||
Theme | Not defined | ||||
Browser | All | ||||
PHP Version | Not defined | ||||
Database Version | Not defined | ||||
has duplicate | 0006477 | resolved | benjamin.joerger | oxUtilsServer::getOxCookie has side effects on $_COOKIE |
|
It seems like this bug tracker removed 1 level of & from my example. So here is the example again (hopefully) correct:

--- START ---

If I access a cookie value like this:

oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')

I will receive the value: "M&M"

If I access the cookie again like this:

oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')

I will receive the value: "M&M"

And if I do that again, I will receive: "M&M"

And so on ...

--- STOP ---
|
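+1. Same problem here. Easy fix (replace getOxCookie in oxutilsserver.php):

```php
public function getOxCookie($sName = null)
{
    $sValue = null;
    if ($sName && isset($_COOKIE[$sName])) {
        // Work on a copy: checkParamSpecialChars() takes its argument by
        // reference, so passing $_COOKIE[$sName] directly would modify it.
        $sRawValue = $_COOKIE[$sName];
        $sValue = oxRegistry::getConfig()->checkParamSpecialChars($sRawValue);
    } elseif ($sName && !isset($_COOKIE[$sName])) {
        // Fall back to cookies set earlier in this request.
        $sValue = isset($this->_sSessionCookies[$sName]) ? $this->_sSessionCookies[$sName] : null;
    } elseif (!$sName && isset($_COOKIE)) {
        // No name given: return the whole cookie array unchanged.
        $sValue = $_COOKIE;
    }

    return $sValue;
}
```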
|
Currently I'm working on https://github.com/OXID-eSales/oxideshop_ce/pull/460 which solves this issue. |
|
The bugfix introduced a BC break and must be reverted. This bug cannot be fixed in v5.3. The right way to fix this bug in v6.0 is to create a separate method in v5.3 and deprecate the current method checkParamSpecialChars(). In v6.0 do not change the current method, but replace it by the new one and delete the current method checkParamSpecialChars(). |
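
The side effect reported in this issue and the copy-based fix suggested in the notes, reduced to a stand-alone script. This is an added example, not OXID code: escapeByRef() is a hypothetical stand-in for checkParamSpecialChars() with an assumed replacement list, and both getters are simplified.

```php
<?php
// Added illustration, not OXID code. escapeByRef() is a hypothetical stand-in
// for checkParamSpecialChars(): it takes its argument by reference and
// rewrites it in place. The replacement list below is an assumption.
function escapeByRef(&$value)
{
    if (is_string($value)) {
        $value = str_replace(
            ['&', '<', '>', '"', "'"],
            ['&amp;', '&lt;', '&gt;', '&quot;', '&#039;'],
            $value
        );
    }
    return $value;
}

// Getter shaped like the one in the report: the superglobal element itself
// is bound to the reference parameter, so each read escapes it once more.
function getCookieMutating($name)
{
    return isset($_COOKIE[$name]) ? escapeByRef($_COOKIE[$name]) : null;
}

// Getter shaped like the suggested fix: only a local copy is escaped.
function getCookieCopy($name)
{
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    $raw = $_COOKIE[$name];
    return escapeByRef($raw);
}

// Read the same cookie three times and report what each call returned and
// what is left in $_COOKIE afterwards.
function readThreeTimes(callable $getter, $rawValue)
{
    $_COOKIE['mycookie'] = $rawValue; // constructed sample input
    $reads = [$getter('mycookie'), $getter('mycookie'), $getter('mycookie')];
    return ['reads' => $reads, 'stored' => $_COOKIE['mycookie']];
}

foreach (['getCookieMutating', 'getCookieCopy'] as $getter) {
    $result = readThreeTimes($getter, 'M&M');
    printf("%s\n  reads:  %s\n  stored: %s\n",
        $getter, implode(' | ', $result['reads']), $result['stored']);
}
```

With the mutating getter the returned value and the stored `$_COOKIE` entry depend on how many times the cookie was read earlier in the request, so any later comparison against the raw cookie value is unreliable; the copy-based getter returns the same escaped value on every call and leaves `$_COOKIE` as received.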