When an input variable name contains a non-matched open bracket, we not
only have to replace that with an underscore, but also all following
forbidden characters.
?? ??? ????, PHP 8.0.0beta1
+- Core:
+ . Fixed bug #78236 (convert error on receiving variables when duplicate [).
+ (cmb)
+
- JIT:
. Fixed bug #79864 (JIT segfault in Symfony OptionsResolver). (Dmitry)
} else {
ip = strchr(ip, ']');
if (!ip) {
- /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
+ /* not an index; un-terminate the var name */
*(index_s - 1) = '_';
+ /* PHP variables cannot contain ' ', '.', '[' in their names, so we replace the characters with a '_' */
+ for (p = index_s; *p; p++) {
+ if (*p == ' ' || *p == '.' || *p == '[') {
+ *p = '_';
+ }
+ }
index_len = 0;
if (index) {
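Review bot: The condition `*p == ' ' || *p == '.' || *p == '['` in the new loop hard-codes the forbidden-character set inside this error branch. If the same set is applied elsewhere to the part of the name before the first '[', move it into one shared helper or macro so the two cannot drift apart. The loop rewrites everything from index_s up to the terminating NUL in place, which the comment could say explicitly, and `p` is not declared in the visible lines, so confirm it is declared at function scope.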
--- /dev/null
+--TEST--
+Bug #78236 (convert error on receiving variables when duplicate [)
+--POST--
+id[name=1&id[[name=a&id[na me.=3
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECT--
+array(3) {
+ ["id_name"]=>
+ string(1) "1"
+ ["id__name"]=>
+ string(1) "a"
+ ["id_na_me_"]=>
+ string(1) "3"
+}
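Review bot: All three names in the --POST-- line place the unmatched '[' directly after `id`, so the `if (index)` path that follows the new loop in the C change is never exercised by this test. Add a name in which a complete index precedes the unmatched bracket, with its expected key in --EXPECT--, so that both outcomes of that branch are pinned down.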