Patches: 0001-Fix-69948 (last revision 2015-06-28 11:49 UTC by cmb@php.net)
[2015-06-28 11:49 UTC] cmb@php.net
[2018-03-10 16:27 UTC] cmb@php.net
-Package: HTTP related
+Package: Network related
-Assigned To:
+Assigned To: cmb
[2018-03-10 16:27 UTC] cmb@php.net
-Summary: path/domain are not sanitized for special characters in setcookie
+Summary: path/domain are not sanitized in setcookie
[2018-03-10 16:33 UTC] cmb@php.net
[2018-03-24 16:32 UTC] cmb@php.net
[2018-03-24 16:32 UTC] cmb@php.net
-Status: Assigned
+Status: Closed
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Wed Nov 05 16:00:01 2025 UTC
Description:
------------
In the highly unlikely event where path or domain are user-controlled, it is possible to inject semi-colons, equals signs, etc. into a value. This allows you to provide arbitrary additional key/value pairs inside of a Set-Cookie header (i.e. set an expires header 20 years from now, add the HttpOnly flag, etc.). There is already sanitization in the code for checking the "value" parameter: the same logic should be applied to domain and path.

Test script:
---------------
<?php
// path and domain come straight from the query string
setcookie('foo', 'bar', 0, $_GET['path'], $_GET['domain']);

Expected result:
----------------
Making a request with path=asdf;asdf&domain=foobar;%20secure results in no cookie being sent (identical to how it's currently handled when the value has invalid characters).

Actual result:
--------------
Header looks like

Set-Cookie: foo=bar; path=asdf;asdf; domain=foobar; secure
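The mechanism the report describes, as an added example that is neither the reporter's script nor php-src code. It assembles the Set-Cookie line two ways: verbatim, as the report says setcookie() did, and with path and domain held to the same separator rule the report says already applies to the value. The forbidden character set (COOKIE_SEPARATORS), the function names and the helper that splits the header are assumptions made for this illustration; the inputs are the report's own query-string values after URL decoding.

```php
<?php
// Added example for bug #69948: not the reporter's script and not php-src code.
// Shows how an unchecked path/domain smuggles extra attributes into Set-Cookie
// and how applying the value rule to those two arguments stops it.

// Separator characters that, to the best of my knowledge, PHP already refuses in
// a cookie value (comma, semicolon, space, tab, CR, LF, VT, FF). The exact set
// is an assumption for this illustration; what matters is that ';' and
// whitespace are in it, since those are what the injection needs.
const COOKIE_SEPARATORS = ",; \t\r\n\013\014";

// Assemble the header exactly as handed in. This mirrors the behaviour the
// report describes, where path and domain are copied without any check.
function build_set_cookie_unchecked(string $name, string $value, string $path = '', string $domain = ''): string
{
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    return $header;
}

// Same assembly, but path and domain are held to the value rule first.
// Returns null when either is tainted so that no header is emitted, which is
// the outcome the reporter lists under "Expected result".
function build_set_cookie_checked(string $name, string $value, string $path = '', string $domain = ''): ?string
{
    foreach (['path' => $path, 'domain' => $domain] as $attr => $raw) {
        if ($raw !== '' && strpbrk($raw, COOKIE_SEPARATORS) !== false) {
            trigger_error("Cookie {$attr} contains a separator character; cookie not sent", E_USER_WARNING);
            return null;
        }
    }
    return build_set_cookie_unchecked($name, $value, $path, $domain);
}

// Split a Set-Cookie line on ';' the way a browser does and list the attribute
// names it would act on. Used to make the injected attribute visible.
function cookie_attribute_names(string $header): array
{
    $body  = substr($header, strlen('Set-Cookie: '));
    $names = [];
    foreach (array_slice(explode(';', $body), 1) as $piece) {
        $piece = trim($piece);
        if ($piece === '') {
            continue;
        }
        $names[] = strtolower(explode('=', $piece, 2)[0]);
    }
    return $names;
}

// Constructed inputs: the report's own query-string values after URL decoding,
// i.e. what $_GET['path'] and $_GET['domain'] would hold.
$path   = 'asdf;asdf';
$domain = 'foobar; secure';

$leaky = build_set_cookie_unchecked('foo', 'bar', $path, $domain);
echo $leaky, "\n";
echo 'attributes a browser sees: ', implode(', ', cookie_attribute_names($leaky)), "\n";

$safe = build_set_cookie_checked('foo', 'bar', $path, $domain);
echo 'checked builder returned: ', var_export($safe, true), "\n";
```

Run under php-cli. The first line printed by the unchecked builder is the header the report shows under "Actual result"; the attribute list that follows contains `secure` as a fourth attribute the caller never asked for, which is the injection. The checked builder refuses both tainted arguments with a warning and returns null, so nothing is sent. Only separators need to be refused: once `;` and whitespace cannot appear, an `=` inside a path or domain stays inside that attribute's own value and cannot start a new one.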