authorPedro Magalhães <mail@pmmaga.net>2018-08-01 22:28:09 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2018-08-12 15:49:13 +0200
commita16aee6cee77571e3af604117bdc48b75d8a3315 (patch)
tree2abdb0f54632c5f58bf1b85b4a21aefb46fd35ad /ext/session
parent326d3d480c8187545f3e794c68c1fde09206fad9 (diff)
Fix #76688: Disallow excessive parameters after options array
Diffstat (limited to 'ext/session')
-rw-r--r--ext/session/session.c9
-rw-r--r--ext/session/tests/session_set_cookie_params_variation7.phpt9
2 files changed, 18 insertions, 0 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index c7d54b0ee7..c46af0d87d 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1704,6 +1704,15 @@ static PHP_FUNCTION(session_set_cookie_params)
zend_string *key;
zval *value;
+ if (path) {
+ path = NULL;
+ domain = NULL;
+ secure_null = 1;
+ httponly_null = 1;
+ php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
+ RETURN_FALSE;
+ }
+
ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(lifetime_or_options), key, value) {
if (key) {
ZVAL_DEREF(value);
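Review bot: The four assignments ahead of `RETURN_FALSE` in the new `if (path)` block (`path = NULL; domain = NULL; secure_null = 1; httponly_null = 1;`) are dead stores, because the function returns on the next statement and nothing visible reads them afterwards; the block can be reduced to the warning and the return. The guard tests only `path`, so it relies on the parameter parsing above the hunk never leaving `path` NULL while a later argument is set; a comment such as `/* path is the first optional argument: non-NULL means something followed the options array */` would record that assumption. Since the call now returns false before any key of the array is applied, a caller that ignores the return value keeps the ini defaults for the session cookie, including options such as `secure` or `httponly` it meant to set, which is worth stating in the function's documentation. The body of session_set_cookie_params starts and ends outside the hunk.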
diff --git a/ext/session/tests/session_set_cookie_params_variation7.phpt b/ext/session/tests/session_set_cookie_params_variation7.phpt
index ebd9b71df6..9d1f8709be 100644
--- a/ext/session/tests/session_set_cookie_params_variation7.phpt
+++ b/ext/session/tests/session_set_cookie_params_variation7.phpt
@@ -36,6 +36,10 @@ var_dump(ini_get("session.cookie_lifetime"));
var_dump(session_set_cookie_params(["lifetime" => 42]));
var_dump(ini_get("session.cookie_lifetime"));
+var_dump(ini_get("session.cookie_path"));
+var_dump(session_set_cookie_params(["path" => "newpath/"], "arg after options array"));
+var_dump(ini_get("session.cookie_path"));
+
echo "Done";
ob_end_flush();
?>
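Review bot: The added case passes a single extra argument and checks only `session.cookie_path`, so it does not show that a rejected call leaves the security-relevant cookie settings untouched. A second case such as `var_dump(session_set_cookie_params(["secure" => true], "/"));` followed by `var_dump(ini_get("session.cookie_secure"));` would pin that the flag is not applied when the call is refused. The expected-output section would need the matching warning and value lines.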
@@ -57,4 +61,9 @@ string(6) "please"
string(1) "0"
bool(true)
string(2) "42"
+string(1) "/"
+
+Warning: session_set_cookie_params(): Cannot pass arguments after the options array in %s
+bool(false)
+string(1) "/"
Done