Use RFC-compliant URL encoding for cookies #25302

mziech · 2021-01-24T13:19:22Z

PHP 7.4.2 changed the way how cookies are decoded, applying RFC-compliant raw URL decoding. This leads to a conflict Nextcloud's own cookie encoding, breaking the remember-me function if the UID contains a space character.

Fixes #24438

Signed-off-by: Marco Ziech [email protected]

PHP 7.4.2 changed the way how cookies are decoded, applying RFC-compliant raw URL decoding. This leads to a conflict Nextcloud's own cookie encoding, breaking the remember-me function if the UID contains a space character. Fixes nextcloud#24438 Signed-off-by: Marco Ziech <[email protected]>

kesselb · 2021-01-24T16:23:25Z

I was observing the same behavior on my instance, essentially all users with a space in the name have to login twice after the session expired.

I tracked down the issue to a non-obvious change in PHP 7.4.2 and 7.4.3, which makes cookie encoding and decoding RFC compliant. See:

Basically PHP < 7.4.2 would encode Hans Peter as Hans+Peter and decode back to Hans Peter. However, PHP > 7.4.3 encode Hans Peter to Hans%20Peter and decode Hans+Peter to Hans+Peter leading to a clash in the expected UID.

php > echo(rawurldecode(urlencode('Hans Peter')));
Hans+Peter
php > echo(urldecode(rawurlencode('Hans Peter')));
Hans Peter
php > echo(urldecode(urlencode('Hans Peter')));
Hans Peter
php > echo(rawurldecode(rawurlencode('Hans Peter')));
Hans Peter

Since NextCloud uses its own cookie encoding function, the PHP 7.4.3 encoding fix won't work. I fixed the issue by changing urlencode to rawurlencode in https://github.com/nextcloud/server/blob/master/lib/private/Http/CookieHelper.php#L46

Originally posted by @mziech in #24438 (comment)

rullzer

O that is a nasty little change.
Thanks for the detailed explanation.

ChristophWurst

👍 so HP can use his Nextcloud again

welcome · 2021-01-29T12:38:05Z

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

ChristophWurst · 2021-01-29T12:38:29Z

/backport to stable20

ChristophWurst · 2021-01-29T12:38:44Z

/backport to stable19

kesselb requested review from rullzer and nickvergessen January 24, 2021 16:23

kesselb added 3. to review Waiting for reviews bug labels Jan 24, 2021

rullzer approved these changes Jan 25, 2021

View reviewed changes

rullzer added this to the Nextcloud 21 milestone Jan 29, 2021

ChristophWurst approved these changes Jan 29, 2021

View reviewed changes

ChristophWurst merged commit 8fcc0e8 into nextcloud:master Jan 29, 2021

backportbot-nextcloud bot added the backport-request label Jan 29, 2021

This was referenced Jan 29, 2021

[stable20] Use RFC-compliant URL encoding for cookies #25388

Merged

[stable19] Use RFC-compliant URL encoding for cookies #25389

Merged

mziech deleted the patch-2 branch January 29, 2021 21:41

rullzer mentioned this pull request Feb 4, 2021

21 RC1 #25376

Merged

MorrisJobke removed the backport-request label Mar 16, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use RFC-compliant URL encoding for cookies #25302

Use RFC-compliant URL encoding for cookies #25302

mziech commented Jan 24, 2021

kesselb commented Jan 24, 2021

rullzer left a comment

ChristophWurst left a comment

welcome bot commented Jan 29, 2021

ChristophWurst commented Jan 29, 2021

ChristophWurst commented Jan 29, 2021

Use RFC-compliant URL encoding for cookies #25302

Use RFC-compliant URL encoding for cookies #25302

Conversation

mziech commented Jan 24, 2021

kesselb commented Jan 24, 2021

rullzer left a comment

Choose a reason for hiding this comment

ChristophWurst left a comment

Choose a reason for hiding this comment

welcome bot commented Jan 29, 2021

ChristophWurst commented Jan 29, 2021

ChristophWurst commented Jan 29, 2021