. Fixed bug #75409 (accept EFAULT in addition to ENOSYS as indicator
that getrandom() is missing). (sarciszewski)
. Fixed bug #74719 (fopen() should accept NULL as context). (Alexander Holman)
+ . Fixed bug #69948 (path/domain are not sanitized in setcookie). (cmb)
- Testing:
. Implemented request #62055 (Make run-tests.php support --CGI-- sections).
return FAILURE;
}
+ if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error(E_WARNING, "Cookie paths cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
+ if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error(E_WARNING, "Cookie domains cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
len += ZSTR_LEN(name);
if (value) {
if (url_encode) {
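Review bot: The forbidden-character set `",; \t\r\n\013\014"` and the matching warning text are now spelled out twice (L9/L10 and L14/L15), and whatever the existing name check uses is a third copy outside this hunk, so a later change to the header-injection rules has to be applied in several places; a single file-scope `static const char cookie_forbidden_chars[] = ",; \t\r\n\013\014";` used by all three `strpbrk()` calls keeps them in step. `strpbrk(ZSTR_VAL(path), …)` also stops at the first NUL byte, so a zend_string holding an embedded NUL is only inspected up to that byte; whether this matters depends on how the Set-Cookie header is assembled further down (by C-string or by `ZSTR_LEN`), which is not visible here, so it is worth confirming and, if needed, rejecting `strlen(ZSTR_VAL(path)) != ZSTR_LEN(path)` alongside the `strpbrk()` test. The enclosing function (the setcookie implementation) starts and ends outside this hunk.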
--- /dev/null
+--TEST--
+Bug #69948 (path/domain are not sanitized for special characters in setcookie)
+--FILE--
+<?php
+var_dump(
+ setcookie('foo', 'bar', 0, 'asdf;asdf'),
+ setcookie('foo', 'bar', 0, '/', 'foobar; secure')
+);
+?>
+===DONE===
+--EXPECTHEADERS--
+--EXPECTF--
+Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
+
+Warning: Cookie domains cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
+bool(false)
+bool(false)
+===DONE===
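Review bot: The test only exercises the two rejection paths; there is no positive case showing that a path and domain without the forbidden characters are still accepted after the new checks, so a regression that rejected every non-empty path would pass this test. Adding a call such as `setcookie('foo', 'bar', 0, '/', 'example.com')` with `bool(true)` in the expected output, and the corresponding Set-Cookie line under `--EXPECTHEADERS--`, would pin both directions. It is also worth confirming that the empty `--EXPECTHEADERS--` section is actually asserting that no Set-Cookie header was emitted for the rejected calls, rather than being ignored by run-tests.php.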