Fix #76688: Disallow excessive parameters after options array
authorPedro Magalhães <mail@pmmaga.net>
Wed, 1 Aug 2018 20:28:09 +0000 (22:28 +0200)
committerChristoph M. Becker <cmbecker69@gmx.de>
Sun, 12 Aug 2018 13:49:13 +0000 (15:49 +0200)
NEWS
ext/session/session.c
ext/session/tests/session_set_cookie_params_variation7.phpt
ext/standard/head.c
ext/standard/tests/network/setcookie_error.phpt

diff --git a/NEWS b/NEWS
index d53d90e6d99d6e95775dedb46c2c289dcb210b56..23bea374ddb6c742338a0646985aa76143247362 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,8 @@ PHP                                                                        NEWS
     (Kevin Abel)
 
 - Standard:
+  . Fixed bug #76688 (Disallow excessive parameters after options array).
+    (pmmaga)
   . Fixed bug #76713 (Segmentation fault caused by property corruption).
     (Laruence)
 
index c7d54b0ee739704b4fce14b4bf4e905fd0514aaa..c46af0d87d778487e0f95b54fa7007fa20510551 100644 (file)
@@ -1704,6 +1704,15 @@ static PHP_FUNCTION(session_set_cookie_params)
                zend_string *key;
                zval *value;
 
+               if (path) {
+                       path = NULL;
+                       domain = NULL;
+                       secure_null = 1;
+                       httponly_null = 1;
+                       php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
+                       RETURN_FALSE;
+               }
+
                ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(lifetime_or_options), key, value) {
                        if (key) {
                                ZVAL_DEREF(value);
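Review bot: The four assignments on lines 32–35 are dead stores: `RETURN_FALSE` leaves the function immediately, so resetting `path`, `domain`, `secure_null` and `httponly_null` has no observable effect and the block can shrink to `if (path) { php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array"); RETURN_FALSE; }`. The guard also fires only when `path` is non-null; if the parameter parsing for this function (outside the hunk) accepts a null path, a call with `null` as the second argument and a domain as the third would pass the check with `domain` still populated, so `if (ZEND_NUM_ARGS() > 1)` would be the more robust condition. The enclosing function begins and ends outside the hunk.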
index ebd9b71df60745ae2f5516d7eb197e954ffd6d7a..9d1f8709be7126523064c204017b1c8e0420b123 100644 (file)
@@ -36,6 +36,10 @@ var_dump(ini_get("session.cookie_lifetime"));
 var_dump(session_set_cookie_params(["lifetime" => 42]));
 var_dump(ini_get("session.cookie_lifetime"));
 
+var_dump(ini_get("session.cookie_path"));
+var_dump(session_set_cookie_params(["path" => "newpath/"], "arg after options array"));
+var_dump(ini_get("session.cookie_path"));
+
 echo "Done";
 ob_end_flush();
 ?>
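Review bot: The new case on line 49 only exercises a non-null second argument, so it does not pin whether the guard also rejects a trailing domain when the path slot itself is `null`; a companion call such as `var_dump(session_set_cookie_params(["path" => "newpath/"], null, "example.com"));` with matching expected output would make the intended contract explicit. Whether that call is currently rejected depends on the parameter parsing in session.c, which is outside this diff's hunks.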
@@ -57,4 +61,9 @@ string(6) "please"
 string(1) "0"
 bool(true)
 string(2) "42"
+string(1) "/"
+
+Warning: session_set_cookie_params(): Cannot pass arguments after the options array in %s
+bool(false)
+string(1) "/"
 Done
index 5a9f09b1e72674613c32226cba48c9613bb257dd..5e753840ccf8b20e6b443b2ba60c6b1a10d748e5 100644 (file)
@@ -211,6 +211,15 @@ static int php_head_parse_cookie_options_array(zval *options, zend_long *expires
        zend_string *key;
        zval *value;
 
+       if (*path) {
+               *path = NULL;
+               *domain = NULL;
+               *secure = 0;
+               *httponly = 0;
+               php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
+               return 0;
+       }
+
        ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(options), key, value) {
                if (key) {
                        ZVAL_DEREF(value);
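Review bot: The guard on line 70 keys only on `*path`, so if the caller's parameter parsing accepts a null path (that code is outside the hunk), a positional domain or flag passed after a `null` path is not rejected here and the caller continues with a mix of array and positional values. Since this static helper has no `execute_data`, an argument-count check would have to live in the caller before this function is invoked; the `*path` test can stay as a secondary guard. A short comment above line 71 would also help the next reader, e.g. `/* Options array and positional attributes are mutually exclusive: clear the positional ones so the caller cannot use them after the failure */`. The enclosing function starts before the hunk and ends after it.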
@@ -243,7 +252,6 @@ static int php_head_parse_cookie_options_array(zval *options, zend_long *expires
        /* Array is not empty but no valid keys were found */
        if (found == 0 && zend_hash_num_elements(Z_ARRVAL_P(options)) > 0) {
                php_error_docref(NULL, E_WARNING, "No valid options were found in the given array");
-               return 0;
        }
 
        return 1;
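Review bot: With the `return 0` on line 86 removed, the function now reports success right after warning that no valid options were found, and the comment on line 83 no longer conveys that; suggest `/* Array is not empty but no valid keys were found: warn, but report success so the caller still sets the cookie */`. Whether the cookie is actually emitted on the 1 return depends on the caller outside the hunk; the updated setcookie_error.phpt expectation (a `Set-Cookie: name2=value2` header) suggests it is.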
index 1cbdf9ef0caeef48539145f8d380779ae53de103..d9241d3de79a0c4090661bbb3f97db158a0dba8d 100644 (file)
@@ -10,9 +10,15 @@ ob_start();
 // Unrecognized key and no valid keys
 setcookie('name', 'value', ['unknown_key' => 'only']);
 // Numeric key and no valid keys
-setcookie('name', 'value', [0 => 'numeric_key']);
+setcookie('name2', 'value2', [0 => 'numeric_key']);
 // Unrecognized key
-setcookie('name', 'value', ['path' => '/path/', 'foo' => 'bar']);
+setcookie('name3', 'value3', ['path' => '/path/', 'foo' => 'bar']);
+// Arguments after options array (will not be set)
+setcookie('name4', 'value4', [], "path", "domain.tld", true, true);
+
+var_dump(headers_list());
+
+--EXPECTHEADERS--
 
 --EXPECTF--
 Warning: setcookie(): Unrecognized key 'unknown_key' found in the options array in %s
@@ -24,3 +30,15 @@ Warning: setcookie(): Numeric key found in the options array in %s
 Warning: setcookie(): No valid options were found in the given array in %s
 
 Warning: setcookie(): Unrecognized key 'foo' found in the options array in %s
+
+Warning: setcookie(): Cannot pass arguments after the options array in %s
+array(4) {
+  [0]=>
+  string(%d) "X-Powered-By: PHP/%s"
+  [1]=>
+  string(22) "Set-Cookie: name=value"
+  [2]=>
+  string(24) "Set-Cookie: name2=value2"
+  [3]=>
+  string(37) "Set-Cookie: name3=value3; path=/path/"
+}
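Review bot: The expected `headers_list()` dump on lines 115–124 hard-codes `X-Powered-By: PHP/%s` as element 0 of a 4-element array, which ties the test to `expose_php` being enabled in the test environment; unless the file's header (outside the hunk) already sets it, an `--INI--` section with `expose_php=1` would pin that, or the script could dump only the `Set-Cookie:` entries so the assertion covers just what the change affects. The `array(4)` count and the `[0]` index would need adjusting either way.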