php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45141 [PATCH] setcookie will output expires years of >4 digits
Submitted: 2008-05-31 03:21 UTC Modified: 2009-07-29 13:44 UTC
From: php at evilcode dot net Assigned: derick (profile)
Status: Closed Package: Date/time related
PHP Version: 5.2.6 OS: FreeBSD/Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at evilcode dot net
New email:
PHP Version: OS:

 

 [2008-05-31 03:21 UTC] php at evilcode dot net
Description:
------------
setcookie() will happily produce expires times with years greater than 4 digits in length. This violates various RFC's and can also lead to unexpectedly hung scripts (especially on 64-bit).

Reproduce code:
---------------
This works fine on 32-bit, but will keep the script looping effectively forever formatting the date as GMT on 64-bit.

setcookie('test', 'testing', PHP_INT_MAX);

Sample patch: http://evilcode.net/sjg/php5.2.6-setcookie-head.c.patch

This may not be the right place for this, as there are probably other violators as well. A more general/generic fix may be in order.

Expected result:
----------------
Date output should be trimmed to the end of year 9999, possibly a warning presented.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-02 12:53 UTC] derick@php.net
The formatting is actually a bug... I've started optimizing the algorithm but haven't finished yet.
 [2008-06-03 19:13 UTC] crrodriguez at suse dot de
IMHO, it should emit a warning and return FALSE, magically limiting the value is clearly the wrong thing.
 [2008-06-07 04:27 UTC] crrodriguez at suse dot de
Something like the following patch may help in the meanwhile..

http://stuff.cristianrodriguez.net/patches/setcookie_4_digit_years.patch
 [2009-07-29 13:44 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=286508
Log: Fixed bug #45141 (setcookie will output expires years of >4 digits).
 [2009-07-29 13:44 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC