openswoole / ext-openswoole

Programmatic server for PHP with async IO, coroutines and fibers
https://openswoole.com
Apache License 2.0
808 stars, 50 forks

Cookie decoding problem #311

Open Baachi opened 1 year ago

Baachi commented 1 year ago
1. What did you do? If possible, provide a simple script for reproducing the error.

If we add a cookie with a "+" in its value, this value gets encoded as " ".

<?php

use Swoole\Http\Server;
use Swoole\Http\Request;
use Swoole\Http\Response;

$server = new Server('127.0.0.1', 9000);
$server->set([
    'enable_coroutine' => false,
]);
$server->on("Start", function() {
    echo "OpenSwoole HTTP Server Started @ 127.0.0.1:9000\n";
});

$server->on('Request', function(Request $request, Response $response) {
    echo sprintf('%s %s', $request->getMethod(), $request->server['request_uri']).PHP_EOL;

    // First visit: send the cookie value verbatim (no URL encoding) and redirect.
    if (!isset($request->cookie['csrf'])) {
        $response->rawCookie('csrf', 'qDGK6d1q6aMJ6/5GlrQxvUnM3+Vj/R3SWv/ZYfVxaKo=');
        $response->redirect('/');

        return $response;
    }

    // Second visit: echo the cookie value back as the server decoded it.
    $response->end($request->cookie['csrf']);
    // Prints qDGK6d1q6aMJ6/5GlrQxvUnM3 Vj/R3SWv/ZYfVxaKo=
});

$server->start();
2. What did you expect to see?

Should be qDGK6d1q6aMJ6/5GlrQxvUnM3+Vj/R3SWv/ZYfVxaKo= or at least a method to get the raw cookie.

3. What did you see instead?

The "+" sign is interpreted as a space.

4. What version of OpenSwoole are you using (show your `php --ri openswoole`)?
☁  swoole-bug  php --ri openswoole

openswoole

Open Swoole => enabled
Author => Open Swoole Group <hello@openswoole.com>
Version => 22.0.0
Built => Apr 19 2023 13:12:05
coroutine => enabled with boost asm context
kqueue => enabled
rwlock => enabled
pcre => enabled
zlib => 1.2.11

Directive => Local Value => Master Value
openswoole.enable_coroutine => On => On
openswoole.enable_preemptive_scheduler => Off => Off
openswoole.display_errors => On => On
openswoole.unixsock_buffer_size => 262144 => 262144
5. What is your machine environment used (show your `uname -a` & `php -v` & `gcc -v`) ?

macOS and Linux (Alpine) with PHP 8.2. We use the native php alpine image from Docker Hub and install openswoole via https://github.com/mlocati/docker-php-extension-installer.

Baachi commented 1 year ago

The PHP native webserver handles this value correctly:

<?php

// First visit: set the cookie with PHP's own setcookie() and redirect.
if (!isset($_COOKIE['csrf'])) {
    header('Location: index_webserver.php');
    setcookie('csrf', 'qDGK6d1q6aMJ6/5GlrQxvUnM3+Vj/R3SWv/ZYfVxaKo=');

    exit;
}

// Second visit: show the value as PHP decoded it into $_COOKIE.
var_dump($_COOKIE['csrf']); // Prints qDGK6d1q6aMJ6/5GlrQxvUnM3+Vj/R3SWv/ZYfVxaKo=

And just for context: we don't set the cookie ourselves. We use Ory Kratos, which sends the csrf token with a "+" sign.
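The two reports above (a "+" in a raw cookie arriving as a space under OpenSwoole, and the same token surviving under PHP's built-in server with setcookie()) come down to which decoder is applied to the Cookie header and whether the value was URL-encoded on the way out. The following added example, which is not code from the issue, from OpenSwoole or from Ory Kratos, uses a small illustrative Cookie-header parser (an assumption of the example, not OpenSwoole's parser) and a constructed header built from the token in the report to show how urldecode() and rawurldecode() treat "+" differently, and what setcookie()'s documented URL-encoding does to the same value:

```php
<?php
// Added illustration, not code from the issue, OpenSwoole or Ory Kratos:
// parse a Cookie request header into name => value pairs and show how the
// choice of decoder changes a value that contains "+".

declare(strict_types=1);

/**
 * Split a raw Cookie header into [name => decoded value].
 * Pairs are separated by ";", the name is everything before the first "=",
 * and $decode is applied to the value (e.g. 'urldecode' or 'rawurldecode').
 * Deliberately small parser for this example; it is not OpenSwoole's.
 */
function parseCookieHeader(string $header, callable $decode): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        // Split on the first "=" only: base64 values end with "=" themselves.
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue; // no "=", so not a cookie-pair; skip it
        }
        $name  = substr($pair, 0, $eq);
        $value = substr($pair, $eq + 1);
        // RFC 6265 allows the value to be wrapped in double quotes.
        if (strlen($value) >= 2 && $value[0] === '"' && $value[-1] === '"') {
            $value = substr($value, 1, -1);
        }
        $cookies[$name] = $decode($value);
    }
    return $cookies;
}

/** True when a value sent verbatim comes back unchanged through $decode. */
function cookieSurvives(string $value, callable $decode): bool
{
    return parseCookieHeader('csrf=' . $value, $decode)['csrf'] === $value;
}

// Constructed sample: the token from the issue, sent raw (as rawCookie() or
// setrawcookie() would send it) next to an unrelated cookie.
$token  = 'qDGK6d1q6aMJ6/5GlrQxvUnM3+Vj/R3SWv/ZYfVxaKo=';
$header = 'session=abc123; csrf=' . $token;

// urldecode() applies application/x-www-form-urlencoded rules, where "+" means " ".
// rawurldecode() only expands %XX escapes and leaves "+" alone.
foreach (['urldecode', 'rawurldecode'] as $decoder) {
    $parsed = parseCookieHeader($header, $decoder);
    printf("%-12s csrf=%s  intact=%s\n",
        $decoder, $parsed['csrf'], cookieSurvives($token, $decoder) ? 'yes' : 'no');
}

// setcookie() URL-encodes the value before sending (PHP documents this), so the
// browser stores and returns "%2B" instead of "+", which either decoder expands
// back to "+". setrawcookie() and OpenSwoole's rawCookie() send the value verbatim.
$encoded = urlencode($token);
$roundTrip = parseCookieHeader('csrf=' . $encoded, 'urldecode')['csrf'];
printf("urlencode() form of the token: %s\n", $encoded);
printf("urldecode() after urlencode() intact=%s\n", $roundTrip === $token ? 'yes' : 'no');
```

Run it with `php cookie_decode.php` (any file name works). The practical point for a server author is that Cookie values are not form data: decoding them with form rules silently rewrites every "+" to a space, so a base64 token such as the one above no longer matches what the issuer stored, and two distinct cookie values ("a+b" and "a b") collapse into one. Percent-decoding only, or exposing the raw header value as the reporter asks for, avoids both problems.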