Fix #78236: convert error on receiving variables when duplicate [

When an input variable name contains a non matched open bracket, we not
only have to replace that with an underscore, but also all following
forbidden characters.

3 files changed, 28 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 167350640a..a17f4c0919 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.0.0beta1
 
+- Core:
+  . Fixed bug #78236 (convert error on receiving variables when duplicate [).
+    (cmb)
+
 - JIT:
   . Fixed bug #79864 (JIT segfault in Symfony OptionsResolver). (Dmitry)
 
diff --git a/main/php_variables.c b/main/php_variables.c
index dc33e54920..7b753f0cdf 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -178,8 +178,14 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
 			} else {
 				ip = strchr(ip, ']');
 				if (!ip) {
-					/* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
+					/* not an index; un-terminate the var name */
 					*(index_s - 1) = '_';
+					/* PHP variables cannot contain ' ', '.', '[' in their names, so we replace the characters with a '_' */
+					for (p = index_s; *p; p++) {
+						if (*p == ' ' || *p == '.' || *p == '[') {
+							*p = '_';
+						}
+					}
 
 					index_len = 0;
 					if (index) {
diff --git a/tests/basic/bug78236.phpt b/tests/basic/bug78236.phpt
new file mode 100644
index 0000000000..9b56b1388c
--- /dev/null
+++ b/tests/basic/bug78236.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78236 (convert error on receiving variables when duplicate [)
+--POST--
+id[name=1&id[[name=a&id[na me.=3
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECT--
+array(3) {
+  ["id_name"]=>
+  string(1) "1"
+  ["id__name"]=>
+  string(1) "a"
+  ["id_na_me_"]=>
+  string(1) "3"
+}