Reviews

Author: Girgias

ext/standard/head.c

@@ -76,13 +76,42 @@ PHPAPI int php_header(void)
 	}
 }
 
-PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires, zend_string *path, zend_string *domain, int secure, int httponly, zend_string *samesite, int url_encode)
+#define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", and \"\\014\""
+PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires,
+	zend_string *path, zend_string *domain, bool secure, bool httponly,
+	zend_string *samesite, bool url_encode)
 {
 	zend_string *dt;
 	sapi_header_line ctr = {0};
-	int result;
+	zend_result result;
 	smart_str buf = {0};
 
+	if (!ZSTR_LEN(name)) {
+		zend_argument_value_error(1, "cannot be empty");
+		return FAILURE;
+	}
+	if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+		zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
+		return FAILURE;
+	}
+	if (!url_encode && value &&
+			strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
+		return FAILURE;
+	}
+
+	if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_value_error("%s(): \"path\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
+			get_active_function_name());
+		return FAILURE;
+	}
+	if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_value_error("%s(): \"domain\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
+			get_active_function_name());
+		return FAILURE;
+	}
+	/* Should check value of SameSite? */
+
 	if (value == NULL || ZSTR_LEN(value) == 0) {
 		/*
 		 * MSIE doesn't delete a cookie when you set it to a null value
@@ -118,7 +147,8 @@ PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires,
 			if (!p || *(p + 5) != ' ') {
 				zend_string_free(dt);
 				smart_str_free(&buf);
-				zend_error(E_WARNING, "Expiry date cannot have a year greater than 9999");
+				zend_value_error("%s(): \"expires\" option cannot have a year greater than 9999",
+					get_active_function_name());
 				return FAILURE;
 			}
 
@@ -201,7 +231,6 @@ static void php_head_parse_cookie_options_array(zval *options, zend_long *expire
 	}
 }
 
-#define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", and \"\\014\""
 static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
 {
 	/* to handle overloaded function array|int */
@@ -228,47 +257,13 @@ static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
 					"($expires_or_options) is an array", get_active_function_name());
 				RETURN_THROWS();
 			}
-			php_head_parse_cookie_options_array(expires_or_options, &expires, &path, &domain, &secure, &httponly, &samesite);
-			if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-				zend_value_error("%s(): Argument #3 ($expires_or_options[\"path\"]) cannot contain "
-					ILLEGAL_COOKIE_CHARACTER, get_active_function_name());
-				goto cleanup;
-				RETURN_THROWS();
-			}
-			if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-				zend_value_error("%s(): Argument #3 ($expires_or_options[\"domain\"]) cannot contain "
-					ILLEGAL_COOKIE_CHARACTER, get_active_function_name());
-				goto cleanup;
-				RETURN_THROWS();
-			}
-			/* Should check value of SameSite? */
+			php_head_parse_cookie_options_array(expires_or_options, &expires, &path,
+				&domain, &secure, &httponly, &samesite);
 		} else {
 			expires = zval_get_long(expires_or_options);
-			if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-				zend_argument_value_error(4, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
-				RETURN_THROWS();
-			}
-			if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-				zend_argument_value_error(5, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
-				RETURN_THROWS();
-			}
 		}
 	}
 
-	if (!ZSTR_LEN(name)) {
-		zend_argument_value_error(1, "cannot be empty");
-		RETURN_THROWS();
-	}
-	if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
-		zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
-		RETURN_THROWS();
-	}
-	if (is_raw && value &&
-		strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-		zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
-		RETURN_THROWS();
-	}
-
 	if (!EG(exception)) {
 		if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS) {
 			RETVAL_TRUE;
@@ -278,7 +273,6 @@ static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
 	}
 
 	if (expires_or_options && Z_TYPE_P(expires_or_options) == IS_ARRAY) {
-		cleanup:
 		if (path) {
 			zend_string_release(path);
 		}

ext/standard/head.h

@@ -28,6 +28,8 @@
 extern PHP_RINIT_FUNCTION(head);
 
 PHPAPI int php_header(void);
-PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires, zend_string *path, zend_string *domain, int secure, int httponly, zend_string *samesite, int url_encode);
+PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires,
+	zend_string *path, zend_string *domain, bool secure, bool httponly,
+	zend_string *samesite, bool url_encode);
 
 #endif

ext/standard/tests/network/bug69948.phpt

@@ -17,6 +17,6 @@ try {
 ===DONE===
 --EXPECTHEADERS--
 --EXPECT--
-setcookie(): Argument #4 ($path) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setcookie(): Argument #5 ($domain) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "path" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "domain" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 ===DONE===

ext/standard/tests/network/setcookie_array_option_error.phpt

@@ -13,6 +13,13 @@ setcookie('name', 'value', ['unknown_key' => 'only']);
 setcookie('name2', 'value2', [0 => 'numeric_key']);
 // Unrecognized key
 setcookie('name3', 'value3', ['path' => '/path/', 'foo' => 'bar']);
+// Invalid expiration date
+// To go above year 9999: 60 * 60 * 24 * 365 * 9999
+try {
+    setcookie('name', 'value', ['expires' => 315328464000]);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
 // Invalid path key content
 try {
     setcookie('name', 'value', ['path' => '/;/']);
@@ -46,8 +53,9 @@ Warning: setcookie(): Numeric key found in the options array in %s
 Warning: setcookie(): No valid options were found in the given array in %s
 
 Warning: setcookie(): Unrecognized key 'foo' found in the options array in %s
-setcookie(): Argument #3 ($expires_or_options["path"]) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setcookie(): Argument #3 ($expires_or_options["domain"]) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "expires" option cannot have a year greater than 9999
+setcookie(): "path" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "domain" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 setcookie(): Expects exactly 3 arguments when argument #3 ($expires_or_options) is an array
 array(4) {
   [0]=>

ext/standard/tests/network/setcookie_error.phpt

@@ -22,6 +22,12 @@ try {
 } catch (\ValueError $e) {
     echo $e->getMessage() . "\n";
 }
+// To go above year 9999: 60 * 60 * 24 * 365 * 9999
+try {
+    setcookie('name', 'value', 315328464000);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
 try {
     setcookie('name', 'value', 100, 'invalid;');
 } catch (\ValueError $e) {
@@ -39,8 +45,9 @@ var_dump(headers_list());
 --EXPECTF--
 setcookie(): Argument #1 ($name) cannot be empty
 setcookie(): Argument #1 ($name) cannot contain "=", ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setcookie(): Argument #4 ($path) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setcookie(): Argument #5 ($domain) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "expires" option cannot have a year greater than 9999
+setcookie(): "path" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "domain" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 array(2) {
   [0]=>
   string(%d) "X-Powered-By: PHP/%s"

ext/standard/tests/network/setrawcookie_error.phpt

@@ -22,6 +22,12 @@ try {
 } catch (\ValueError $e) {
     echo $e->getMessage() . "\n";
 }
+// To go above year 9999: 60 * 60 * 24 * 365 * 9999
+try {
+    setcookie('name', 'value', 315328464000);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
 try {
     setrawcookie('name', 'value', 100, 'invalid;');
 } catch (\ValueError $e) {
@@ -40,8 +46,9 @@ var_dump(headers_list());
 setrawcookie(): Argument #1 ($name) cannot be empty
 setrawcookie(): Argument #1 ($name) cannot contain "=", ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 setrawcookie(): Argument #2 ($value) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setrawcookie(): Argument #4 ($path) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
-setrawcookie(): Argument #5 ($domain) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): "expires" option cannot have a year greater than 9999
+setrawcookie(): "path" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setrawcookie(): "domain" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 array(1) {
   [0]=>
   string(%d) "X-Powered-By: PHP/%s"