| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-12 14:22:32 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-12 14:22:32 +0100 |
| commit | 4c5a178df86f338325cf801ae36beca741238739 (patch) | |
| tree | 16bfde3acd0b70d83b617ee6edeb9a16fff4583f | |
| parent | beee92a887e8036a84dcb34f00bdca550eeee420 (diff) | |
| parent | 79376ab209f61be03bbf8c1b6177c18261767da8 (diff) | |
Merge branch 'PHP-7.4'
* PHP-7.4:
Fix #78929: plus signs in cookie values are converted to spaces
| -rw-r--r-- | main/php_variables.c | 35 | ||||
| -rw-r--r-- | tests/basic/bug78929.phpt | 16 |
2 files changed, 33 insertions, 18 deletions
diff --git a/main/php_variables.c b/main/php_variables.c
index d540ff98ac..826b3bcfa5 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -477,6 +477,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
 var = php_strtok_r(res, separator, &strtok_buf);
 while (var) {
+ size_t val_len;
+ size_t new_val_len;
+
 val = strchr(var, '=');
 if (arg == PARSE_COOKIE) {
@@ -495,29 +498,25 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
 }
 if (val) { /* have a value */
- size_t val_len;
- size_t new_val_len;
 *val++ = '\0';
- php_url_decode(var, strlen(var));
- val_len = php_url_decode(val, strlen(val));
- val = estrndup(val, val_len);
- if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
- php_register_variable_safe(var, val, new_val_len, &array);
+
+ if (arg == PARSE_COOKIE) {
+ val_len = php_raw_url_decode(val, strlen(val));
+ } else {
+ val_len = php_url_decode(val, strlen(val));
 }
- efree(val);
 } else {
- size_t val_len;
- size_t new_val_len;
-
- php_url_decode(var, strlen(var));
- val_len = 0;
- val = estrndup("", val_len);
- if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
- php_register_variable_safe(var, val, new_val_len, &array);
- }
- efree(val);
+ val = "";
+ val_len = 0;
+ }
+
+ val = estrndup(val, val_len);
+ php_url_decode(var, strlen(var));
+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
+ php_register_variable_safe(var, val, new_val_len, &array);
 }
+ efree(val);
 next_cookie:
 var = php_strtok_r(NULL, separator, &strtok_buf);
 }
diff --git a/tests/basic/bug78929.phpt b/tests/basic/bug78929.phpt
new file mode 100644
index 0000000000..60b71d1f8f
--- /dev/null
+++ b/tests/basic/bug78929.phpt
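Review bot: The cookie name is still passed through `php_url_decode(var, strlen(var))` on the shared path after the if/else in the second hunk, so only cookie values get the raw decoder; a `+` in a cookie name still becomes a space, and percent-encoded bytes in a name are decoded into a different name than the client sent. That matters for anything keyed on the literal cookie name, such as the `__Host-`/`__Secure-` prefixes, because an encoded name would then be registered under the decoded name. Consider skipping name decoding for cookies, `if (arg != PARSE_COOKIE) { php_url_decode(var, strlen(var)); }`, or at least using `php_raw_url_decode` for the name in that case, with a test that pins the chosen behaviour. The body of php_default_treat_data starts and ends outside this hunk, so whether other code already constrains `var` is not visible here.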
@@ -0,0 +1,16 @@
+--TEST--
+Bug #78929 (plus signs in cookie values are converted to spaces)
+--INI--
+max_input_vars=1000
+filter.default=unsafe_raw
+--COOKIE--
+RFC6265=#$%&'()*+-./0123456789<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~!
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(1) {
+ ["RFC6265"]=>
+ string(89) "#$%&'()*+-./0123456789<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~!"
+}
|
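Review bot: The `--COOKIE--` fixture contains no valid percent-escape (its only `%` is followed by `&`), so this test would still pass if cookie values were not decoded at all; it pins the `+` behaviour but not that `php_raw_url_decode` still decodes `%XX` sequences. Adding a second cookie, for example `enc=%2B%20x` (constructed sample) with expected value `+ x`, would cover that. A cookie without `=` would also exercise the rewritten `val = ""` branch in main/php_variables.c, which this file does not reach.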
