php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch 0001-Fix-69948 for Network related Bug #69948

Patch version 2015-06-28 11:49 UTC

Return to Bug #69948 | Download this patch
Patch Revisions:

Developer: cmb@php.net

From c3cf3ad27ec6ae3afe8252a4e4da41d551a01fa7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Sun, 28 Jun 2015 13:44:21 +0200
Subject: [PATCH] Fix #69948: path/domain are not sanitized for special
 characters in setcookie

For improved security, characters not allowed for name and value should also be
forbidden for path and domain.
---
 ext/standard/head.c                      | 10 ++++++++++
 ext/standard/tests/network/bug69948.phpt | 12 ++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 ext/standard/tests/network/bug69948.phpt

diff --git a/ext/standard/head.c b/ext/standard/head.c
index 22a2af1..c16c519 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -99,6 +99,16 @@ PHPAPI int php_setcookie(char *name, size_t name_len, char *value, size_t value_
 		return FAILURE;
 	}
 
+	if (path && strpbrk(path, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_error( E_WARNING, "Cookie paths cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+		return FAILURE;
+	}
+
+	if (domain && strpbrk(domain, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_error( E_WARNING, "Cookie domains cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+		return FAILURE;
+	}
+
 	len += name_len;
 	if (value && url_encode) {
 		encoded_value = php_url_encode(value, value_len);
diff --git a/ext/standard/tests/network/bug69948.phpt b/ext/standard/tests/network/bug69948.phpt
new file mode 100644
index 0000000..6e45fe2
--- /dev/null
+++ b/ext/standard/tests/network/bug69948.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #69948 (path/domain are not sanitized for special characters in setcookie)
+--FILE--
+<?php
+setcookie('foo', 'bar', 0, 'asdf;asdf');
+setcookie('foo', 'bar', 0, '/', 'foobar; secure');
+?>
+--EXPECTHEADERS--
+--EXPECTF--
+Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
+
+Warning: Cookie domains cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
-- 
1.9.5.msysgit.0

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 20:01:27 2019 UTC