Fix cookie safe url creation

Calling rawurlencode is not enought, since it will encode / as %2F. Slashes needs to be respected, but any non url-friendly value must be encoded. Picked from a2f2323
symphonycms · Jun 16, 2017 · 27ea896 · 27ea896
1 parent 89b5f47
commit 27ea896
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/symphony/lib/core/class.session.php b/symphony/lib/core/class.session.php
@@ -75,7 +75,13 @@ public static function start($lifetime = 0, $path = '/', $domain = null, $httpOn
                 array('Session', 'gc')
             );
 
-            session_set_cookie_params($lifetime, rawurlencode($path), ($domain ? $domain : self::getDomain()), $secure, $httpOnly);
+            session_set_cookie_params(
+                $lifetime,
+                static::createCookieSafePath($path),
+                ($domain ? $domain : self::getDomain()),
+                $secure,
+                $httpOnly
+            );
             session_cache_limiter('');
 
             if (session_id() == '') {
@@ -93,6 +99,24 @@ public static function start($lifetime = 0, $path = '/', $domain = null, $httpOn
         return session_id();
     }
 
+    /**
+     * Returns a properly formatted ascii string for the cookie path.
+     * Browsers are notoriously bad at parsing the cookie path. They do not
+     * respect the content-encoding header. So we must be careful when dealing
+     * with setups with special characters in their paths.
+     *
+     * @since Symphony 2.7.0
+     **/
+    protected static function createCookieSafePath($path)
+    {
+        $path = array_filter(explode('/', $path));
+        if (empty($path)) {
+            return '/';
+        }
+        $path = array_map(rawurlencode, $path);
+        return '/' . implode('/', $path) . '/';
+    }
+
     /**
      * Returns the current domain for the Session to be saved to, if the installation
      * is on localhost, this returns null and just allows PHP to take care of setting