From: Arpad Ray <arraypad@gmail.com>
Date: Wed, 17 Jul 2013 15:07:26 +0000 (+0100)
Subject: Fixed bug #50308 - session id not appended properly for empty anchor tags
X-Git-Tag: php-5.5.1~6^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e6ae977082bcff9c2ef0db4db58df2b07561c0a1;p=php

Fixed bug #50308 - session id not appended properly for empty anchor tags

The issue was actually because a lack of space before a "/" marking the tag
as empty. This was being swallowed in the rule for unquoted values. Fixed
by making that rule exclude quotes (as per spec anyway).
---

diff --git a/NEWS b/NEWS
index 4f6a111f51..00442ebb8f 100644
--- a/NEWS
+++ b/NEWS
@@ -77,6 +77,8 @@ PHP                                                                        NEWS
     oorza2k5 at gmail dot com (Yasuo)
   . Fixed bug #62129 (rfc1867 crashes php even though turned off). (gxd305 at
     gmail dot com)
+  . Fixed bug #50308 (session id not appended properly for empty anchor tags).
+    (Arpad)
 
 - Sockets:
   . Implemented FR #63472 (Setting SO_BINDTODEVICE with socket_set_option). 
diff --git a/ext/session/tests/bug50308.phpt b/ext/session/tests/bug50308.phpt
new file mode 100644
index 0000000000..110277ce3c
--- /dev/null
+++ b/ext/session/tests/bug50308.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #50308 (session id not appended properly for empty anchor tags)
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--INI--
+session.name=PHPSESSID
+session.save_handler=files
+session.use_trans_sid=1
+session.use_only_cookies=0
+--FILE--
+<?php
+@session_start();
+?>
+<a href=""/>
+<a href="" />
+<a href="foo"/>
+<a href="foo" />
+<a href=foo/>
+<a href=/>
+<a href=?foo=bar/>
+<a href="?foo=bar"/>
+--EXPECTF--
+<a href="?PHPSESSID=%s"/>
+<a href="?PHPSESSID=%s" />
+<a href="foo?PHPSESSID=%s"/>
+<a href="foo?PHPSESSID=%s" />
+<a href=foo/?PHPSESSID=%s>
+<a href=/?PHPSESSID=%s>
+<a href=?foo=bar/&PHPSESSID=%s>
+<a href="?foo=bar&PHPSESSID=%s"/>
diff --git a/ext/standard/url_scanner_ex.c b/ext/standard/url_scanner_ex.c
index 9aff2cb61e..236276a648 100644
--- a/ext/standard/url_scanner_ex.c
+++ b/ext/standard/url_scanner_ex.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Tue Jan  1 16:28:14 2013 */
+/* Generated by re2c 0.13.5 */
 #line 1 "ext/standard/url_scanner_ex.re"
 /*
   +----------------------------------------------------------------------+
@@ -764,147 +764,120 @@ state_val:
 {
 	YYCTYPE yych;
 	static const unsigned char yybm[] = {
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 160, 160, 248, 248, 160, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		160, 248,  56, 248, 248, 248, 248, 200, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248,   0, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
-		248, 248, 248, 248, 248, 248, 248, 248, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 192, 192, 224, 224, 192, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		192, 224,  64, 224, 224, 224, 224, 128, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224,   0, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
+		224, 224, 224, 224, 224, 224, 224, 224, 
 	};
-	if ((YYLIMIT - YYCURSOR) < 3) YYFILL(3);
+	if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
 	yych = *YYCURSOR;
 	if (yych <= ' ') {
 		if (yych <= '\f') {
 			if (yych <= 0x08) goto yy63;
-			if (yych <= '\n') goto yy64;
+			if (yych <= '\n') goto yy65;
 			goto yy63;
 		} else {
-			if (yych <= '\r') goto yy64;
+			if (yych <= '\r') goto yy65;
 			if (yych <= 0x1F) goto yy63;
-			goto yy64;
+			goto yy65;
 		}
 	} else {
 		if (yych <= '&') {
 			if (yych != '"') goto yy63;
 		} else {
 			if (yych <= '\'') goto yy62;
-			if (yych == '>') goto yy64;
+			if (yych == '>') goto yy65;
 			goto yy63;
 		}
 	}
 	yych = *(YYMARKER = ++YYCURSOR);
-	goto yy77;
+	if (yych != '>') goto yy74;
 yy61:
-#line 346 "ext/standard/url_scanner_ex.re"
-	{ handle_val(STD_ARGS, 0, ' '); goto state_next_arg_begin; }
+#line 347 "ext/standard/url_scanner_ex.re"
+	{ passthru(STD_ARGS); goto state_next_arg_begin; }
 #line 827 "ext/standard/url_scanner_ex.c"
 yy62:
 	yych = *(YYMARKER = ++YYCURSOR);
+	if (yych == '>') goto yy61;
 	goto yy69;
 yy63:
-	yych = *++YYCURSOR;
+	++YYCURSOR;
+	yych = *YYCURSOR;
 	goto yy67;
 yy64:
-	++YYCURSOR;
-#line 347 "ext/standard/url_scanner_ex.re"
-	{ passthru(STD_ARGS); goto state_next_arg_begin; }
-#line 838 "ext/standard/url_scanner_ex.c"
+#line 346 "ext/standard/url_scanner_ex.re"
+	{ handle_val(STD_ARGS, 0, ' '); goto state_next_arg_begin; }
+#line 839 "ext/standard/url_scanner_ex.c"
+yy65:
+	yych = *++YYCURSOR;
+	goto yy61;
 yy66:
 	++YYCURSOR;
 	if (YYLIMIT <= YYCURSOR) YYFILL(1);
 	yych = *YYCURSOR;
 yy67:
-	if (yybm[0+yych] & 8) {
+	if (yybm[0+yych] & 32) {
 		goto yy66;
 	}
-	goto yy61;
+	goto yy64;
 yy68:
-	YYMARKER = ++YYCURSOR;
-	if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+	++YYCURSOR;
+	if (YYLIMIT <= YYCURSOR) YYFILL(1);
 	yych = *YYCURSOR;
 yy69:
-	if (yybm[0+yych] & 16) {
+	if (yybm[0+yych] & 64) {
 		goto yy68;
 	}
-	if (yych <= '&') goto yy72;
-	if (yych >= '(') goto yy61;
-	++YYCURSOR;
-	if (yybm[0+(yych = *YYCURSOR)] & 8) {
-		goto yy66;
-	}
+	if (yych <= '=') goto yy71;
+yy70:
+	YYCURSOR = YYMARKER;
+	goto yy61;
 yy71:
+	++YYCURSOR;
 #line 345 "ext/standard/url_scanner_ex.re"
 	{ handle_val(STD_ARGS, 1, '\''); goto state_next_arg_begin; }
-#line 865 "ext/standard/url_scanner_ex.c"
-yy72:
+#line 868 "ext/standard/url_scanner_ex.c"
+yy73:
 	++YYCURSOR;
 	if (YYLIMIT <= YYCURSOR) YYFILL(1);
 	yych = *YYCURSOR;
-	if (yybm[0+yych] & 32) {
-		goto yy72;
-	}
-	if (yych <= '=') goto yy75;
 yy74:
-	YYCURSOR = YYMARKER;
-	goto yy61;
-yy75:
-	yych = *++YYCURSOR;
-	goto yy71;
-yy76:
-	YYMARKER = ++YYCURSOR;
-	if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
-	yych = *YYCURSOR;
-yy77:
-	if (yybm[0+yych] & 64) {
-		goto yy76;
+	if (yybm[0+yych] & 128) {
+		goto yy73;
 	}
-	if (yych <= '!') goto yy80;
-	if (yych >= '#') goto yy61;
+	if (yych >= '>') goto yy70;
 	++YYCURSOR;
-	if (yybm[0+(yych = *YYCURSOR)] & 8) {
-		goto yy66;
-	}
-yy79:
 #line 344 "ext/standard/url_scanner_ex.re"
 	{ handle_val(STD_ARGS, 1, '"'); goto state_next_arg_begin; }
-#line 897 "ext/standard/url_scanner_ex.c"
-yy80:
-	++YYCURSOR;
-	if (YYLIMIT <= YYCURSOR) YYFILL(1);
-	yych = *YYCURSOR;
-	if (yybm[0+yych] & 128) {
-		goto yy80;
-	}
-	if (yych >= '>') goto yy74;
-	++YYCURSOR;
-	yych = *YYCURSOR;
-	goto yy79;
+#line 881 "ext/standard/url_scanner_ex.c"
 }
 #line 348 "ext/standard/url_scanner_ex.re"
 
diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re
index 760f725e98..f0dee8ebc1 100644
--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@@ -317,7 +317,7 @@ state_next_arg_begin:
 state_next_arg:
 	start = YYCURSOR;
 /*!re2c
-  ">"		{ passthru(STD_ARGS); handle_form(STD_ARGS); goto state_plain_begin; }
+  [/]? [>]		{ passthru(STD_ARGS); handle_form(STD_ARGS); goto state_plain_begin; }
   [ \v\r\t\n]+	{ passthru(STD_ARGS); goto state_next_arg; }
   alpha		{ --YYCURSOR; STATE = STATE_ARG; goto state_arg; }
   any		{ passthru(STD_ARGS); goto state_plain_begin; }
@@ -343,7 +343,7 @@ state_val:
 /*!re2c
   ["] (any\[">])* ["]	{ handle_val(STD_ARGS, 1, '"'); goto state_next_arg_begin; }
   ['] (any\['>])* [']	{ handle_val(STD_ARGS, 1, '\''); goto state_next_arg_begin; }
-  (any\[ \r\t\n>])+	{ handle_val(STD_ARGS, 0, ' '); goto state_next_arg_begin; }
+  (any\[ \r\t\n>'"])+	{ handle_val(STD_ARGS, 0, ' '); goto state_next_arg_begin; }
   any					{ passthru(STD_ARGS); goto state_next_arg_begin; }
 */