Do not decode cookie names anymore

diff --git a/main/php_variables.c b/main/php_variables.c
index d804a3860f4e078d736280addc749ed61a59fc01..ca015352d20a95bcf62d099ed98ee2d36431dae9 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -501,7 +501,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
                        size_t new_val_len;
 
                        *val++ = '\0';
-                       php_url_decode(var, strlen(var));
+                       if (arg != PARSE_COOKIE) {
+                               php_url_decode(var, strlen(var));
+                       }
                        val_len = php_url_decode(val, strlen(val));
                        val = estrndup(val, val_len);
                        if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
@@ -512,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
                        size_t val_len;
                        size_t new_val_len;
 
-                       php_url_decode(var, strlen(var));
+                       if (arg != PARSE_COOKIE) {
+                               php_url_decode(var, strlen(var));
+                       }
                        val_len = 0;
                        val = estrndup("", val_len);
                        if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {

diff --git a/tests/basic/022.phpt b/tests/basic/022.phpt
index 0ab70d4be7643f0b17310e6133f0eb33b5d28266..bd1db1370182241cba6742a2b883b5a965552467 100644 (file)
--- a/tests/basic/022.phpt
+++ b/tests/basic/022.phpt
@@ -10,7 +10,7 @@ cookie1=val1  ; cookie2=val2%20; cookie3=val 3.; cookie 4= value 4 %3B; cookie1=
 var_dump($_COOKIE);
 ?>
 --EXPECT--
-array(10) {
+array(12) {
   ["cookie1"]=>
   string(6) "val1  "
   ["cookie2"]=>
@@ -19,11 +19,15 @@ array(10) {
   string(6) "val 3."
   ["cookie_4"]=>
   string(10) " value 4 ;"
+  ["%20cookie1"]=>
+  string(6) "ignore"
+  ["+cookie1"]=>
+  string(6) "ignore"
   ["cookie__5"]=>
   string(7) "  value"
-  ["cookie_6"]=>
+  ["cookie%206"]=>
   string(3) "þæö"
-  ["cookie_7"]=>
+  ["cookie+7"]=>
   string(0) ""
   ["$cookie_8"]=>
   string(0) ""

diff --git a/tests/basic/023.phpt b/tests/basic/023.phpt
index ca5f1dcfbb1a29a4262decb6f69f81511646d43b..0e2e0ac6694534512b44f60c42b544ddaf324e64 100644 (file)
--- a/tests/basic/023.phpt
+++ b/tests/basic/023.phpt
@@ -10,9 +10,11 @@ c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","valu
 var_dump($_COOKIE);
 ?>
 --EXPECT--
-array(3) {
+array(4) {
   ["c_o_o_k_i_e"]=>
   string(5) "value"
+  ["c%20o+o_k+i%20e"]=>
+  string(1) "v"
   ["name"]=>
   string(24) ""value","value",UEhQIQ=="
   ["UEhQIQ"]=>

diff --git a/tests/basic/bug79699.phpt b/tests/basic/bug79699.phpt
new file mode 100644 (file)
index 0000000..fc3d3fe
--- /dev/null
+++ b/tests/basic/bug79699.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cookies Security Bug
+--INI--
+max_input_vars=1000
+filter.default=unsafe_raw
+--COOKIE--
+__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(4) {
+  ["__%48ost-evil"]=>
+  string(4) "evil"
+  ["__Host-evil"]=>
+  string(4) "good"
+  ["%66oo"]=>
+  string(3) "baz"
+  ["foo"]=>
+  string(3) "bar"
+}