bfrance Wed Feb 11 14:00:44 2004 EDT Modified files: /php-src/ext/standard head.c Log: Added checks for invalid characters in a cookie name or cookie data from setrawcookie http://cvs.php.net/diff.php/php-src/ext/standard/head.c?r1=1.74&r2=1.75&ty=u
Index: php-src/ext/standard/head.c
diff -u php-src/ext/standard/head.c:1.74 php-src/ext/standard/head.c:1.75
--- php-src/ext/standard/head.c:1.74 Thu Jan 8 03:17:32 2004
+++ php-src/ext/standard/head.c Wed Feb 11 14:00:42 2004
@@ -15,7 +15,7 @@
 | Author: Rasmus Lerdorf <[EMAIL PROTECTED]> |
 +----------------------------------------------------------------------+
 */
-/* $Id: head.c,v 1.74 2004/01/08 08:17:32 andi Exp $ */
+/* $Id: head.c,v 1.75 2004/02/11 19:00:42 bfrance Exp $ */
 #include <stdio.h>
@@ -74,6 +74,16 @@
 sapi_header_line ctr = {0};
 int result;
+ if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014' (%s)", name );
+ return FAILURE;
+ }
+
+ if (!url_encode && value && strpbrk(value, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+ zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014' (%s)", value );
+ return FAILURE;
+ }
+
 len += name_len;
 if (value && url_encode) {
 int encoded_value_len;
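Review bot: Both new checks echo the rejected string verbatim into the E_WARNING text via `(%s)`, so the CR/LF and other control characters that caused the rejection are written straight into the error log or the rendered warning; a message that only names the rule, `zend_error(E_WARNING, "Cookie names can not contain any of the following '=,; \\t\\r\\n\\013\\014'");` (and the same shape for the value check), avoids re-emitting them. The rejected set is the separators plus the isspace characters listed in the strpbrk string; other ASCII control bytes are presumably still accepted and, if the enclosing function builds the Set-Cookie header from these strings further down, would pass through, so that limit is worth confirming and stating in the `/* man isspace ... */` comment. "folllowing" in both messages is a typo for "following". The enclosing function's signature and the remainder of its body lie outside the hunk.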