php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76688 Cookie $options should not allow further arguments
Submitted: 2018-07-31 21:17 UTC Modified: 2018-08-07 21:39 UTC
From: cmb@php.net Assigned: pmmaga (profile)
Status: Closed Package: Network related
PHP Version: 7.3Git-2018-07-31 (Git) OS: *
Private report: No CVE-ID: None
 [2018-07-31 21:17 UTC] cmb@php.net
Description:
------------
The support for SameSite cookie directives[1] introduced $option
parameters for setcookie(), setrawcookie() and
session_set_cookie_params(), but these appear to allow further
arguments to be passed, which does not appear to conform to the
respective RFC[2], and is generally confusing.

[1] <https://github.com/php/php-src/pull/3398>
[2] <https://wiki.php.net/rfc/same-site-cookie#proposal>


Test script:
---------------
<?php
session_set_cookie_params(array('path'=>'/foo/'), 'bar', 'www.example.com');
var_dump(session_get_cookie_params());

Expected result:
----------------
A warning regarding excess arguments, which should be ignored for
further processing.

Actual result:
--------------
array(6) {
  ["lifetime"]=>
  int(0)
  ["path"]=>
  string(5) "/foo/"
  ["domain"]=>
  string(15) "www.example.com"
  ["secure"]=>
  bool(false)
  ["httponly"]=>
  bool(false)
  ["samesite"]=>
  string(0) ""
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-07-31 21:29 UTC] phpdev at ehrhardt dot nl
Related to the same RFC implementation: php_setcookie requires a 9th argument now. This line:

https://github.com/pmjones/ext-request/blob/master/serverresponse.c#L1034

leads to

serverresponse.c(1034): error C2198: 'php_setcookie': too few arguments for call

It only compiles on Windows if you add an extra argument NULL.
 [2018-07-31 21:33 UTC] phpdev at ehrhardt dot nl
The referenced line is

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly);

And has to be changed to

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly, NULL);

to make it compile.
 [2018-07-31 22:16 UTC] requinix@php.net
@phpdev: That's right, this does come with an API change, and as with any new series existing extensions may not be source-compatible.
But just because it compiles does not mean it's correct. Simply adding NULL is wrong. You should wait until the author updates for PHP 7.3.
 [2018-07-31 23:07 UTC] pmmaga@php.net
-Assigned To: +Assigned To: pmmaga
 [2018-08-07 21:39 UTC] cmb@php.net
For reference: <https://github.com/php/php-src/pull/3424>.
 [2018-08-12 13:50 UTC] cmb@php.net
Automatic comment on behalf of mail@pmmaga.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a16aee6cee77571e3af604117bdc48b75d8a3315
Log: Fix #76688: Disallow excessive parameters after options array
 [2018-08-12 13:50 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC