View Issue Details

ID: 0005307
Project: OXID eShop (all versions)
Category: 4. ------ eShop Core -------
View Status: public
Last Update: 2016-10-05 14:47
Reporter: Hendrik Becker
Priority: high
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: reopened
Product Version: 4.7.6 / 5.0.6
Target Version:
Fixed in Version:
Summary: 0005307: Cookies are changed by checkParamSpecialChars's several times

Description:

Assumption: The Browser sends a cookie named "mycookie" containing the value "M&M"


If I access a cookie value like this: oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')
I will receive the value: "M&M"

If I access the cookie again like this: oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')
I will receive the value: "M&M"

And if I do that again, I will receive: "M&M"

And so on ...


This is because the global $_COOKIE array is manipulated on each oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie').

The method getOxCookie() in core/oxutilsserver.php calls on line 264: $sValue = oxRegistry::getConfig()->checkParamSpecialChars($_COOKIE[$sName]);

The method checkParamSpecialChars() in core/oxconfig.php takes the $sValue parameter by reference and changes its value on line 825.

Additional Information:

I suggest leaving cookie values unchanged. At least in my case I don't want to receive a checkParamSpecialChars'ed version of the cookie.

Currently my workaround is simple. I simply don't access a certain cookie value, but call oxRegistry::get("oxUtilsServer")->getOxCookie() (without parameter) to receive the complete cookie array. Then I can access the certain key.

Tags: No tags attached.
Theme: Not defined
Browser: All
PHP Version: Not defined
MySQL Version: Not defined

Relationships

has duplicate 0006477 acknowledged oxUtilsServer::getOxCookie has side effects on $_COOKIE 

Activities

Hendrik Becker

2013-07-24 11:28

reporter   ~0008935

It seems like this bug tracker removed 1 level of & from my example.

So here is the example again (hopefully) correct:

--- START ---

If I access a cookie value like this: oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')
I will receive the value: "M&amp;M"

If I access the cookie again like this: oxRegistry::get("oxUtilsServer")->getOxCookie('mycookie')
I will receive the value: "M&amp;amp;M"

And if I do that again, I will receive: "M&amp;amp;amp;M"

And so on ...


--- STOP ---

Aivaras

2014-10-28 09:52

reporter   ~0010281

+1. Same problem here.

Easy fix (replace getOxCookie in oxutilsserver.php):

public function getOxCookie($sName = null)
{
    $sValue = null;
    if ($sName && isset($_COOKIE[$sName])) {
        // checkParamSpecialChars() takes its argument by reference, so pass a
        // copy and leave the $_COOKIE entry itself untouched.
        $sRawValue = $_COOKIE[$sName];
        $sValue = oxRegistry::getConfig()->checkParamSpecialChars($sRawValue);
    } elseif ($sName && !isset($_COOKIE[$sName])) {
        $sValue = isset($this->_sSessionCookies[$sName]) ? $this->_sSessionCookies[$sName] : null;
    } elseif (!$sName && isset($_COOKIE)) {
        $sValue = $_COOKIE;
    }

    return $sValue;
}
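
The by-reference side effect described in this issue, and the effect of escaping a copy as in the fix above, as a stand-alone added example that is not part of the original thread or of OXID's code. The function names and the replacement table in escapeSpecialChars() are assumptions standing in for checkParamSpecialChars(); the cookie value is constructed.

```php
<?php
// Stand-in for oxConfig::checkParamSpecialChars(): it takes the value BY
// REFERENCE and overwrites it. The replacement table is assumed for this demo.
function escapeSpecialChars(&$value)
{
    $value = str_replace(
        array('&', '<', '>', '"', "'"),
        array('&amp;', '&lt;', '&gt;', '&quot;', '&#039;'),
        $value
    );
    return $value;
}

// Pattern from the report: the $_COOKIE element itself is passed by reference,
// so every read re-escapes what the previous read stored.
function getCookieMutating($name)
{
    return isset($_COOKIE[$name]) ? escapeSpecialChars($_COOKIE[$name]) : null;
}

// Pattern from the suggested fix: escape a local copy, $_COOKIE stays as sent.
function getCookieCopying($name)
{
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    $raw = $_COOKIE[$name];
    return escapeSpecialChars($raw);
}

// Read the same cookie three times and report what each read returned and
// what is left in $_COOKIE afterwards.
function readThreeTimes($getter)
{
    $_COOKIE['mycookie'] = 'M&M'; // constructed sample cookie
    $seen = array();
    for ($i = 0; $i < 3; $i++) {
        $seen[] = $getter('mycookie');
    }
    return array('returned' => $seen, 'stored' => $_COOKIE['mycookie']);
}

print_r(readThreeTimes('getCookieMutating'));
print_r(readThreeTimes('getCookieCopying'));
```

With the mutating getter each read returns one more level of `&amp;` and `$_COOKIE` ends up holding the triple-escaped string. With the copying getter every read returns `M&amp;M` and `$_COOKIE` still holds `M&M`, so any later comparison against the raw cookie value is not affected by how often it was read.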

gregor.hyneck

2016-09-29 07:39

administrator   ~0011807

Last edited: 2016-09-29 07:40


Currently I'm working on https://github.com/OXID-eSales/oxideshop_ce/pull/460 which solves this issue.

robert blank

2016-10-05 14:47

reporter   ~0011823

The bugfix introduced a BC break and must be reverted.

This bug cannot be fixed in v5.3.
The right way to fix this bug in v6.0 is to create a separate method in v5.3 and deprecate the current method checkParamSpecialChars().
In v6.0 do not change the current method, but replace it by the new one and delete the current method checkParamSpecialChars().