v0.2.7 · Tags · Gopal C / zealphp

v0.2.7

65d812f0 · fix(security): relax setrawcookie filter to match PHP native behavior · May 15, 2026

Release v0.2.7 — relax setrawcookie filter

v0.2.5 introduced CRLF/NUL injection guards on cookie/header sinks.
The setrawcookie value filter was too strict — it rejected legal raw
cookie-octets (space, comma, semicolon) that PHP native accepts. Now
matches PHP behavior: rejects only \r\n\0 in the value. CRLF guards
on header(), Response::header(), redirect(), setcookie() are unchanged.

Existing testSetRawCookieDoesNotUrlEncode integration test confirms.