zendframework · thomasvargiu · Oct 13, 2018
diff --git a/src/Header/Cookie.php b/src/Header/Cookie.php
@@ -75,12 +75,20 @@ public function __construct(array $array = [])
         parent::__construct($array, ArrayObject::ARRAY_AS_PROPS);
     }
 
+    /**
+     * @param bool $encodeValue
+     *
+     * @return $this
+     */
     public function setEncodeValue($encodeValue)
     {
         $this->encodeValue = (bool) $encodeValue;
         return $this;
     }
 
+    /**
+     * @return bool
+     */
     public function getEncodeValue()
     {
         return $this->encodeValue;

diff --git a/src/Header/SetCookie.php b/src/Header/SetCookie.php
@@ -85,6 +85,11 @@ class SetCookie implements MultipleHeaderInterface
      */
     protected $httponly;
 
+    /**
+     * @var bool
+     */
+    protected $encodeValue = true;
+
     /**
      * @static
      * @throws Exception\InvalidArgumentException
@@ -99,6 +104,7 @@ public static function fromString($headerLine, $bypassHeaderFieldName = false)
         if ($setCookieProcessor === null) {
             $setCookieClass = get_called_class();
             $setCookieProcessor = function ($headerLine) use ($setCookieClass) {
+                /** @var SetCookie $header */
                 $header = new $setCookieClass();
                 $keyValuePairs = preg_split('#;\s*#', $headerLine);
 
@@ -115,6 +121,11 @@ public static function fromString($headerLine, $bypassHeaderFieldName = false)
                     if ($header->getName() === null) {
                         $header->setName($headerKey);
                         $header->setValue(urldecode($headerValue));
+
+                        // set no encode value if raw and encoded values are the same
+                        if (urldecode($headerValue) === $headerValue) {
+                            $header->setEncodeValue(false);
+                        }
                         continue;
                     }
 
@@ -213,6 +224,22 @@ public function __construct(
              ->setHttpOnly($httponly);
     }
 
+    /**
+     * @return bool
+     */
+    public function getEncodeValue()
+    {
+        return $this->encodeValue;
+    }
+
+    /**
+     * @param bool $encodeValue
+     */
+    public function setEncodeValue($encodeValue)
+    {
+        $this->encodeValue = (bool) $encodeValue;
+    }
+
     /**
      * @return string 'Set-Cookie'
      */
@@ -231,7 +258,7 @@ public function getFieldValue()
             return '';
         }
 
-        $value = urlencode($this->getValue());
+        $value = $this->encodeValue ? urlencode($this->getValue()) : $this->getValue();
         if ($this->hasQuoteFieldValue()) {
             $value = '"' . $value . '"';
         }

diff --git a/test/Header/SetCookieTest.php b/test/Header/SetCookieTest.php
@@ -50,6 +50,14 @@ public function testSetCookieFromStringWithQuotedValue()
         $this->assertEquals('myname=quotedValue', $setCookieHeader->getFieldValue());
     }
 
+    public function testSetCookieFromStringWithNotEncodedValue()
+    {
+        $setCookieHeader = SetCookie::fromString('Set-Cookie: foo=a:b; Path=/');
+        $this->assertFalse($setCookieHeader->getEncodeValue());
+        $this->assertEquals('a:b', $setCookieHeader->getValue());
+        $this->assertEquals('foo=a:b; Path=/', $setCookieHeader->getFieldValue());
+    }
+
     public function testSetCookieFromStringCreatesValidSetCookieHeader()
     {
         $setCookieHeader = SetCookie::fromString('Set-Cookie: xxx');
@@ -457,6 +465,25 @@ public function testPreventsCRLFAttackViaSetValue()
         $this->assertEquals('Set-Cookie: leo_auth_token=example%0D%0A%0D%0AevilContent', $header->toString());
     }
 
+    public function testSetCookieWithEncodeValue()
+    {
+        $header = new SetCookie('test');
+        $header->setValue('a:b');
+
+        $this->assertSame('a:b', $header->getValue());
+        $this->assertSame('test=a%3Ab', $header->getFieldValue());
+    }
+
+    public function testSetCookieWithNoEncodeValue()
+    {
+        $header = new SetCookie('test');
+        $header->setValue('a:b');
+        $header->setEncodeValue(false);
+
+        $this->assertSame('a:b', $header->getValue());
+        $this->assertSame('test=a:b', $header->getFieldValue());
+    }
+
     public function setterInjections()
     {
         return [