|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45141 [PATCH] setcookie will output expires years of >4 digits
Submitted: 2008-05-31 03:21 UTC Modified: 2009-07-29 13:44 UTC
From: php at evilcode dot net Assigned: derick
Status: Closed Package: Date/time related
PHP Version: 5.2.6 OS: FreeBSD/Linux
Private report: No CVE-ID:
 [2008-05-31 03:21 UTC] php at evilcode dot net
setcookie() will happily produce expires times with years greater than 4 digits in length. This violates various RFC's and can also lead to unexpectedly hung scripts (especially on 64-bit).

Reproduce code:
This works fine on 32-bit, but will keep the script looping effectively forever formatting the date as GMT on 64-bit.

setcookie('test', 'testing', PHP_INT_MAX);

Sample patch:

This may not be the right place for this, as there are probably other violators as well. A more general/generic fix may be in order.

Expected result:
Date output should be trimmed to the end of year 9999, possibly a warning presented.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-02 12:53 UTC]
The formatting is actually a bug... I've started optimizing the algorithm but haven't finished yet.
 [2008-06-03 19:13 UTC] crrodriguez at suse dot de
IMHO, it should emit a warning and return FALSE, magically limiting the value is clearly the wrong thing.
 [2008-06-07 04:27 UTC] crrodriguez at suse dot de
Something like the following patch may help in the meanwhile..
 [2009-07-29 13:44 UTC]
Automatic comment from SVN on behalf of iliaa
Log: Fixed bug #45141 (setcookie will output expires years of >4 digits).
 [2009-07-29 13:44 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 03:01:32 2015 UTC