prohibit empty cookie names for setcookie()

author Christoph M. Becker <cmbecker69@gmx.de>

Fri, 1 May 2015 22:10:28 +0000 (00:10 +0200)

committer Julien Pauli <jpauli@php.net>

Tue, 12 May 2015 08:47:35 +0000 (10:47 +0200)
author Christoph M. Becker <cmbecker69@gmx.de>
Fri, 1 May 2015 22:10:28 +0000 (00:10 +0200)
committer Julien Pauli <jpauli@php.net>
Tue, 12 May 2015 08:47:35 +0000 (10:47 +0200)
diff --git a/ext/standard/head.c b/ext/standard/head.c

index bdb3e59f58d107f0620e2c129686181ea867577a..22a2af1abe7dde37bc71a51229488c4ed0b78208 100644 (file)
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -86,7 +86,10 @@ PHPAPI int php_setcookie(char *name, size_t name_len, char *value, size_t value_
         int result;
         zend_string *encoded_value = NULL;
  
-       if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+       if (!name_len) {
+               zend_error( E_WARNING, "Cookie names must not be empty" );
+               return FAILURE;
+       } else if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
                 zend_error( E_WARNING, "Cookie names cannot contain any of the following '=,; \\t\\r\\n\\013\\014'" );
                 return FAILURE;
         }
diff --git a/ext/standard/tests/network/bug69523.phpt b/ext/standard/tests/network/bug69523.phpt

new file mode 100644 (file)

index 0000000..979ae00
--- /dev/null
+++ b/ext/standard/tests/network/bug69523.phpt
@@ -0,0 +1,8 @@
+--TEST--
+setcookie() allows empty cookie name
+--FILE--
+<?php
+setcookie('', 'foo');
+?>
+--EXPECTF--
+Warning: Cookie names must not be empty in %s on line %d
author	Christoph M. Becker <cmbecker69@gmx.de>
	Fri, 1 May 2015 22:10:28 +0000 (00:10 +0200)
committer	Julien Pauli <jpauli@php.net>
	Tue, 12 May 2015 08:47:35 +0000 (10:47 +0200)
ext/standard/head.c		patch \| blob \| history
ext/standard/tests/network/bug69523.phpt	[new file with mode: 0644]	patch \| blob