Bug #69948 path/domain are not sanitized in setcookie
Submitted: 2015-06-26 23:09 UTC
Modified: 2018-03-10 16:33 UTC
Votes: 3
Avg. Score: 4.3 ± 0.9
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: neal at fb dot com
Assigned: cmb
Status: Closed
Package: Network related
PHP Version: 5.6.10
OS: N/A
Private report: No
CVE-ID: None

 [2015-06-26 23:09 UTC] neal at fb dot com
Description:
------------
In the highly unlikely event where path or domain are user-controlled, it is possible to inject semicolons, equals signs, etc. into a value. This allows you to provide arbitrary additional key/value pairs inside of a Set-Cookie header (i.e.: set an expires header 20 years from now, add the HttpOnly flag, etc.).

There is already sanitization in the code for checking the "value" parameter: the same logic should be applied to domain and path.

Test script:
---------------
<?php

setcookie('foo', 'bar', 0, $_GET['path'], $_GET['domain']);

Expected result:
----------------
Making a request with path=asdf;asdf&domain=foobar;%20secure results in no cookie being sent (identical to how it's currently handled when the value has invalid characters).

Actual result:
--------------
Header looks like Set-Cookie: foo=bar; path=asdf;asdf; domain=foobar; secure
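
The behaviour described in the report, as an added example that is not php-src code or the submitter's: a simplified model of how verbatim path/domain values become extra Set-Cookie attributes, beside a check that drops the cookie instead. The function names and the forbidden-character set are assumptions made for this example; it needs PHP 7.4 or later.

```php
<?php
// Added example; a simplified model, not php-src code.
// Assumed forbidden set: comma, semicolon, space, tab, CR, LF, VT, FF.
const COOKIE_ATTR_FORBIDDEN = ",; \t\r\n\013\014";

/** True when $attr cannot terminate its own Set-Cookie attribute. */
function cookie_attr_is_safe(string $attr): bool
{
    return strpbrk($attr, COOKIE_ATTR_FORBIDDEN) === false;
}

/** Model of the reported behaviour: path and domain are appended verbatim. */
function build_header_unchecked(string $name, string $value, string $path, string $domain): string
{
    return "Set-Cookie: $name=" . rawurlencode($value) . "; path=$path; domain=$domain";
}

/** Behaviour the report asks for: no header at all when an attribute is unsafe. */
function build_header_checked(string $name, string $value, string $path, string $domain): ?string
{
    if (!cookie_attr_is_safe($path) || !cookie_attr_is_safe($domain)) {
        return null;
    }
    return build_header_unchecked($name, $value, $path, $domain);
}

/** Attribute names a client would see after splitting the header on ';'. */
function attribute_names(string $header): array
{
    $attrs = explode(';', substr($header, strlen('Set-Cookie: ')));
    array_shift($attrs); // drop the name=value pair
    return array_map(fn($a) => strtolower(trim(explode('=', $a, 2)[0])), $attrs);
}

// Constructed input: the report's query string after URL decoding.
$path   = 'asdf;asdf';
$domain = 'foobar; secure';

// Unchecked: the header from "Actual result", then the attributes it really carries.
$raw = build_header_unchecked('foo', 'bar', $path, $domain);
echo $raw, "\n";
echo implode(', ', attribute_names($raw)), "\n";

// Checked: the report's input is refused, ordinary values pass through.
var_dump(build_header_checked('foo', 'bar', $path, $domain));
var_dump(build_header_checked('foo', 'bar', '/app', 'example.test'));
```

On a PHP version without the fix, an application can run `cookie_attr_is_safe()` on any request-derived path or domain before passing it to `setcookie()`.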

Patches

0001-Fix-69948 (last revision 2015-06-28 11:49 UTC by cmb@php.net)


History

 [2015-06-28 11:49 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: 0001-Fix-69948
Revision:   1435492169
URL:        https://bugs.php.net/patch-display.php?bug=69948&patch=0001-Fix-69948&revision=1435492169
 [2018-03-10 16:27 UTC] cmb@php.net
-Package: HTTP related
+Package: Network related
-Assigned To:
+Assigned To: cmb
 [2018-03-10 16:27 UTC] cmb@php.net
-Summary: path/domain are not sanitized for special characters in setcookie
+Summary: path/domain are not sanitized in setcookie
 [2018-03-24 16:32 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5cb825df7251aeb28b297f071c35b227a3949f01
Log: Fix #69948: path/domain are not sanitized in setcookie
 [2018-03-24 16:32 UTC] cmb@php.net
-Status: Assigned
+Status: Closed