php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69948 path/domain are not sanitized in setcookie
Submitted: 2015-06-26 23:09 UTC Modified: 2018-03-10 16:33 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: neal at fb dot com Assigned: cmb (profile)
Status: Closed Package: Network related
PHP Version: 5.6.10 OS: N/A
Private report: No CVE-ID: None
 [2015-06-26 23:09 UTC] neal at fb dot com
Description:
------------
In the highly unlikely event where path or domain are user-controlled, it is possible to inject semi-colons, equals signs, etc into a value. This allows you to provide arbitrary additional key/value pairs inside of a Set-Cookie header (ie: set an expires header 20 years from now, add the HttpOnly flag, etc).

There is already sanitization in the code for checking the "value" parameter: the same logic should be applied to domain and path.

Test script:
---------------
<?php

setcookie('foo', 'bar', 0, $_GET['path'], $_GET['domain']);

Expected result:
----------------
Making a request with path=asdf;asdf&domain=foobar;%20secure results in no cookie being sent (identical to how it's currently handled when the value has invalid characters).

Actual result:
--------------
Header looks like Set-Cookie: foo=bar; path=asdf;asdf; domain=foobar; secure

Patches

0001-Fix-69948 (last revision 2015-06-28 11:49 UTC by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-28 11:49 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: 0001-Fix-69948
Revision:   1435492169
URL:        https://bugs.php.net/patch-display.php?bug=69948&patch=0001-Fix-69948&revision=1435492169
 [2018-03-10 16:27 UTC] cmb@php.net
-Package: HTTP related +Package: Network related -Assigned To: +Assigned To: cmb
 [2018-03-10 16:27 UTC] cmb@php.net
-Summary: path/domain are not sanitized for special characters in setcookie +Summary: path/domain are not sanitized in setcookie
 [2018-03-24 16:32 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5cb825df7251aeb28b297f071c35b227a3949f01
Log: Fix #69948: path/domain are not sanitized in setcookie
 [2018-03-24 16:32 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Dec 12 08:01:25 2018 UTC