From aec716bac71194bf8d2a56632b20280216bef962 Mon Sep 17 00:00:00 2001
From: Martin Mares
Date: Wed, 22 Feb 2017 16:11:45 +0100
Subject: [PATCH] UCW::CGI: Encode UTF-8 characters in cookies properly

---
 ucw/perl/UCW/CGI.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ucw/perl/UCW/CGI.pm b/ucw/perl/UCW/CGI.pm
index f31f31a5..d9c2ea6d 100644
--- a/ucw/perl/UCW/CGI.pm
+++ b/ucw/perl/UCW/CGI.pm
@@ -1,6 +1,6 @@
 # Poor Man's CGI Module for Perl
 #
-# (c) 2002--2015 Martin Mares
+# (c) 2002--2017 Martin Mares
 # Slightly modified by Tomas Valla
 #
 # This software may be freely distributed and used according to the terms
@@ -38,6 +38,14 @@ sub url_escape($) {
 return $x;
 }
 
+sub url_strict_escape($) {
+ my $x = shift @_;
+ defined $x or return;
+ utf8::encode($x);
+ $x =~ s/([^-\$_.!*'(),0-9A-Za-z])/"%".unpack('H2',$1)/ge;
+ return $x;
+}
+
 sub url_deescape($) {
 my $x = shift @_;
 defined $x or return;
@@ -471,7 +479,7 @@ sub set_cookie($$@) {
 $wdays[$wd], $d, $mons[$m], $y+1900, $H, $M, $S);
 }
 
- print "Set-Cookie: $key=", url_escape($value);
+ print "Set-Cookie: $key=", url_strict_escape($value);
 foreach my $k (keys %other) {
 print "; $k";
 print "=", $other{$k} if defined $other{$k};
-- 
2.39.2
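Review bot: The safe set in `url_strict_escape` still lets a comma through unescaped, and RFC 6265 excludes the comma from cookie-octet, so some cookie parsers may treat it as a separator. Since the function is used for the Set-Cookie value, drop the comma from the class: `$x =~ s/([^-\$_.!*'()0-9A-Za-z])/"%".unpack('H2',$1)/ge;`. The sub also has no comment; a line such as `# Percent-escape every byte outside a conservative safe set, after UTF-8 encoding; used for cookie values` above it would tell it apart from `url_escape`. `utf8::encode` assumes the caller passes a character string, so a value that is already UTF-8 bytes would be encoded twice, which is worth stating in that comment.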
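Review bot: `$key` and the attribute values in `%other` are still printed into the `Set-Cookie` header unescaped on these lines, so a CR/LF or `;` in either would alter the header even though the value is now strictly escaped. If any caller can pass non-constant names or attributes, validate them before printing, for example `$key =~ /\A[-.0-9A-Za-z_]+\z/ or die "set_cookie: bad cookie name";`, with a similar check rejecting control characters and `;` in `$other{$k}`. The start of `set_cookie` is outside the hunk, so an existing check there cannot be ruled out. It is also worth confirming that the code reading cookies back turns the percent-escaped UTF-8 bytes into characters again, otherwise round-tripped values will differ.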