From fc4d462e947828fdbeac6020ac8f34704a218834 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 23 Jul 2020 11:10:11 +0200
Subject: [PATCH] Fix #78236: convert error on receiving variables when duplicate [

When an input variable name contains a non matched open bracket, we not only have to replace that with an underscore, but also all following forbidden characters.
---
 NEWS | 4 ++++
 main/php_variables.c | 8 +++++++-
 tests/basic/bug78236.phpt | 17 +++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 tests/basic/bug78236.phpt

diff --git a/NEWS b/NEWS
index 167350640a..a17f4c0919 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.0.0beta1
+- Core:
+ . Fixed bug #78236 (convert error on receiving variables when duplicate [).
+ (cmb)
+
 - JIT:
 . Fixed bug #79864 (JIT segfault in Symfony OptionsResolver). (Dmitry)
diff --git a/main/php_variables.c b/main/php_variables.c
index dc33e54920..7b753f0cdf 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -178,8 +178,14 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
 } else {
 ip = strchr(ip, ']');
 if (!ip) {
- /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
+ /* not an index; un-terminate the var name */
 *(index_s - 1) = '_';
+ /* PHP variables cannot contain ' ', '.', '[' in their names, so we replace the characters with a '_' */
+ for (p = index_s; *p; p++) {
+ if (*p == ' ' || *p == '.' || *p == '[') {
+ *p = '_';
+ }
+ }
 index_len = 0;
 if (index) {
diff --git a/tests/basic/bug78236.phpt b/tests/basic/bug78236.phpt
new file mode 100644
index 0000000000..9b56b1388c
--- /dev/null
+++ b/tests/basic/bug78236.phpt
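Review bot: In main/php_variables.c the comment above the new `for (p = index_s; *p; p++)` loop lists the replaced characters but not the consequence: request names that differ only in ' ', '.' or an unmatched '[' now register under one key, so a filter or prefix check applied to the raw name sees something different from what the script receives. I would add a line such as `/* NOTE: distinct wire names can collapse to the same key, e.g. "id[name" and "id_name" */` so the collision is a documented property rather than a surprise. The character set is also written out as literals here; if the function's earlier name-normalisation code (outside this hunk) uses the same set, a shared helper would keep the two from drifting apart. php_register_variable_ex starts and ends outside the hunk, so the declaration of `p` and what happens to the name after `index_len` is set are not visible.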
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78236 (convert error on receiving variables when duplicate [)
+--POST--
+id[name=1&id[[name=a&id[na me.=3
+--FILE--
+
+--EXPECT--
+array(3) {
+ ["id_name"]=>
+ string(1) "1"
+ ["id__name"]=>
+ string(1) "a"
+ ["id_na_me_"]=>
+ string(1) "3"
+}
--
2.40.0
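Review bot: The `--POST--` line only covers an unmatched '[' that directly follows the base name; nothing exercises a stray bracket after a well-formed index (a constructed example: `id[a][b c=1`), which presumably reaches the same branch with `index` already set. One extra field of that shape, with its expected dump, would pin that path. The same normalisation presumably applies to GET and cookie names, so a `--GET--` or `--COOKIE--` variant would be a cheap addition. The `--FILE--` body is empty on this page, which looks like extraction loss rather than part of the commit.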