From: Christoph M. Becker
Date: Sat, 10 Mar 2018 16:28:32 +0000 (+0100)
Subject: Fix #69948: path/domain are not sanitized in setcookie
X-Git-Tag: php-7.3.0alpha1~134
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5cb825df7251aeb28b297f071c35b227a3949f01;p=php

Fix #69948: path/domain are not sanitized in setcookie

For improved security, characters not allowed for name and value should also be forbidden for path and domain.
---
diff --git a/NEWS b/NEWS
index 1ac402ba8a..680ef4ce82 100644
--- a/NEWS
+++ b/NEWS
@@ -181,6 +181,7 @@ PHP NEWS
 . Fixed bug #75409 (accept EFAULT in addition to ENOSYS as indicator that getrandom() is missing). (sarciszewski) . Fixed bug #74719 (fopen() should accept NULL as context). (Alexander Holman) + . Fixed bug #69948 (path/domain are not sanitized in setcookie). (cmb) - Testing: . Implemented request #62055 (Make run-tests.php support --CGI-- sections).
diff --git a/ext/standard/head.c b/ext/standard/head.c
index f10c9e52d9..5e21638adf 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -104,6 +104,16 @@ PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires,
 return FAILURE;
 }
+ if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error(E_WARNING, "Cookie paths cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
+ if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error(E_WARNING, "Cookie domains cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
+ return FAILURE;
+ }
+
 len += ZSTR_LEN(name);
 if (value) {
 if (url_encode) {
diff --git a/ext/standard/tests/network/bug69948.phpt b/ext/standard/tests/network/bug69948.phpt
new file mode 100644
index 0000000000..957d72f99d
--- /dev/null
+++ b/ext/standard/tests/network/bug69948.phpt
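Review bot: The forbidden-byte set `",; \t\r\n\013\014"` and the surrounding `strpbrk`/`zend_error`/`return FAILURE` shape are now written out three times in php_setcookie (for name above the hunk, as the commit message implies, and for path and domain here), so any later widening of the set — for instance the other CTLs that RFC 6265 excludes from path-value, which this check still lets through — has to be repeated in three places. I would hoist the set into one file-scope constant and a small static helper, as below, leaving the two warning strings untouched so the new bug69948.phpt keeps passing. Note also that strpbrk() stops at the first NUL byte, so a zend_string with an embedded NUL is only inspected up to that byte; whether that matters depends on whether the header assembly later in the function uses ZSTR_LEN or the C string, which is outside this hunk. php_setcookie starts and ends outside the hunk.
```c
/* Bytes that may not appear in a cookie name, path or domain; \013 and \014
 * are VT and FF (see isspace(3)). Kept in one place so all three checks agree. */
static const char php_cookie_illegal_chars[] = ",; \t\r\n\013\014";

/* Non-zero when s is non-NULL and contains an illegal byte. strpbrk() stops at
 * the first NUL, so bytes after an embedded NUL are not examined. */
static int php_cookie_has_illegal_chars(zend_string *s)
{
	return s && strpbrk(ZSTR_VAL(s), php_cookie_illegal_chars) != NULL;
}

/* … unchanged: php_setcookie signature and name/value checks … */
	if (php_cookie_has_illegal_chars(path)) {
		zend_error(E_WARNING, "Cookie paths cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
		return FAILURE;
	}

	if (php_cookie_has_illegal_chars(domain)) {
		zend_error(E_WARNING, "Cookie domains cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
		return FAILURE;
	}
```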
@@ -0,0 +1,18 @@
+--TEST--
+Bug #69948 (path/domain are not sanitized for special characters in setcookie)
+--FILE--
+
+===DONE===
+--EXPECTHEADERS--
+--EXPECTF--
+Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
+
+Warning: Cookie domains cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
+bool(false)
+bool(false)
+===DONE===